Getting Fired for Privacy Violations: The New Normal?
I never thought I’d ever mention Kim Kardashian in a blog post but, surprisingly, I find myself doing so in the context of a privacy breach. The “human element” in privacy violations – whether by error or omission in conduct or a willful or deliberate act – plagues organizations subject to breach notification requirements. Leaving aside compliance costs, conduct that might have met disciplinary action only ten years ago now is increasingly seen as totally unacceptable. But are employees really getting the message yet? And should employers be more explicit in getting that message out?
In a story about the Cedars-Sinai Medical Center, the LA Times reported here that “14 patient records were ‘inappropriately accessed’ between June 18 and June 24. Six people were fired over the breach: four were employees of community physicians who have medical staff privileges at the hospital, one was a medical assistant employed by Cedars-Sinai, and one was an unpaid student research assistant.” Furthermore, “[f]ive of the workers accessed a single patient record; the other one looked at 14.” Without expressly saying so, the story suggests that the one record in question might have belonged to Kim Kardashian, who gave birth to her daughter on June 15th.
This isn’t an American story alone. In British Columbia, Susan Steel worked as an analyst in the IT department of the Coast Credit Union. In that position she was expected, as her job description stated, to respect the privacy and confidentiality of information held by her employer at all times. A specific protocol governing support staff access to personnel folders containing personal information also existed, and this protocol was acknowledged as part of the annual review process. In other words, the rules were clear and known to Ms. Steel.
Ms. Steel was found accessing a spreadsheet pertaining to a priority list for allocating parking spots. Seems innocuous but the file also contained pay grades and seniority dates. The result, however, was dismissal. Inappropriate access had turned into a loss of trust in an employee where trust is of paramount importance. Ms. Steel sued arguing that her misconduct was not sufficient in the circumstances for her to be fired. In a short decision in March 2013, the court found otherwise – inappropriate access constitutes just cause to terminate employment. See Steel v. Coast Capital Savings Credit Union. The degree to which this case becomes a precedent will be of interest to those who follow employment law developments for some time to come.
This is not a “west coast” phenomenon. Newfoundland’s Eastern Health Authority fired five employees and suspended six for breaching patient confidentiality, including one nurse with 10 years’ seniority. In all, the medical files of 122 patients were perused without a legitimate reason. You can read the story here. Newfoundland went even farther and charged two of the former employees under that province’s personal health information statute.
What’s extraordinary about the Canadian “firings” is that American employment law bestows far more leeway for employers in their relationship with employees than Canadian law does. American firings one can easily see; Canadian firings, well not so much.
Have we reached the tipping point where a breach of confidentiality in the workplace automatically justifies termination of employment? We seem most sensitive to it in a healthcare setting but the Steel decision indicates the principle extends beyond personal health information. Some academic research might be in order but one can’t help but increasingly feel – when it comes to inappropriate access – that there’s a “new normal” out there and if employees haven’t gotten the message yet they should. Accessing someone else’s personal information is rarely worth losing one’s job. “Rogue” employees who do so clearly have not understood the severity of the consequences should they choose to initiate a privacy breach. At a minimum, employers should make the probability of extreme consequences for privacy violations very clear in their initial onboarding and annual training.