Monday, August 08, 2011

Office Equipment Firm Not Liable for Failing to Disclose Storage of Personal Information

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

A bank could not go forward with purported class action claims against an office equipment company for failing to make certain disclosures regarding the storage of information on printers and other machines, the federal district court in Bridgeport, Connecticut has decided.

The company allegedly failed to tell customers that its leased printers, copiers, and other equipment contained digital data storage devices that automatically saved copies of documents that had been faxed, printed, or scanned and that the company did not destroy the images when the equipment was returned to the company and then sold or leased to others.

The bank contended that the company knew or should have known that the equipment would be used to fax, print, or scan documents containing private financial and identifying information, including Social Security numbers, birth dates, medical records, and business data. The company’s conduct allegedly put its customers at risk of identity theft and caused them to incur expenses to monitor their credit and to destroy saved images on storage devices inside the equipment currently in their possession.

The bank brought claims for negligence, negligence per se, negligent misrepresentation, and violations of the Connecticut Unfair Trade Practices Act and the Connecticut data breach notification statute.

Duty to Disclose

According to the court, the company did not have a duty to disclose anything regarding the storage devices in the office equipment. There was no allegation that the company owned, licensed, or maintained personal information, so the duty to disclose imposed by the breach notification statute did not apply. The bank also did not allege that a breach of security had occurred.

There were no allegations of bad faith by the company; nothing suggested that the company purposely excluded information regarding the storage devices from the lease agreements because it hoped that the bank would become a victim of identity theft. The company lacked a duty to exercise reasonable care to make disclosures about the storage devices because it was not foreseeable that the bank’s use of the equipment to fax, print, or scan documents containing private information would result in harm, the court said.

The essence of the transactions between the bank and the company was the lease of office equipment, not the protection of data that would be stored on the equipment. The bank did not allege that the company knew about the bank’s apparent lack of familiarity with digital storage devices or that there was a custom or other objective circumstance that would cause the bank to believe that data security would be covered by the leases.

In addition, the bank could not pursue breach of contract claims because the lease agreements were silent as to data security, and there was no allegation that the parties discussed the issue or did anything to suggest that the issue was included in the lease agreements.

The decision is Putnam Bank v. Ikon Office Solutions, Inc., CCH Privacy Law in Marketing ¶60,658.

No comments: