On Thursday, a unanimous Cuyahoga County Court of
Appeals reversed a directed verdict entered at trial in favor of an employer on
a claim for wrongful discharge in violation of public policy based on the plaintiff’s
objection to password sharing by employees. Rebello
v. Lender Processing Servs., Inc.,
2015-Ohio-1380 (4-9-15). The employer was a service provider for Chase
Bank and was required by contract to restrict access to non-public information
about Chase customers to employees who had cleared Chase’s security procedures
(including a background check, drug testing, etc.). However, because Chase was not approving new
employee passwords fast enough, it had allegedly become common practice for the
employees to share passwords in order to keep up with their work. The Plaintiff claimed to have objected to
this process repeatedly, particularly after an email from Human Resources threatened
that employees who shared passwords could be fired and subjected to civil and
criminal liability. Shortly after
directing her subordinates to stop sharing emails and threatening to report the
practice to upper management and Chase, she was fired for reasons that she
claimed were pretextual. At trial, the
judge ruled that she had not identified a clear public policy against sharing
passwords. On appeal, the Court of
Appeals found that the public policy reflected in the Gramm-Leach-Bliley
Act, 15 U.S.C. §6801, et seq. was sufficiently clear to support her claim that
she was fired for opposing unauthorized disclosure and use of non-public
financial customer information.
Moreover, she could also show that this public policy was jeopardized by
her termination since that statute did not contain any provisions protecting
employees from retaliation for refusing to violate the Act or for threatening
to report its breach.

According to the Court’s opinion, the plaintiff worked for a
company which helped preserve property owned by customers of Chase Bank who
were in financial distress or foreclosure.
In order to perform their duties, employees were provided with access by
Chase to non-public information about the clients subject to a contract which
required that access be limited to employees who had cleared Chase’s security
protocols and were provided with a password by Chase. Moreover, they were
required by the Chase contract to report to Chase any unauthorized disclosures
of the information. However, apparently, Chase was not providing
passwords fast enough and it had become common practice for employees to share
passwords in order to keep up with the work.
There was evidence that the plaintiff had objected to this process for
over 18 months and was repeatedly told to stay the course and management would
take care of the problem. There was also evidence that upper management
became aware – on at least several occasions – that passwords were being shared
and that they told employees to stop sharing passwords and requested Chase to
speed up its process.

After a Denver employee reported the password sharing
practice in her exit interview, the issue came to the forefront again in
February 2012. A conference call was
held and supervisors, including the Plaintiff, were told that password sharing
must stop. The Plaintiff’s manager told
her to stay the course and calm down and that it was not their job to inform
Chase about the password sharing. When
password sharing continued, Human Resources sent an email to all employees at
the end of February reminding them that they were not permitted to share
passwords, that they could be immediately fired for sharing passwords and that
they could also be civilly and/or criminally prosecuted. Plaintiff informed her supervisor that she
would prohibit her employees from sharing passwords even if it meant that the
work production suffered and that she would inform upper management or
Chase about the password sharing. She was
told that the company’s Information Service Officer would handle it.

The following week, the Plaintiff’s manager claimed she
reported concerns with the Plaintiff’s attendance and tardiness. On April 2, a co-worker allegedly complained
about disruptive profanity the Plaintiff used in a personal telephone
call. A subsequent investigation by
Human Resources discovered that other employees had been similarly disturbed by
other personal telephone calls by the Plaintiff. Therefore, the Plaintiff was summarily fired
for “disrupting the work environment, unsatisfactory performance, violation
of policies and procedures, challenges with supervisory execution and
challenges with attendance, punctuality and time off.” There was apparently no documentation of
prior disciplinary or performance issues.

The plaintiff filed a wrongful discharge in violation of
public policy claim based on several statutes: the Fair Credit Reporting Act, Ohio’s
identity theft protection statute and the Gramm-Leach-Bliley Act, 15 U.S.C. §6801
(“GLBA”). The employer’s motion to
dismiss was denied, as was its summary judgment motion. However, at trial, the visiting judge granted
the employer’s motion for directed verdict (thus, removing the case from the
jury) on the ground that none of these statutes clearly addressed the plaintiff’s
objections to employees sharing computer passwords. This appeal followed.

On appeal, the Court agreed that the employer was not
subject to the Fair Credit Reporting Act because it was not a consumer
reporting agency and the Plaintiff failed to show “that her concerns regarding
password sharing in any way implicated any of the specific policies or purposes
FCRA was enacted to address.” It also found that Ohio’s identity theft
statute, R.C. §1349.19, did not apply because there was no evidence
that, as a result of password sharing, LPS’s or Chase’s security systems were “breached”
as defined in the statute or that any unauthorized “access and acquisition” of personal
information occurred (or was likely to occur) that “cause[d] or reasonably is believed
will cause a material risk of identity theft or other fraud.” [She]
presented no evidence that any of the Chase customers whose information was
accessed by LPS employees
through password sharing was at any material risk of identity theft, fraud or any
other financial harm as a result of that practice.

However, the GLBA was different. “The GLBA requires financial institutions to take steps to
ensure the security and confidentiality of the nonpublic information of its
customers.” Moreover, the Interagency
Guidelines Establishing Information Security Standards (“guidelines”), 12
C.F.R. part 30, Appx. B, “apply to ‘customer information maintained by or on
behalf of entities over which the office of the Comptroller of the Currency has
authority’” and “address standards for developing and implementing
administrative, technical, and physical safeguards to protect the security,
confidentiality, and integrity of customer information.”

The guidelines also require banks to consider whether other security
measures, such as controls to authenticate and permit access only to authorized
individuals, controls to prevent employees from providing customer information
to unauthorized individuals, and encryption of electronic customer information
to which unauthorized individuals may have access, are appropriate and, if so,
adopt those measures. . . . The guidelines also require banks to “[r]equire its
service providers by contract to implement appropriate measures designed to
meet the objectives” . . . “Service providers” include “any person or entity that
maintains, processes, or otherwise is permitted access to customer information
or consumer information through its provision of services directly to the
[bank].”

The Court concluded that the GLBA and its guidelines established a clear public policy.
The employer did “not dispute that the GLBA and its regulations apply to
Chase and the nonpublic customer information accessed by” the employer’s
employees, but argued that the GLBA technically only applied to Chase and not
to service providers like it. The Court rejected this argument:

[The employer] cites no authority in support of its
contention that an employer must be found to have violated and subject to
liability under the specific statute that serves as the source of the public
policy before we may conclude that a clear public policy exists that has been
compromised by the employer’s conduct.

Importantly, the employer’s own documents, policies and contracts acknowledged that its
activities were subject to the GLBA and that it had a statutory obligation to
comply with that statute to protect and maintain the confidentiality of Chase
customer information.

The Court also rejected the employer’s attempts to limit characterization of the
Plaintiff’s objections to “password sharing,” which is not a specific activity
discussed in the GLBA. While there
would be no statutory violation if passwords were shared among employees who
were already authorized by Chase to access the non-public information, there
arguably would be a statutory violation if the passwords were shared with
individuals who were not authorized to access the information.

Rebello does not contend that there is a public policy
against “password sharing” under the GLBA or any other state or federal law.
Instead, she argues that her objections to password sharing and threats to
report LPS’s practice of password sharing to Chase implicated public policy
because they related to concerns over the unauthorized access and disclosure of
nonpublic personal information of Chase’s customers. Rebello contends that “by
objecting to sharing passwords, she [was] objecting to a practice that
threatened the confidentiality and allowed unauthorized access of individuals
to confidential nonpublic customer information.” She argues that even though there
is no public policy against password sharing per se, there is a public policy manifested
in the GLBA to protect against the unauthorized access and disclosure of nonpublic
personal information and that because LPS’s and Chase’s anti-password sharing
policies were implemented (at least in part) to prevent the unauthorized access
and disclosure of this information, dismissing employees under circumstances
like those allegedly involved in her dismissal, i.e., for refusing to continue
sharing passwords and threatening to report password sharing among LPS
employees to Chase, would jeopardize that public policy.
. . . Where, however, a password that permits
access to nonpublic customer information is shared with a person who does not
have authority to access that information and the password is, in fact, used by
the person with whom it is shared to access nonpublic consumer information,
password sharing results in the unauthorized disclosure of that information, thereby
implicating the public policy against unauthorized access and disclosure of nonpublic
personal information of consumers. Thus, the issue in this case is whether Rebello’s
objections to password sharing were akin to a complaint regarding the unauthorized
access and disclosure of nonpublic consumer information.

That being said, there was still a factual dispute about the scope of the password
sharing. The employer produced evidence
that the individuals gaining access had been authorized to do so by Chase, but
simply had not yet received the means of access (i.e., a password token). However, the Plaintiff and one other witness
testified that access was also being provided to employees who had not yet been
authorized by Chase. To complicate the
matter further, the Plaintiff did not think it really mattered whether the
employees had been authorized by Chase to access the information or not since
the contract and policy prohibited sharing passwords. She viewed the issue of password sharing to
be virtually identical to the issue of unauthorized disclosure of the protected
information. The Court concluded that a
reasonable jury could agree with the Plaintiff:

In this case, based on the evidence presented by Rebello that LPS was regularly and systemically
disregarding the password system established by Chase and allowing LPS
employees who had not yet been authorized by Chase to access its nonpublic
customer information, a reasonable jury could have found that there was, in fact,
no difference between Rebello objecting to password sharing and Rebello
objecting specifically to the results of that password sharing, i.e., the
unauthorized access and disclosure of nonpublic information to LPS employees.
The trial court erred in taking that determination away from the jury and
concluding as a matter of law that “[t]he mere assertion relative to sharing passwords is insufficient to satisfy the
clarity element of a wrongful termination action.”

Moreover, it was irrelevant that no identity theft had actually occurred as a result of
the password sharing practice or that the violation of the password protocols
had not actually harmed any of Chase’s customers. The alleged unauthorized access by the
employees was by itself enough harm to the privacy interests of Chase’s
customers as protected by the GLBA:

Rebello was not required to show that any consumer identity
theft had occurred or that any consumer’s confidential information had otherwise
been misappropriated to establish the clarity and jeopardy elements of her claim.
A plaintiff asserting a claim of
wrongful termination in violation of public policy is not required to show that
the conduct to which the employee objected actually resulted in the type of
harm that the public policy seeks to prevent. Furthermore, even if such a showing
were required, the unauthorized access of Chase’s customers’ nonpublic information by LPS
employees in and of itself caused a harm to the privacy interests of those
customers — one of the interests the GLBA seeks to protect. (bolding added for
emphasis).

Finally, the Court found that public
policy could be jeopardized by the employer’s conduct in terminating the
Plaintiff for refusing to participate and threatening to report its alleged violation
of the statute. Public policy claims at
common law can only exist where the applicable statute does not provide
exclusive remedies for its breach.

The GLBA contains no statutory remedies protecting employees
who complain about, refuse to participate in and threaten to disclose an
employer’s unauthorized access and disclosure of nonpublic consumer
information. Thus, there is no existing statutory remedy that “adequately
protect[s] society’s interest [in] discouraging this wrongful conduct.” Id. If
employers were allowed to terminate employees for objecting to, refusing to
participate in and threatening to disclose the unauthorized access and
disclosure of nonpublic consumer information, such retaliatory practices could
deter employees from reporting or taking other steps to protect nonpublic consumer
information from unauthorized access and disclosure. We find that without a common-law
tort for wrongful discharge under these circumstances, the clear public policy
against unauthorized access and disclosure of nonpublic consumer information would
be compromised.