A recent decision by the Appellate Division of the New York Supreme Court, upholding a jury award of punitive damages for unintentional privacy breaches, should serve as a warning flag for all companies – especially those in the health care sector – that failure to implement and maintain appropriate policies for the handling of personal data may result in liability. The case, Randi A.J. v. Long Is. Surgi-Center, No. 2005-04976 (N.Y. App. Div. Sep. 25, 2007), emphasizes the importance of proper data security safeguards and suggests that companies revisit their policies and procedures to ensure that they are in compliance. This decision, as with other notable cases involving security breaches, also accentuates the critical role that employee training and education plays in a company’s data privacy and security program.

In this case, the court ruled, in a 3-2 decision, that punitive damages can be awarded for a grossly negligent breach of confidential medical information, even if the breach was the result of negligence and not intentional or malicious. The court upheld the jury’s award of $365,000 ($65,000 in compensatory emotional distress damages and $300,000 in punitive damages) despite acknowledging that the defendant was acting in good faith and without malice or intent to violate the plaintiff’s privacy rights. According to the court’s decision, a plaintiff need not prove malice or bad faith in order to be awarded punitive damages.

The facts of the case illustrate the importance of developing, and uniformly complying with, internal policies and procedures for maintaining the confidentiality and privacy of personal data. The plaintiff underwent an abortion at the defendant surgery center. When filling out a pre-operative questionnaire, the plaintiff included her home telephone number, but then crossed it out. Because the plaintiff lived with her parents and did not want them to know of the procedure, she gave specific instructions to call only her cell phone number. However, administrative personnel at the surgery center generated patient file labels for the plaintiff that included her home number. Later, a nurse at the center called the plaintiff’s home number to follow up on certain lab tests. Despite realizing that she was speaking with the plaintiff’s mother, and not the plaintiff, the nurse proceeded to discuss the plaintiff’s condition in a manner that made apparent the fact that the plaintiff had undergone an abortion procedure.

The court found that although the defendant did not act in bad faith, the actions of the center and its personnel rose to the level of recklessness and gross negligence. The court specifically pointed to the fact that the center had no written policy for protection of the patient’s right to privacy and confidentiality. The decision in this case is a reminder that companies must not only develop privacy and personal data protection policies and procedures, but must also ensure that personnel consistently implement and follow these policies and procedures.


This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2007 Goodwin Procter LLP. All rights reserved.