The Massachusetts Appeals Court recently issued a decision strongly confirming the responsibility of businesses to protect the personal information of their customers.

In Adams v. Congress Auto Insurance Agency, Inc., an insurance agency employee wrongfully accessed the personal information of one of the agency’s customers. The customer had been in an accident with the employee’s boyfriend. The employee accessed her employer’s records to obtain the customer’s personal information, which the boyfriend then used to make threatening phone calls to the customer. When the customer reported the calls, both the employee and her boyfriend were arrested for witness intimidation. The customer then sued the insurance agency for negligence.

The insurance agency argued that it could not be held responsible for an employee who violated the law and the agency’s policies regarding personal information. The Appeals Court disagreed in this case because the agency was aware that its employee had a prior criminal record. Even though the employee had downplayed her earlier arrest, calling it a “misunderstanding,” the Court faulted the agency for not investigating. An investigation would have revealed that the employee had been involved with illegal firearms and had lied about her involvement to the police and to the agency. The Court reasoned that the insurance agency should have known these facts and should not have put the employee in a position to access sensitive personal information of its customers.

The Court compared this case to a previous one, where an apartment building owner gave the building keys to an employee known to be a drifter with a criminal record and addiction problems. When the employee murdered a tenant, the building owner was found liable for entrusting the keys to someone who was likely to use them for access to commit a crime. Just like keys may be used for access to commit a crime against a tenant, sensitive personal information may be accessed to commit a crime against a consumer. Companies must be careful not to grant this access to employees who are likely to misuse it.

This case is a warning to businesses that maintain personal information of their customers. While data privacy policies are crucial for these businesses, they may not be enough if the wrong employees are trusted with the “keys” to personal customer information.