Data Privacy for Employees: A Two-Edged Sword

The recent launch of GDPR in the EU (spawning lawsuits against Google and Facebook for $8.8 billion) and the endless string of data breaches (from Target and Home Depot to Equifax and Under Armour) have data privacy on everyone’s mind. A recently decided case in Pennsylvania, Terrell v. Main Line Health, Inc., E.D. Pa., No. 17-3102, should give businesses some degree of relief while at the same time highlighting an area of data privacy that is often overlooked: employee access to personally identifiable information.

Gloria Terrell worked for Main Line Hospital. According to the hospital, Terrell was fired for twice using Main Line Hospitals’ internal records system to access a co-worker’s phone number. Because the Health Information Portability and Accountability Act (HIPAA) covers hospital employee phone numbers as protected health information, Main Line had a strict policy prohibiting its employees from using the internal records system to access information about co-workers. Terrell claimed, however, that she was fired because of her age in violation of the Age Discrimination in Employment Act.

Main Line persuaded the court on a motion for summary judgment that Ms. Terrell was fired for violation of Main Line’s policies. The court ruled that terminating an employee who accesses personal data without authorization (in violation of privacy protection laws, in this case HIPAA, and in violation of company policy) is a legitimate non-discriminatory reason for termination.

Although the decision gives businesses some comfort—i.e., they can discipline employees who violate privacy laws and company policies designed to protect personal information—it also highlights a potentially overlooked area of data privacy that employers may need to address. In many businesses, employees have access to large amounts of personal information—whether the personal information of other employees or the personal information of the company’s clients. Without adequate controls limiting employee access to the information they need to do their jobs, companies may be unknowingly and unnecessarily exposing themselves to the significant liability that could arise if careless or disgruntled employees access and disclose protected information.

If you have concerns about the adequacy of your company’s cybersecurity and data privacy efforts, or you are concerned about the implication of a possible or potential data breach, please contact Steve Lau, an experienced litigation and trial attorney specializing in commercial, employment, cybersecurity, and privacy litigation, and Romaine Marshall, an experienced litigation and trial attorney specializing in cybersecurity and privacy litigation.

