Tax Preparation Firm That Dumped Sensitive Customer Records Faces Liability

If your company handles sensitive customer information, as most companies these days do, a recent lawsuit, Pinero v. Jackson Hewitt Tax Service, Inc., pending in a federal court in Louisiana bears consideration. The Pinero case reminds businesses that their privacy policies and protocols need to be up to date and adhered to by employees. Negligently exposing private customer information to the public may lead to liability and a public relations nightmare for your company.

The Lawsuit

The plaintiff in the lawsuit was a customer of one of the defendants, a popular tax preparation franchisee. In 2005, before engaging the defendant franchisee to provide tax preparation services, the plaintiff was shown the franchisee’s privacy policy, and was assured that her personal information would be safeguarded.

In 2008, however, someone found the plaintiff’s tax records, along with those of more than a hundred other individuals, in a dumpster behind the franchisee’s retail store. The records had not been shredded. A news station broke the story and returned the tax records to the plaintiff. The franchisee claimed that the tax records were stolen.

The plaintiff, likely angry that her confidential information had been disposed of so irresponsibly, brought suit against the franchisee and franchisor, setting forth a variety of claims, including fraud, breach of contract, and violation of state statutes. In a series of rulings, the court dismissed some of the plaintiff’s claims, but did allow the plaintiff to proceed with claims of fraud, violation of Louisiana’s Unfair Trade Practices Act, and an invasion of privacy claim against the defendants.

What This Means For You

The Pinero lawsuit is a reminder that companies must handle sensitive customer information with great care. Not only can improper exposure of private customer information lead to liability, it can also create a public relations nightmare for your company.

Privacy policies should be drafted carefully to define what constitutes private information and should set forth the company’s obligations and the customer’s rights. These policies should also be updated periodically to stay current with changes in law, technology, or to keep up with your company’s products and services.

Adequate security technology should be employed to safeguard the storage and transfer of electronic records of customer information. Employees should also be trained and routinely refreshed as to what constitutes “private” information, how that information should be handled and disposed, and their responsibility in ensuring that the information remains private.

Of course, despite the strictest measures, private customer information may be compromised inadvertently or through criminal acts such as hacking. In that situation, swift action must be taken to resolve the problem. In certain cases, it may be make sense to proactively inform the customer about the breach and the steps you are taking to remedy the situation.

-- Anuj Desai, Esq.

Not If, but How

Arnall Golden Gregory, LLP has significant experience in the area of privacy law, ranging from drafting privacy policies, counseling clients about privacy security technology solutions, as well as resolving related disputes. We serve the business needs of growing public and private companies, helping clients turn legal challenges into business opportunities. We don't just tell you if something is possible, we show you how to make it happen.

Please visit our website for more information, http://www.agg.com/.