Joseph Lazzarotti and John Snyder comment on Cambridge Who’s Who Publishing v. Sethi, a case recently covered on DataBreaches.net because of its reference to an alleged data breach that had never been reported in the media. Of significance to me, the court ruled that Cambridge Who’s Who could not get an injunction that would stop its former employee from writing about a data breach that occurred while he was employed by them, nondisclosure agreements notwithstanding. As I noted in my comments, I was pleased that the judge appreciated the significance of data breaches to the public and that such revelation would be protected speech.
Lazzarotti and Snyder discuss the case from the perspective of workplace law on Workplace Privacy Data Management & Security Report. They write, in part:
Cambridge provides employers with several significant lessons.
- First, it is instructive of the enforceability of a non-solicitation-of-customers provision that it enforced by injunction.
- Second, absent compelling facts constituting “extraordinary circumstances,” courts generally are reluctant to enjoin or restrain speech that may be protected by the First Amendment.
- Third, the decision raises two key points about data security:
- Companies that experience an unauthorized access to or acquisition of personal information that they possess may be required to report the unauthorized access to affected individuals and certain state agencies. In New York, there are three state agencies that must be notified in cases of certain breaches of personal information: Office of Cyber Security, Attorney General’s Office, and Consumer Protection Board.
- Likewise, companies must take appropriate steps when employees complain about or raise data-security issues. In at least two court decisions, one in New Jersey and the other in California, employees were permitted to proceed with claims of employment retaliation upon asserting they have suffered an adverse employment action after their complaints about data security at their companies.
What I find intriguing is that this breach was never reported to the New York State Consumer Protection Board, even though there seems to be some documentation from one of the vendors that would seem to confirm that data went missing. Cambridge Who’s Who has not responded to an email request for a statement or clarification on these allegations, but I will keep trying to find out what, if anything, happened there.