Protecting Your Insurance Agency

Mark Adams v. Congress Auto Insurance Agency (Appeals Court No. 15-P-452)

A recent decision of the Massachusetts Appeals Court makes it clear that insurance agencies may be held responsible when their employees access, for unauthorized purposes, the personal information of not just insureds, but also of claimants.

In  December, 2016, the  Appeals Court  held that a jury reasonably could find that the insurance agency was liable to the plaintiff on the basis of negligence.  The plaintiff, Mark Adams, was a claimant against the automobile policy of the agency’s employee, in a claim involving damage to Mr. Adams’ vehicle.  The agency’s employee  used her access to an insurance company’s portal (which she had through the agency), to obtain Mr. Adams’ identity and contact information. Mr. Adams, who had told police that he could identify the agency’s employee’s  boyfriend as the driver of her car, then received threatening telephone calls.

Despite having policies and procedures in place prohibiting employees from using information that they obtained through their employment for unauthorized purposes, the agency continued to allow the employee  access to the personal information of its insureds and claimants even though the agency knew that criminal charges had been brought against the employee and the employee  had been arrested by federal marshals while at the agency. 

The Appeals Court found that there were two possible theories under which a jury could find that the agency breached its legal duty to Mr. Adams:(1) the conflict of interest inherent in allowing the employee  unrestricted access to information relating to a claim against her own insurance policy; and (2) the failure to investigate the employee’s continuing fitness for access to the confidential information of others available through her employment. 

What should insurance agencies do?

-         If an employee is personally involved in a claim, that employee’s access to information about the claim should be restricted or prohibited.

-         Insurance agencies must ensure that, not only do they have policies in place preventing unauthorized access to third party personal information, but also that those policies are being followed and enforced. Enforcement steps include:

-  Regular review of the applicable policies with the employees

-  Regular training sessions to ensure employees understand their responsibilities

-  Regular monitoring employees’ access to the personal information of insured or claimants

-         In the event of allegations of criminal activity by an employee, conduct an independent investigation to determine the nature and extent of the allegations and   take appropriate steps to restrict or prohibit such employee’s access to third party personal information

For further information or for discussion on how to protect your agency, please contact Barnett Ovrut ( or Sherry L. Vaughn (