Pennsylvania Supreme Court Holds Employers Must Protect Employee Data | Practical Law


In Dittman v. UPMC, the Pennsylvania Supreme Court held employers have an affirmative duty to safeguard employees' sensitive personal information against third parties' misuse.

Pennsylvania Supreme Court Holds Employers Must Protect Employee Data

Practical Law Legal Update w-017-7645 (Approx. 3 pages)


by Practical Law Intellectual Property & Technology
Published on 26 Nov 2018
Pennsylvania, USA (National/Federal)
In Dittman v. UPMC, the Supreme Court of Pennsylvania held that employers have a duty to use reasonable care to safeguard sensitive personal data that they collect from employees and store on internet-accessible computer systems ( (Pa. Nov. 21, 2018)). The Court vacated the Superior Court of Pennsylvania's judgment, reversed the trial court, and remanded the matter for further proceedings.
In 2014, University of Pittsburgh Medical Center employees filed a class action against their employer. In the lawsuit, they alleged 62,000 current and former employees' personal and financial information was accessed and stolen from UPMC's computer systems in a data breach. The stolen data included:
  • Names.
  • Birth dates.
  • Social Security numbers.
  • Addresses.
  • Tax forms.
  • Bank account information.
The employees further alleged that the stolen data was used to file fraudulent tax returns, resulting in actual damages.
The employees asserted claims for breach of implied contract and negligence on the basis that UPMC:
  • Had a duty to exercise reasonable care to protect the personal and financial information it collected from being compromised, lost, stolen, misused, or disclosed to unauthorized parties.
  • Owed its employees a duty of care to secure their information because:
    • of the special employer-employee relationship; and
    • UPMC required its employees to provide the information as a condition of employment.
  • Breached its duty of reasonable care by failing to:
    • adopt, implement, and maintain adequate security measures to safeguard the information;
    • adequately monitor the security of the network, which allowed a third party unauthorized access to the information; and
    • recognize in a timely manner that the information had been compromised.
  • Violated administrative guidelines by failing to meet current data security industry standards.
UPMC argued the employees' negligence claim failed as a matter of law because:
  • They did not allege any physical injury or property damage.
  • Under the economic loss doctrine, no cause of action exists for negligence when the damage is solely economic.
The lower courts agreed with UPMC, but on appeal the Pennsylvania Supreme Court sided with the employees. It held that an employer has a legal duty to use reasonable care to safeguard its employees' sensitive personal information stored on an internet-accessible computer system. The Court reasoned:
  • UPMC required employees to provide sensitive personal information as a condition of employment.
  • UPMC should have:
    • implemented adequate security measures when collecting and storing the data; and
    • realized the likelihood that a data breach was within the scope of risk UPMC created when it failed to implement adequate security measures.
  • The criminal acts of the third parties who carried out the breach were not a superseding cause that relieved UPMC of its duty, because a breach of this kind was within the scope of the risk UPMC created by failing to adequately secure the data.
  • The economic loss doctrine did not bar the employees' claims because the duty to protect their information with reasonable care existed independently from any contractual obligations.
This decision is notable because the employees succeeded in establishing that an employer can be liable in negligence, under a common law duty of reasonable care, for purely economic losses caused by a data breach. Employers operating in Pennsylvania should review their internal data security program against the failures alleged in this case: adequate security measures for collecting and storing employee data, monitoring of the network for unauthorized access, and timely detection of a compromise.