Published in the December, 2018 PA Insider Newsletter Articles
Published on: Sat 1st Dec, 2018 By: Brian P. Gabriel
The Pennsylvania Supreme Court recently held that employers have a common law duty to use reasonable care in storing employees’ personal information and data on internet-accessible systems and that negligence is now a viable cause of action where an employer fails to provide adequate data security. The Court’s decision opens a new avenue for plaintiffs’ lawyers that requires all employers to review and ensure that their data security measures adequately prevent against any type of data breach and the significant liability that may follow.
In 2014, the University of Pittsburgh Medical Center (UPMC) suffered a data breach which led to the theft of names, Social Security numbers, addresses, tax information, bank account information, and birthdates belonging to thousands of UPMC employees. The plaintiffs in Dittman v. UPMC alleged that UPMC had been negligent in securing the employees’ personal information, which was allegedly stored on an internet-accessible computer system. Employees were required to disclose the personal information to UPMC as a condition of employment. The identity theft led to the filing of fraudulent tax returns and actual damages to the plaintiffs.
The Supreme Court unanimously reversed the trial court’s pre-trial dismissal and found that UPMC had a duty of reasonable care in securing its employees’ personal information where UPMC had affirmatively collected this sensitive information as a condition of employment. The fact that a third party executed the criminal data breach did not relieve the employer’s duty to safeguard the information or from potential liability. UPMC’s affirmative collection of personal information from its employees created the foreseeable risk of a cyber data breach. As a result, UPMC was required to implement reasonable protections against such an attack.
Given the procedural posture of the case – pretrial dismissal of the case by the trial court – there was no analysis of what level of cybersecurity meets the duty of reasonable care. Nonetheless, the message from the Supreme Court could not have been clearer: requiring employees to turn over sensitive personal information necessitates a reasonable effort by the employer to protect that information.
The Pennsylvania Political Subdivision Tort Claims Act (the “Act”) may still provide some protection for municipalities from claims of negligence arising from a data breach. However, there are no reported decisions that provide certainty under the Act at this point in time. Further, creative attorneys may develop theories that are outside of the immunity provided in the Act. Such claims could potentially develop from constitutional rights, contract based theories or statutorily-based privacy protections. Thus, it would be a mistake for any municipality to rely on the Act, particularly where this area of the law is continuing to evolve and costly litigation may only add to the harmful effects of a data breach.
Employers across Pennsylvania must carefully review the manner in which they are storing employees’ personal information and whether their cybersecurity adequately protects against such information from ever-evolving security threats.