The Pennsylvania Supreme Court handed the state’s employees a major legal victory last week when it decided that employers have an affirmative legal responsibility to protect the confidential information of its employees.
In reversing two lower courts, the justices ruled that, by collecting and storing employee’s personal information as a pre-condition to employment, employers had the legal duty to take reasonable steps to protect that information from a cyber-attack.
“[A]n employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system,” wrote Justice Max Baer for the court. “Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach … UPMC owed [e]mployees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”
The ruling revives a proposed class action lawsuit against the University of Pittsburgh Medical Center and one of its hospitals, UPMC McKeesport, after a 2014 data breach in which hackers allegedly stole the personal information of 62,000 former and current employees. According to the amended complaint, the information stolen by hackers included birth dates, Social Security Numbers, tax forms, and banking information. It was further alleged that the information was used to file fraudulent tax returns and steal tax refunds “that resulted in actual damages to victimized employees….”
The amended complaint alleged that employee information was stored by the medical center without use of adequate security measures including proper encryption, adequate firewalls, and authentication protocols.
Whether the ruling is viewed narrowly as confined to its facts, or more broadly as establishing a general legal duty to safeguard confidential information, there is little question that the decision marks an important development in tort law governing data breach cases.
At the federal level, the viability of data breach lawsuits has turned on the issue of standing—the requirement that, under Article III of the U.S. Constitution, federal courts limit themselves to hearing ‘‘actual cases or controversies.’’ The federal circuits have split on the standing issue in data breach cases, with several circuits holding that the risk of future harm is sufficient to confer Article III standing. Other circuits have required a more concrete showing of harm. For a deeper dive into the standing issue, click here.
The case is Dittman et al. v. UPMC, Case No. 43 WAP 2017.
