Pennsylvania’s Supreme Court recently issued a landmark ruling in the case of Dittman v. UPMC which makes employers vulnerable to lawsuits from employees for improper handling of personal data.
UPMC operates the University of Pittsburgh Medical Center and UPMC McKeesport in the Pittsburgh area. Dittman was an employee of UPMC and the lead plaintiff in a class-action lawsuit filed on behalf of all employees of UPMC.
According to the Court’s opinion, hackers successfully targeted UPMC. The hackers stole personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information for all 62,000 of UPMC’s employees. Allegedly, the hackers, or the people to whom they sold the stolen information, filed fraudulent tax returns on behalf of the employees, and exposed them to an “increased and imminent risk of becoming victims of identity theft crimes, fraud, and abuse.”
As a result, the employees of UPMC impacted by the hack sued and claimed that UPMC breached its duty to safeguard their personal information. Specifically, they alleged that UPMC failed to “protect their personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” The employees argued that UPMC, as an employer, had a duty to “ensure the security of their information in light of their special relationship,” as employees and employer, because UPMC required the employees “to provide the information as a condition of their employment.”
The requirements of this duty include “designing, maintaining, and testing its security systems to ensure” that employees’ personal information is “adequately protected, and implementing processes that would detect a breach of its security systems in a timely manner.” Consequently, UPMC allegedly breached this duty because it “violated administrative guidelines and failed to meet current data security industry standards, specifically by failing to encrypt data properly, establish adequate firewalls to handle a server intrusion contingency, and implement an adequate authentication protocol to protect the confidential information contained in its computer network.”
UPMC strenuously objected to the assertion that it owed its employees a duty to protect their data from hackers. It argued that this duty does not exist under the law, in part because the breach is the result of criminal activity and not the actions or inactions of UPMC.
The trial court agreed and dismissed the employees’ claims. The employees appealed and the Superior Court also sided with UPMC, and upheld the dismissal. The employees appealed again, this time to the Supreme Court of Pennsylvania. The Supreme Court overruled the trial court and Superior Court, and agreed with the employees.
The Supreme Court explained that employers must use reasonable care when handling and storing employee data given “the prevalence of electronic data storage in the employment context and the foreseeable risk of breaches of such data.” This is significant because, as the Court noted, “troves of electronic data stored on internet-accessible computers held by large entities are obvious targets for cyber criminals.”
The Supreme Court further held that this duty exists even though the harm is ultimately caused by criminals (the hackers). The duty to protect employee data from hackers is a significant exception to the general rule that there is no duty to protect people from criminal conduct. It is clear that employers must now take reasonable anticipatory measures against criminal conduct of this nature. The Supreme Court explained that this is because the risk of the hack arises from the mass collection of the data and the mass collection of data creates a known likelihood of a hack.
In light of this decision, all employers should immediately undertake an evaluation of their cyber security measures and the storage of sensitive employee information. While employers may not be liable for every hack of their systems and data storage, employers may now be sued by their employees when a hack occurs and be forced to defend the adequacy of their security measures. This is arguably a serious and significant source of new liability for employers. The defense against such a claim will likely cause significant expenses in terms of attorneys’ fees and expert fees to establish the sufficiency of the security system.
Additionally, while this case only deals with employers and employees, there is reason to believe that it will be applicable in other contexts as well. Businesses that require customers to provide personal and financial information in the course of a transaction, and that retain that information electronically, could be subject to the same duty as employers. For this reason, implementing, testing, and maintaining computer security must be a paramount concern for any business in the modern age.
All businesses should consult with their insurance providers to evaluate whether their current policies provide coverage for claims arising from a data breach, or whether additional insurance coverage is needed. Insurers also often can provide services to help businesses assess their vulnerabilities and aid with improving systems in order to minimize the risk of exposure and liability for the insurance carrier in the event of a lawsuit.
Matthew T. Hovey, Esquire is an attorney at the law firm of Wolf, Baldwin & Associates, P.C., which has offices in Pottstown, Reading, and West Chester. He practices in the areas of municipal law, business representation, and civil litigation. He may be reached by telephone at 610.323.7436 or by e-mail to firstname.lastname@example.org.