The Pennsylvania Supreme Court has recently held that an employer may be liable to its employees for a data breach involving the employees’ “personal and financial information including names, birth dates, social security numbers, addresses, tax forms and bank account information…”
The case, Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center and UPMC McKeesport (“UPMC”), involved a class action complaint on behalf of 62,000 current and former employees of UPMC. The employees asserted that their personal and financial information (described above) was stolen from UPMC’s computer systems and “used to file fraudulent tax returns on behalf of the victimized [e]mployees, resulting in actual damages”. Significantly, the employees also asserted that the information accessed and stolen was information they were required to provide their employer as a condition of employment.
The employees’ claims against UPMC were based on their employer’s alleged negligence in failing to properly maintain and protect the employees’ personal and financial information. Two lower courts had ruled against the employees, resulting in a dismissal of their claims.
On appeal, the Pennsylvania Supreme Court reversed the lower courts and concluded that an employer has a legal duty to exercise reasonable care in collecting, storing and safeguarding its employees’ personal and financial information where the employer chooses to store such information on an “internet accessible computer system” and the employees are required to provide such information as a condition of employment.
Based on the Court’s recognition of this duty, the issue in the case then turned on the question of whether UPMC could be said to have been negligent in the performance of its duty to its employees. As with any matter where one party is claiming injury because of another party’s negligence, the ultimate outcome is fact-specific. In this case, the Court held that the employees had stated a potential claim where they asserted that their information was negligently “collected and stored on its [employer’s] internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls and an adequate authentication protocol.”
The Court did not accept UPMC’s defense that the data breach occurred as a result of criminal activity rather than UPMC’s own negligence: the criminal activity would be “‘within the scope of risk created’” by UPMC and thus something against which it would have to provide protection.
Also rejected by the Supreme Court was the lower courts’ application of the economic loss doctrine. This doctrine, as interpreted by the lower courts, would have barred the employees’ claims because they alleged no physical injury or property damage, only an economic loss. The Supreme Court held that this doctrine was not applicable to the claims in this case because the employees’ claims were not based on a contract claim but on a tort, namely the alleged negligence of UPMC in undertaking its duty to protect the employees’ information.
The Supreme Court, having set forth the employer’s duty to its employees, sent the case back to the trial court for new proceedings consistent with the Supreme Court’s ruling. (The Supreme Court did not actually make a factual determination in this case that the employer was negligent.)
The decision in this case should cause an employer to triple-check the safeguards attached to the data it maintains and to further consider what personal data and financial data (if any) of its employees the employer actually needs to retain. Any data breach may be litigated and analyzed against what protections were in place, what protections could have been in place and whether the employer used reasonable care to protect the information.