Employers------Protect Your Employees’ Data - Or Else!

Wednesday, 16 January 2019 21:14 Written by  Michael Klimpl

The Pennsylvania Supreme Court has recently held that an employer may be liable to its employees for a data breach involving the employees’ “personal and financial information including names, birth dates, social security numbers, addresses, tax forms and bank account information…”

The case, Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center and UPMC McKeesport (“UPMC”), involved a class action complaint on behalf of 62,000 current and former employees of UPMC.  The employees asserted that their personal and financial information (described above) was stolen from UPMC’s computer systems and “used to file fraudulent tax returns on behalf of the victimized [e]mployees, resulting in actual damages”. Significantly, the employees also asserted that the information accessed and stolen was information they were required to provide their employer as a condition of employment.

The employees’ claims against UPMC were based on their employer’s alleged negligence in failing to properly maintain and protect the employees’ personal and financial information. Two lower courts had ruled against the employees, resulting in a dismissal of their claims.

On appeal, the Pennsylvania Supreme Court reversed the lower courts and concluded that an employer has a legal duty to exercise reasonable care in collecting, storing and safeguarding its employees’ personal and financial information where the employer chooses to store such information on an “internet accessible computer system” and the employees are required to provide such information as a condition of employment.

Based on the Court’s recognition of this duty, the issue in the case then turned on the question as to whether the UPMC could be said to have been negligent in the performance of its duty to its employees. As with any matter, where one party is claiming injury because of another party’s negligence, the ultimate outcome is fact- specific. In this case, the Court held that the employees had stated a potential claim where they asserted that their information was negligently “collected and stored on its [employer’s] internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls and an adequate authentication protocol.”

The Court did not accept UPMC’s defense that the data breach occurred as result of criminal activity rather that UPMC’s own negligence:  the criminal activity would be   “ ’within the scope of risk created’ “  by UPMC  and thus something  against  which it would have to provide  protection.

Also rejected by the Supreme Court, was the lower courts’ application of the economic loss doctrine. This doctrine, as interpreted by the lower courts, would have barred the employees’ claims because they alleged no physical injury or property damage-only an economic loss. The Supreme Court held that this doctrine was not applicable to the claims in this case because the employees’ claims were not based on a contract claim but based on a tort, namely the alleged negligence of the UPMC in undertaking its duty to protect the employees’ information.

The Supreme Court, having set forth the employer’s duty to its employees, sent the case back to the trial court for new proceedings consistent with the Supreme Court’s ruling.  (The Supreme Court did not actually make a factual determination by this case that the employer was negligent).

The decision in this case should cause an  employer to triple-check the safeguards attached to the data it maintains  and to further consider what personal data and financial data(if any) of its employees   the employer actually  needs to retain. Any data breach may be litigated and analyzed against what protections were in place, what protections could have been in place and whether the employer used reasonable care to protect the information.

Last modified on Thursday, 17 January 2019 16:51
Michael Klimpl

Michael Klimpl

Michael’s practice areas include Real Estate, Municipal Law, Zoning and Land Use, Employment Law, Civil Litigation, Estate Planning and Estate Administration, with a concentration in the areas of employment law, estate planning and administration, and transactional law.

To view Michael Klimpl's full bio, click here.

Leave a comment

Blogger Bios

  • Alan Wandalowski Alan Wandalowski
    Alan concentrates his practice in Estate Planning, Estate Administration, Elder Law, Estate…
  • Bill MacMinn Bill MacMinn
    Bill concentrates his practice in the area of litigation, including Commercial Litigation,…
  • Christopher D. Wagner Christopher D. Wagner
    Christopher Wagner is an experienced and results-driven business law attorney with a comprehensive understanding…
  • Elaine T. Yandrisevits Elaine T. Yandrisevits
    As an estate planning attorney, Elaine Yandrisevits is committed to guiding individuals…
  • Elizabeth J. Fineman Elizabeth J. Fineman
    Elizabeth Fineman concentrates her practice on domestic relations matters and handles a…
  • Gabriel Montemuro Gabriel Montemuro
    Gabe’s practice focuses on litigation, including commercial litigation, personal injury, estate and…
  • Jamie M. Jamison Jamie M. Jamison
    Jamie Jamison is a supportive, knowledgeable advocate to clients experiencing the challenges…
  • Jessica A. Pritchard Jessica A. Pritchard
    Jessica A. Pritchard, focuses her practice exclusively in the area of family…
  • Joanne Murray Joanne Murray
    Joanne concentrates her practice in the areas of Business Law, Business Transactions,…
  • John Trainer John Trainer
    John’s concentrates his legal practice in estate planning, estate administration and elder…
  • Mariam Ibrahim Mariam Ibrahim
    Mariam Ibrahim is dedicated to helping clients and their families navigate the…
  • Michael Klimpl Michael Klimpl
    Michael’s practice areas include Real Estate, Municipal Law, Zoning and Land Use, Employment…
  • Michael W. Mills Michael W. Mills
    Mike is devoted to helping businesses build value and improve working capital,…
  • Patricia Collins Patricia Collins
    Patty has been practicing law since 1996 in the areas of Employment…
  • Stephanie M. Shortall Stephanie M. Shortall
    Throughout her career, Stephanie has developed a practice focused on advising closely…
  • Susan Maslow Susan Maslow
    Sue concentrates her practice primarily in general corporate transactional work and finance…
  • Thomas P. Donnelly Thomas P. Donnelly
    Tom’s practice focuses on commercial litigation and transactions. In litigation, Tom represents…