Welcome to the AMM Law Blog, a tool to help you keep up to date on current legal developments over the broad spectrum of our practice areas. We welcome your comments and suggestions to create a dynamic forum that will be of interest to readers and participants.
The Pennsylvania Supreme Court has recently held that an employer may be liable to its employees for a data breach involving the employees’ “personal and financial information including names, birth dates, social security numbers, addresses, tax forms and bank account information…”
The case, Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center and UPMC McKeesport (“UPMC”), involved a class action complaint on behalf of 62,000 current and former employees of UPMC. The employees asserted that their personal and financial information (described above) was stolen from UPMC’s computer systems and “used to file fraudulent tax returns on behalf of the victimized [e]mployees, resulting in actual damages”. Significantly, the employees also asserted that the information accessed and stolen was information they were required to provide their employer as a condition of employment.
The employees’ claims against UPMC were based on their employer’s alleged negligence in failing to properly maintain and protect the employees’ personal and financial information. Two lower courts had ruled against the employees, resulting in a dismissal of their claims.
On appeal, the Pennsylvania Supreme Court reversed the lower courts and concluded that an employer has a legal duty to exercise reasonable care in collecting, storing and safeguarding its employees’ personal and financial information where the employer chooses to store such information on an “internet accessible computer system” and the employees are required to provide such information as a condition of employment.
Based on the Court’s recognition of this duty, the issue in the case then turned on the question as to whether the UPMC could be said to have been negligent in the performance of its duty to its employees. As with any matter, where one party is claiming injury because of another party’s negligence, the ultimate outcome is fact- specific. In this case, the Court held that the employees had stated a potential claim where they asserted that their information was negligently “collected and stored on its [employer’s] internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls and an adequate authentication protocol.”
The Court did not accept UPMC’s defense that the data breach occurred as result of criminal activity rather that UPMC’s own negligence: the criminal activity would be “ ’within the scope of risk created’ “ by UPMC and thus something against which it would have to provide protection.
Also rejected by the Supreme Court, was the lower courts’ application of the economic loss doctrine. This doctrine, as interpreted by the lower courts, would have barred the employees’ claims because they alleged no physical injury or property damage-only an economic loss. The Supreme Court held that this doctrine was not applicable to the claims in this case because the employees’ claims were not based on a contract claim but based on a tort, namely the alleged negligence of the UPMC in undertaking its duty to protect the employees’ information.
The Supreme Court, having set forth the employer’s duty to its employees, sent the case back to the trial court for new proceedings consistent with the Supreme Court’s ruling. (The Supreme Court did not actually make a factual determination by this case that the employer was negligent).
The decision in this case should cause an employer to triple-check the safeguards attached to the data it maintains and to further consider what personal data and financial data(if any) of its employees the employer actually needs to retain. Any data breach may be litigated and analyzed against what protections were in place, what protections could have been in place and whether the employer used reasonable care to protect the information.
Now that the hustle of the holiday season is over, everyone is looking forward to the new year. January tends to be the month where people look for a fresh start and catch up on the tasks that were pushed off during the holiday season. For many people, that involves making new year’s resolutions. While some resolutions are harder to keep than others, a very simple resolution to make and keep is to review and update your estate plan.
Here are factors to keep in mind when considering updating your estate plan:
1. Life changes in your family: An estate plan is not one-size-fits-all; it is customized to meet your family’s unique circumstances and needs. Perhaps you had an estate plan prepared when your children were very young, but now they are older and capable of managing their own financial resources. In contrast, perhaps you have concerns about a child’s ability to make prudent financial choices, and would like to know your options for protecting any inheritance they might receive. Maybe you have a child or other family member with disabilities, and you are concerned about how the receipt of an inheritance will affect their public benefits. Perhaps you now have grandchildren that you would like to provide for as part of your estate plan. An estate plan can take all of these areas into consideration and be drafted to best fit your needs.
2. Your personal financial profile: Everyone’s financial profile changes over time. You may have accumulated significant assets since the last time you reviewed your estate plan, or you may be retiring and drawing down on your hard-earned assets. An estate plan created when you had a very different financial profile may not provide the best treatment of your estate based on its current and projected status.
3. Fiduciary roles in your estate plan: Creating an estate plan involves selecting various individuals (or entities) as fiduciaries, such as the Executor of your estate, Trustee of any trusts created under your estate plan, Guardian of your minor children, Agent during your life under your Power of Attorney, and Surrogate to make end-of-life decisions in your Living Will. Each of these roles is very important, so you should consider if the individuals who are named in these roles in your current estate planning documents are still the people you would want to serve. Your documents may name individuals who have gotten older and may be unable to serve in these roles due to health concerns, or individuals who have moved away and may not be able to effectively serve due to geographical distance. You may have created documents when your children were younger, but may now feel that your children are mature enough to take on these responsibilities. While anyone named in an estate planning document may resign or renounce if they are unable to serve in a fiduciary role, updating your documents now will avoid the time and delay involved in appointing the appropriate individuals to these roles in the future.
4. Changes in the tax laws: There is a saying that the only two constants in life are death and taxes, and your estate involves both. Your estate may be subject to various estate, inheritance, and/or generation-skipping taxes, and the law in these areas is constantly evolving. Depending on the law and your personal financial profile, your estate plan can be crafted to reduce your estate’s exposure to these taxes. Documents designed to account for one set of tax laws may not be as effective once those laws change, so it is important to update your documents to ensure they stay current.