The Pennsylvania Supreme Court has recently held that an employer may be liable to its employees for a data breach involving the employees’ “personal and financial information including names, birth dates, social security numbers, addresses, tax forms and bank account information…”
The case, Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center and UPMC McKeesport (“UPMC”), involved a class action complaint on behalf of 62,000 current and former employees of UPMC. The employees asserted that their personal and financial information (described above) was stolen from UPMC’s computer systems and “used to file fraudulent tax returns on behalf of the victimized [e]mployees, resulting in actual damages”. Significantly, the employees also asserted that the information accessed and stolen was information they were required to provide their employer as a condition of employment.
The employees’ claims against UPMC were based on their employer’s alleged negligence in failing to properly maintain and protect the employees’ personal and financial information. Two lower courts had ruled against the employees, resulting in a dismissal of their claims.
On appeal, the Pennsylvania Supreme Court reversed the lower courts and concluded that an employer has a legal duty to exercise reasonable care in collecting, storing and safeguarding its employees’ personal and financial information where the employer chooses to store such information on an “internet accessible computer system” and the employees are required to provide such information as a condition of employment.
Based on the Court’s recognition of this duty, the issue in the case then turned on whether UPMC could be said to have been negligent in the performance of its duty to its employees. As with any matter where one party is claiming injury because of another party’s negligence, the ultimate outcome is fact-specific. In this case, the Court held that the employees had stated a potential claim where they asserted that their information was negligently “collected and stored on its [employer’s] internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls and an adequate authentication protocol.”
The Court did not accept UPMC’s defense that the data breach occurred as a result of criminal activity rather than UPMC’s own negligence: the criminal activity would be “‘within the scope of risk created’” by UPMC and thus something against which it would have to provide protection.
Also rejected by the Supreme Court was the lower courts’ application of the economic loss doctrine. This doctrine, as interpreted by the lower courts, would have barred the employees’ claims because they alleged no physical injury or property damage, only an economic loss. The Supreme Court held that this doctrine was not applicable to the claims in this case because the employees’ claims were not based on a contract claim but on a tort, namely the alleged negligence of UPMC in undertaking its duty to protect the employees’ information.
The Supreme Court, having set forth the employer’s duty to its employees, sent the case back to the trial court for new proceedings consistent with the Supreme Court’s ruling. (The Supreme Court did not actually make a factual determination in this case that the employer was negligent.)
The decision in this case should cause an employer to triple-check the safeguards attached to the data it maintains and to further consider what personal data and financial data (if any) of its employees the employer actually needs to retain. Any data breach may be litigated and analyzed against what protections were in place, what protections could have been in place and whether the employer used reasonable care to protect the information.
Under the Americans with Disabilities Act (ADA), an employer must provide reasonable accommodations to an employee who is disabled (as defined under the ADA) and who is otherwise qualified for the position.
An issue frequently faced by employers and addressed by the courts is what constitutes a “reasonable accommodation”?
A federal appeals court recently addressed this matter, where an employee confined to bed because of complications from her pregnancy requested that she be permitted to work from home or a hospital (telecommuting) for a ten-week period. Mosby-Meachem v. Memphis Light, Gas & Water Div., 2018 WL 988895 (6th Cir. February 21, 2018). The employee served as an in-house counsel for a corporation. Her request to telecommute for ten weeks was denied. The company did not at the time of the request have a formal written telecommuting policy, although it did permit telecommuting and permitted the employee on a prior occasion to telecommute. The employee filed suit under the ADA, and a jury awarded her $92,000 in compensatory damages. In affirming the jury’s award, the court held that a “rational jury [under the specific facts of the case,] could find that the employee was a qualified employee, [covered by the ADA] and that working remotely for ten weeks was a reasonable accommodation.” In reaching its conclusion, the court found that sufficient evidence had been presented to the jury to support the employee’s claim that she “could perform the essential functions of her job remotely for ten weeks…” The court rejected the employer’s claim that the written job description for this employee dictated the opposite result because the job description was outdated and did not reflect the employee’s actual work requirements. The court, in affirming the jury verdict, also relied on the fact that the employer did not engage in an “interactive process” with the employee to understand the limitations the employee faced, and what accommodations might be put in place to allow the employee to continue at her job. Instead, the employer pre-determined what it intended to do without conversing with the employee.
Several lessons can be drawn from this case: First, even if an employer has no telecommuting policy or a policy which does not permit telecommuting, the employer, under a particular set of facts, may be in violation of the ADA if telecommuting would be found to be a reasonable accommodation. Secondly, an employer must engage in an interactive process with an employee to determine what, if any, accommodation might be reasonable under the particular circumstances. This means direct communication between the employer and the employee. An inflexible policy of the employer may end up causing the employer to be in violation of the ADA. Finally, written job descriptions must be reviewed and updated as needed. An outdated or inaccurate job description cannot help an employer and in many instances will be detrimental to an employer seeking to defend against a claim of job discrimination.
Finally, Spring is here! It has certainly been a long, cold, snowy, and relentless winter. I want to take this opportunity to wish all of you a snow-free, warm and sunny Spring. As an employment lawyer, I'd like to do my part to help all of you employers maintain a care-free Spring mood by offering the following Spring cleaning checklist, which can protect your business from litigation and compliance risks.