Late last year, the Pennsylvania Supreme Court issued a decision imposing a new duty on employers to protect employees’ personal information. The ruling permitted employees of the University of Pittsburgh Medical Center (UPMC) to maintain a lawsuit to hold UPMC liable for a data breach. From an employer’s perspective, the most significant impact of the case is the limitation of the economic loss doctrine, which generally precludes negligence claims in the absence of physical injury or property damage. Employees can now recover purely pecuniary damages by showing a breach of a legal duty independent of contractual duties.
The case arose from a data breach that exposed the personal information of over 62,000 employees, including names, addresses, Social Security numbers, and other personal financial information that UPMC had collected for its employment records. UPMC maintained this personal information in an online data bank, accessible via the internet. As a result of the breach, many employees had fraudulent tax returns filed under their names, and many others had their identities stolen.
Affected employees filed a class action suit in the Allegheny County Court of Common Pleas seeking to hold UPMC liable for the data breach, arguing that UPMC had a duty to exercise reasonable care in safeguarding its employees’ personal information. The employees claimed that UPMC put them at risk of having their information stolen by storing it online without sufficient protections to prevent breaches or leaks of that information.
UPMC filed preliminary objections asserting that the economic loss doctrine barred the employees’ claims. The trial court agreed with UPMC and dismissed the class action. The trial court reasoned that public policy disfavored creating a new cause of action that would overwhelm the judicial system and put many entities out of business. A split panel of the Superior Court affirmed the trial court’s decision, adding that employers do not have a duty to guard against unspecified criminal activity by third parties.
The Pennsylvania Supreme Court, however, agreed with the employees, finding that UPMC’s choice to store the employees’ personal information online, allegedly without any firewall, antivirus, encryption, or authentication protocol to protect the information, could be negligent. In other words, UPMC could have foreseen that, without protective measures of any kind, its employees’ information might be stolen, and it should therefore be responsible for compensating the employees who were harmed. Given the current prevalence of cybercrime and the emphasis on cyber-security, UPMC could have anticipated that, absent any obstacles, cybercriminals would have an easy target in the data bank of employees’ personal information.
The Supreme Court’s decision paves the way for employees to bring lawsuits where their personal information, stored with an employer on an online data bank, was breached as a result of the employer failing to protect it. Employers now have a legal duty to exercise reasonable care to safeguard their employees’ sensitive personal information gathered for employment purposes and stored by the employer on an internet-accessible computer system. This means that employers without any kind of cyber-security in place to secure employee data should invest in data protection measures.
The court did not reach the issue of what constitutes a “reasonable” security measure. Therefore, it is unclear what employers need to do to protect their employees’ personal information. Firewalls, antivirus software, encryption, or password protections are safe bets. A combination of any of the above may be considered reasonable, if the procedures are consistently followed by all personnel with access to employee data. For businesses or employers who already use cyber-security measures to protect client or patient data online, choosing to expand those measures to protect employee data is a worthy endeavor.
This article was written with contribution from Sarah Rothermel, 3rd year law student at Widener Law Commonwealth.