On November 21, 2018, the Supreme Court of Pennsylvania issued an opinion in the Dittman v. UPMC case holding that employers have a legal duty to exercise reasonable care in safeguarding their employees’ sensitive personal information stored by the employers on internet-accessible computer systems.
The Dittman matter began in 2014 when a class of employees filed suit against their employer, UPMC, alleging that a data breach had occurred wherein their personal and financial information was accessed and stolen from UPMC’s computer systems. The employees further alleged that they were required to provide such data to UPMC as a condition of their employment. The trial court dismissed the employees’ negligence claim, concluding that it should not impose a “new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.” The trial court further stated that creating a private negligence cause of action to recover actual damages that resulted from data breaches could produce “hundreds of thousands of lawsuits,” overwhelming the judicial system and requiring employers to incur substantial costs to defend against such actions, which could potentially drive some employers out of business. The trial court also noted that the legislature in Pennsylvania had already considered the issue of employee data protection. In 2006, Pennsylvania enacted the Breach of Personal Information Notification Act, which only imposes the duty to provide notice of a data breach and gives the Office of Attorney General the exclusive authority to bring an action for violation of such notification requirement.
On appeal to the Superior Court, a three-judge panel issued a split decision affirming the trial court’s dismissal of the employees’ claims. The Superior Court found that it was not necessary to create a judicial duty of care because there already are “statutes and safeguards in place to prevent employers from disclosing confidential information.” The Superior Court also found that it was unnecessary to “require employers to incur potentially significant costs to increase security measures when there was no true way to prevent data breaches altogether.”
The Supreme Court of Pennsylvania later granted allowance of appeal to address two issues, including whether an employer has a legal duty to use reasonable care to safeguard sensitive personal information of its employees when the employer chooses to store such information on an internet-accessible computer system. After considering the parties’ arguments, the Supreme Court held that this case did not involve the imposition of a new duty of care — rather, it involved “the application of an existing duty to a novel factual scenario.” The court observed that “in scenarios involving an actor’s affirmative conduct, he is generally under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.” The court noted that because UPMC required the employees to provide their confidential data as a condition of their employment, and UPMC chose to collect and store such data on its internet-accessible computer systems without the use of adequate security measures, this constituted affirmative conduct on the part of UPMC and that such conduct created the risk of a data breach. Accordingly, UPMC owed the employees the duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that affirmative conduct. Furthermore, the court held that while “the wrongful actions of a third party are not deemed to be foreseeable by a negligent actor merely because he or she could have speculated that they might conceivably occur,” the alleged conditions surrounding UPMC’s collection and storage of its employees’ data “are such that a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal employees’ information; thus, the data breach was within the scope of the risk created by UPMC.”
Based on the Supreme Court’s ruling, employers in Pennsylvania should review their current employee data storage policies and procedures to ensure that they are taking reasonable care to protect such data from unauthorized access. As always, employers should consult with their legal counsel to address any questions or concerns that they have with this newly established legal duty.