Employer Owes Employees More than a Paycheck

Dickinson, Mackaman, Tyler & Hagen, P.C.

The Pennsylvania Supreme Court recently decided that employers have a duty to take reasonable steps to protect sensitive employee data from cyberattacks. The case began after employees at the University of Pittsburgh Medical Center (“UPMC”) learned that fraudsters accessed and stole their names, social security numbers, addresses, tax forms, and bank information. Employees sued UPMC for failing to take reasonable steps to secure their data.

According to the employees, UPMC failed to encrypt employee data, establish adequate firewalls, and implement an adequate authentication protocol. The employees also argued that UPMC had a duty to keep their data secure because they had to provide it in order to work at UPMC.

The Pennsylvania Supreme Court agreed with the employees. The Court concluded that when UPMC obtained employees’ sensitive personal information and stored it on internet-connected servers, UPMC had a “duty to exercise reasonable care” to protect that data.

UPMC argued that it could not be liable to the employees for cybercriminals’ criminal acts. The Court rejected that argument, however, because if UPMC’s actions increased the likelihood of a fraudster accessing employee data, then UPMC can still be liable for its failure to properly secure the data.

The Court’s conclusion is interesting, because the Court assumes that a data breach is a foreseeable consequence of failing to take reasonable steps to secure data. This is contrary to the Eighth Circuit’s conclusion in State Bank of Bellingham v. BancInsure, Inc., previously covered by this blog, that a cyberattack is not always a foreseeable consequence of lax information security standards.

This case is also contrary to a recent decision from the Third Circuit, also covered by this blog. In that case, an employee whose information was breached claimed that the employee handbook promised him that his data would be secure. He claimed his employer broke that promise, so he was entitled to damages. The court rejected the employee’s claim.

These three cases demonstrate that the law in this area remains unsettled. Employers only have a patchwork of decisions under different state laws to guide their decision making. The Pennsylvania Supreme Court’s analysis acknowledges the reality that data breaches and cyberattacks are a common feature of modern life. As the law slowly adapts to new risks from cyberattacks, the Pennsylvania Supreme Court’s analysis seems most consistent with the principle that has traditionally guided the development of tort law—the one in the best position to prevent harm should take reasonable steps to do so.

Iowa employers do not have any immediate reason to be concerned about the outcome in UPMC’s case. The Court’s decision came at a preliminary stage, and there is still a long way to go before the plaintiffs ever recover anything. However, employers should view UPMC’s case as a sign of things to come, and make sure they are taking reasonable steps to secure their employee data. That doesn’t just mean installing the latest software and hardware. Reasonable security also means looking at who has access to sensitive data, and controlling the ability of any one employee to disseminate that to third parties. As previously covered by this blog, fraudsters are adept at tricking employees into sharing information through phishing schemes. Employers need to make sure they have the right policies, procedures, and technical safeguards in place to protect their employees’ information. This means consulting not only with knowledgeable technical experts, but also knowledgeable counsel to help employers assess legal and technical risks to their organization.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson, Mackaman, Tyler & Hagen, P.C. | Attorney Advertising
