PA Appellate Court Finds No Common Law Duty For Employer Handling Of Employee Info After Data Breach

Saul Ewing LLP

The Pennsylvania Superior Court held yesterday in Dittman v. UPMC et al. that an employer owes no common law duty under a negligence theory to use reasonable care in the collection and storage of employee information and data.  The case involved a data breach by hackers of birth dates, social security numbers, tax information, addresses, salaries, and bank information of 62,000 UPMC employees and former employees.  The data was stolen from UPMC’s computer systems and used to file fraudulent tax returns and steal tax refunds of some employees.

The employees claimed that UPMC failed to keep their information safe by failing to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols to protect information on its network.  Employees sued UPMC for negligence, alleging that UPMC owed a common law duty to protect their personal and financial information, and under an implied contract theory, alleging that UPMC entered into an implied contract with them to safeguard their data.  The court found that UPMC did not owe a common law duty to the employees and that no implied contract existed.

When determining whether UPMC owed a duty to its employees to safeguard their data, the court looked at several factors, including the consequences of imposing such a duty.  The court found this factor significant because data breaches are widespread and there is no safe harbor for entities storing confidential information.  The court also found it unnecessary to require employers to incur potentially significant costs to increase security measures “when there is no true way to prevent data breaches altogether,” and because “employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.”  The court noted that there are already statutory safeguards to prevent employers from disclosing confidential employee information, such as the Pennsylvania Breach of Personal Information Notification Act, statutory protection of social security numbers, and the federal Stored Communications Act.

In analyzing the final factor, whether the public interest favors imposing a duty, the court held that (1) imposing a duty would cause great expense to judicial resources, and (2) the only duty that the legislature has decided to impose is notification of a data breach.  With that in mind, the court ruled against creating a new legal duty beyond the legislative requirements already in place.

Unless this case is overturned by the Pennsylvania Supreme Court, Pennsylvania employers can be encouraged by the fact that the courts will not impose a new legal duty upon them with regard to data breaches.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising