In a groundbreaking decision published on November 21, 2018, the Pennsylvania Supreme Court held, for the first time, that employers must exercise reasonable care to safeguard employee personal information stored on an internet-accessible computer system, and that employers can be held liable in the event of a data breach.
In Dittman v. UPMC, a group of employees brought a class action complaint against the University of Pittsburgh Medical Center (UPMC), alleging that a data breach compromised the personal information (including names, birth dates, social security numbers, addresses, tax forms, and bank account information) of over 60,000 employees. The plaintiffs claimed that the stolen data, which was provided by employees to UPMC as a condition of their employment, was used to file fraudulent tax returns on behalf of some of the employees, and that other employees were placed at increased risk of identity theft in the future. Plaintiffs also claimed that UPMC failed to properly monitor its network security or establish security protocols such as data encryption, firewalls, and authentication requirements.
The claim was initially dismissed at the preliminary stage, and that dismissal was affirmed by a split panel of the Pennsylvania Superior Court. However, the Supreme Court granted the employees’ request for appeal to consider two questions:
(1) Does an employer have a duty to use reasonable care to safeguard employee personal information on an internet-accessible computer system?
(2) Does Pennsylvania’s “economic loss doctrine” bar recovery in cases of this type?
The Supreme Court ruled in favor of the employees on both questions. First, the Court held that since UPMC made an affirmative decision to collect sensitive personal data from its employees, and then store that data on internet-accessible computer systems, it was required to exercise reasonable care to protect that data against unauthorized access. The Court rejected UPMC’s argument that it should not be held liable for the criminal activity that led to the breach, and held that if UPMC had failed to implement security measures before storing the data, criminal access was a foreseeable outcome.
To address the second question, the Court needed to clarify the scope of Pennsylvania’s economic loss doctrine, which bars certain types of claims seeking only economic damages (unaccompanied by physical injury or property damage). The Court held that the economic loss doctrine did not bar the plaintiffs from recovering damages because UPMC’s duty to safeguard employee data exists independently from any contractual obligation. The Court distinguished prior cases that had appeared to endorse a much broader view of the economic loss doctrine.
In a concurring and dissenting opinion, Chief Justice Thomas Saylor agreed that the plaintiffs’ negligence claim should be permitted to continue. However, Chief Justice Saylor suggested that since the plaintiffs’ claim was a hybrid between a tort claim and a contract claim, the economic loss doctrine could still apply to impose limitations on the amount of damages awarded.
The Supreme Court remanded the Dittman case back to the trial court. If the case does not settle out of court, the parties will have to engage in discovery to determine what, if any, data security safeguards were in place at UPMC during the relevant time period. If the case proceeds far enough, cyber security experts could be retained to testify about what types of security measures would have been reasonable to protect the employee data. The Supreme Court did not provide any guidance about how damages should be determined for this type of claim.
This ruling serves as yet another reminder of the importance of data security in the modern workplace, and represents a growing area of risk for employers. Under Pennsylvania’s Breach of Personal Information Notification Act, companies are already required to provide notice of data breaches to those impacted. Pennsylvania employers may now see an increase in data breach lawsuits seeking damages.
While Dittman does not require employers to successfully prevent all cyber-attacks, employers should take a hard look at whether they have utilized “reasonable care” to safeguard any employee data on internet-accessible devices. Depending on the size and sophistication of the company, and the nature of the employee data being stored electronically, this could include an internal review of company data security, or a consultation with an outside data security expert. Employers who utilize Human Resource Information Systems or Human Resource Management Systems (HRIS/HRMS) or other third-party systems to track and store employee information should talk with their providers to ensure that security measures (such as ongoing security monitoring, encryption, firewalls, dual authentication, etc.) meet or exceed industry standards. Employers should also consider training their employees to recognize social engineering techniques used by cyber criminals, such as “phishing” e-mails that attempt to trick users into providing passwords or other information.
HR Legalist will continue to monitor the impact of the Dittman case and any further developments as the case continues. Employers with questions about this case, or about data security issues in general, should consult with counsel with experience in this area, as well as personnel with technical expertise in data security.
See 73 P.S. §§ 2301-2329.