On November 21, 2018 Pennsylvania’s highest court ruled that employers in Pennsylvania have an affirmative legal duty to protect workers’ sensitive data from possible hacking. This ruling has profound implications for employers, which may now be subject to liability for failing to take reasonable precautions to protect their employees from cyber attacks.
In a proposed class action, employees of the University of Pittsburgh Medical Center sought damages after a data breach exposed the personal information – including names, dates of birth, addresses, Social Security numbers, bank, salary, and tax information – of approximately 62,000 UPMC employees. The employees’ information was then used to steal tax refunds through filing of false tax returns. Of critical importance to the court’s ruling, UPMC collected its workers’ personal data as a condition of employment.
The employees’ proof of this requirement of sharing personal information was, according to the court, a sufficient allegation that UPMC’s affirmative conduct created the risk of a data breach. Therefore, the court explained, “we agree with employees that, in collecting and storing employees’ data on its computer systems, UPMC owed employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” The court explained that it was not creating a new duty, but rather that this was the “application of an existing duty to a novel factual scenario.”
As a result of the court’s ruling, the case will return to the trial court where the employees may proceed to put forward proof that UPMC breached its duty to protect their personal data.
The implications of this ruling on cyber security tort law are profound for employers in Pennsylvania, and perhaps nationwide should the Pennsylvania Supreme Court’s reasoning be followed elsewhere. Given the recognition of this duty of care, it should be expected that plaintiffs’ attorneys will look to bring suit against employers on behalf of workers affected by cyber attacks on their employers. Likewise, the court’s ruling will likely be cited by claimants seeking damages as a result of data breaches in other contexts outside of the employer-employee relationships, such as consumers. Indeed, the Court’s ruling does not appear to rely on any specific relationship between the employer and employee in reaching its conclusion, but rather the conduct of requesting and then storing of personally identifiable information.
With the proliferation of regulatory requirements around cyber security, larger employers were already likely taking steps to aggressively protect personally identifiable information from cyber attacks and perhaps are in position to argue that they have already taken reasonable steps to defend against civil claims for breach of a duty. However, the potential for liability for failure protect against data breaches may have a significant impact on smaller and mid-sized entities which may not otherwise have acted to secure such data. Companies of any size which obtain personally identifiable information of employees, customers, clients, and even third-party individuals with whom they have no direct relationship should take heed and evaluate whether they are taking reasonable precautions to protect the data of such individuals.
Read our Employment and Labor Practice Group’s overview of the case here.