Monday, November 26, 2018

PA Supreme Court recognizes employer duty to safeguard employee data

Right before Thanksgiving, the Supreme Court of Pennsylvania (SCOPA) issued its opinion in Dittman v. UPMC.

UPMC employees alleged that "a data breach had occurred through which the personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 UPMC employees and former employees was accessed and stolen from UPMC’s computer systems." They further alleged that the data was used to file fraudulent tax returns. Do they have a valid claim?

The case raised two primary issues: (1) Did UPMC actually owe the employees a duty recognized by law? and (2) Does the "economic loss doctrine" preclude the lawsuit?

The Court held that "an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information that the employer stores on an internet-accessible computer system." We don't know exactly what that means yet - but a duty to use reasonable care exists.

For the second issue, the Court addressed the economic loss doctrine, which precludes negligence lawsuits where the only damage is economic (i.e., no physical injury or property damage). The Court ultimately concluded that "recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract."

The big takeaway here is that employers must use reasonable care to protect employee data - and, if they don't and the data gets compromised, those employees have a leg to stand on in court.