The Pennsylvania Supreme Court has ruled that an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information that it requires an employee to provide and that the employer stores on an internet-accessible computer system, and that an employee can recover economic damages resulting from the misuse of such information if the employer failed to utilize adequate measures to prevent its theft. The decision is new law in Pennsylvania, and exposes an employer to significant potential liability in the event its computer system is hacked.
The case, Ditman v. UPMC D/B/A The University of Pittsburg Medical Center (November 21, 2018), involved a claim by employees that their personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information were accessed through a data breach of the employer’s internet-accessible computer system, and that the stolen data was used to file fraudulent tax returns on behalf of the employees.
This decision raises questions which will need to be answered by future decisions. What constitutes reasonable measures to protect an employee’s sensitive personal and financial information from the foreseeable risk of a data breach? Is expensive and often cumbersome encryption technology required? What are “adequate” firewalls and authentication protocols?
Perhaps more critical, are there any limitations on the damages an employee can recover? The criminal use of stolen data can cause significant losses to victims. Although a concurring and dissenting opinion suggests the possibility of limiting damages to “mitigation damages”, the majority opinion did not address the issue (the case was before the Supreme Court at a pre-trial stage, so the issue of specific damages was not before the Court).
Employers should consult with their computer services provider about the cost and efficiency of enhanced security measures for their employee information. Insurance providers should also be consulted about available coverages.