On November 21, 2018, the Supreme Court of Pennsylvania issued an opinion that could have far-reaching implications both inside and outside the state of Pennsylvania. In its opinion in Dittman v. UPMC, the court ultimately held that an “employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.”
The Dittman matter involved a class action complaint filed by employees against their employer, the University of Pittsburgh Medical Center and UPMC McKeesport (collectively referred to herein as “UPMC”), in which they brought claims for negligence and breach of implied contract arising from a data breach. Specifically, the employees alleged that their personal and financial information, including, among other things, names, birth dates and Social Security numbers, was stolen and could be used to file fraudulent tax returns. The employees alleged that UPMC undertook a duty of care to safely store their data because UPMC required that information as a condition of employment, and that UPMC breached that duty by failing to adequately protect the data: it did not encrypt the data properly, establish firewalls, or implement adequate authentication protocols.
In holding that the employees adequately pled a cause of action against UPMC, the Pennsylvania Supreme Court rejected the lower courts’ conclusion that there was no generally accepted standard of care for protecting data. Indeed, the lower courts had seemingly indicated that data breaches were not preventable, and that an employer therefore should not be required to expend significant resources combating them. The Pennsylvania Supreme Court also rejected UPMC’s argument that the presence of third-party criminality eliminated the duty it owed to its employees, noting that if UPMC realized or should have realized that such third-party conduct might occur, it could be held liable. As such, the court held that it was not creating a new duty, but rather applying an existing duty to a novel factual scenario.
In reaching its decision, the Pennsylvania Supreme Court sent a strong message that those collecting the personal data of others must undertake reasonable measures to protect the data. The court also warned that the presence of a third-party “bad actor” is insufficient to extinguish that duty, especially in light of today’s cyber landscape.