What happens to all that sensitive personal information you give your employer when you start a new job, like Social Security Number, bank account number and passport number? If stored electronically, must your employer take reasonable steps to protect it from cyber thieves and breaches? This is not a trick question.
Yes, the Pennsylvania Supreme Court ruled on Nov. 21, 2018 in Dittman v. UPMC, a case that will no doubt resonate throughout the country as other states consider the ruling. Many will adapt it, creating new obligations on the part of employers.
Or are they new? In reversing the decision of the Superior Court, which had affirmed the dismissal of plaintiff’s claims at the trial court, the Supreme Court held that the employer, University of Pittsburgh Medical Center (UPMC), required employees to provide sensitive information such as birthdates, Social Security Numbers, tax information and bank account numbers. In acting in this way, the employer had a duty to act in a way that protected the employees against foreseeable risk. This, the court wrote, is not novel; it’s basic tort law.
The court, having found that a duty exists to protect employees’ information, concluded that the law suit (a class action) could proceed because plaintiffs has sufficiently alleged that UPMC breached its common law obligation to plaintiff employees by failing to take basic precautions such as adequate firewalls and authentication protocols, to protect the data, thereby leading to the cyber-attack and theft of the information. Affirmative harm was demonstrated, the court continued, by the allegation that false tax returns using the purloined information had been filed in the name of some of the employees.
This case has significant ramifications for employers well beyond Pennsylvania. The maxim of tort law upon which it relied is observed in every state, and it won’t be a stretch for courts to apply it to the next data breach. In addition, the Dittmancourt cited law from states as diverse as Illinois and South Carolina in support of its ruling as well as an authoritative text every law student has cited, Restatement (Second) of Torts.
As all emplo0yers collect the same categories of personal information as UPMC did, employers should meet with their counsel and IT personnel to review protections for this information so that they can meet the standards set out in Dittman, because the Dittman ruling will be coming to their states sooner, rather than later.
If you need assistance with laws and regulations pertaining to obligations to safely store employees’ personal information or other aspects of digital information management, please call Kenneth N. Rashbaum.