[BreachExchange] PA Appellate Court Finds No Common Law Duty For Employer Handling Of Employee Info After Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 16 19:02:23 EST 2017


http://www.jdsupra.com/legalnews/pa-appellate-court-finds-no-common-law-33018/

The Pennsylvania Superior Court held yesterday in Dittman v. UPMC et al.
that an employer owes no common law duty under a negligence theory to use
reasonable care in the collection and storage of employee information and
data.  The case involved a data breach in which hackers took the birth dates,
Social Security numbers, tax information, addresses, salaries, and bank
information of 62,000 UPMC employees and former employees.  The data was
stolen from UPMC’s computer systems and used to file fraudulent tax returns
and steal tax refunds of some employees.

The employees claimed that UPMC failed to keep their information safe by
failing to properly encrypt data, establish adequate firewalls, and
implement adequate authentication protocols to protect information on its
network.  Employees sued UPMC for negligence, alleging that UPMC owed a
common law duty to protect their personal and financial information, and
under an implied contract theory, alleging that UPMC entered into an
implied contract with them to safeguard their data.  The court found that
UPMC did not owe a common law duty to the employees and that no implied
contract existed.

When determining whether UPMC owed a duty to its employees to safeguard
their data, the court looked at several factors, including the consequences
of imposing such a duty.  The court found this factor significant because
data breaches are widespread and there is no safe harbor for entities
storing confidential information.  The court also found it unnecessary to
require employers to incur potentially significant costs to increase
security measures “when there is no true way to prevent data breaches
altogether,” and because “employers strive to run their businesses
efficiently and they have an incentive to protect employee information and
prevent these types of occurrences.”  The court noted that there are
already statutory safeguards to prevent employers from disclosing
confidential employee information, like the Pennsylvania Breach of Personal
Information Notification Act, statutory protection of Social Security
numbers, and the federal Stored Communications Act.

In analyzing the final factor, whether the public interest favors imposing
a duty, the court held that (1) imposing a duty would cause great expense
to judicial resources, and (2) the only duty that the legislature has
decided to impose is notification of a data breach.  With that in mind,
the court ruled against creating a new legal duty beyond the legislative
requirements already in place.

Unless this case is overturned by the Pennsylvania Supreme Court,
Pennsylvania employers can be encouraged by the fact that the courts will
not impose a new legal duty upon them with regard to data breaches.