[BreachExchange] Employer Owes Employees More than a Paycheck

Destry Winant destry at riskbasedsecurity.com
Wed Dec 12 07:51:51 EST 2018


https://www.jdsupra.com/legalnews/employer-owes-employees-more-than-a-91313/

The Pennsylvania Supreme Court recently decided that employers have a
duty to take reasonable steps to protect sensitive employee data from
cyberattacks. The case began after employees at the University of
Pittsburgh Medical Center (“UPMC”) learned that fraudsters accessed
and stole their names, social security numbers, addresses, tax forms,
and bank information. Employees sued UPMC for failing to take
reasonable steps to secure their data.

According to the employees, UPMC failed to encrypt employee data,
establish adequate firewalls, and implement an adequate authentication
protocol. The employees also argued that UPMC had a duty to keep their
data secure because they had to provide it in order to work at UPMC.

The Pennsylvania Supreme Court agreed with the employees. The Court
concluded that when UPMC obtained employees’ sensitive personal
information and stored it on internet-connected servers, UPMC had a
“duty to exercise reasonable care” to protect that data.

UPMC argued that it could not be liable to the employees for
cybercriminals’ criminal acts. The Court rejected that argument,
however, because if UPMC’s actions increased the likelihood of a
fraudster accessing employee data then UPMC can still be liable for
its failure to properly secure the data.

The Court’s conclusion is interesting, because the Court assumes that
a data breach is a foreseeable consequence of failing to take
reasonable steps to secure data. This is contrary to the Eighth
Circuit’s conclusion in State Bank of Bellingham v. BancInsure, Inc.,
previously covered by this blog, that a cyberattack is not always a
foreseeable consequence of lax information security standards.

This case is also contrary to a recent decision from the Third
Circuit, also covered by this blog. In that case, an employee whose
information was breached claimed that the employee handbook promised
him that his data would be secure. He claimed his employer broke that
promise, so he was entitled to damages. The court rejected the
employee’s claim.

These three cases demonstrate that the law in this area remains
unsettled. Employers only have a patchwork of decisions under
different state laws to guide their decision making. The Pennsylvania
Supreme Court’s analysis acknowledges the reality that data breaches
and cyberattacks are a common feature of modern life. As the law
slowly adapts to new risks from cyberattacks, the Pennsylvania Supreme
Court’s analysis seems most consistent with the principle that has
traditionally guided the development of tort law—the one in the best
position to prevent harm should take reasonable steps to do so.

Iowa employers do not have any immediate reason to be concerned about
the outcome in UPMC’s case. The Court’s decision came at a preliminary
stage, and there is still a long way to go before the plaintiffs ever
recover anything. However, employers should view UPMC’s case as a sign
of things to come, and make sure they are taking reasonable steps to
secure their employee data. That doesn’t just mean installing the
latest software and hardware. Reasonable security also means looking
at who has access to sensitive data, and controlling the ability of
any one employee to disseminate that to third parties. As previously
covered by this blog, fraudsters are adept at tricking employees into
sharing information through phishing schemes. Employers need to make
sure they have the right policies, procedures, and technical
safeguards in place to protect their employees’ information. This
means consulting not only with knowledgeable technical experts, but
also knowledgeable counsel to help employers assess legal and
technical risks to their organization.

