Tuesday, November 27, 2018

UPDATE: Does an employer have a duty to protect the personal information of its employees?


In July, I asked whether an employer owes its employees a legal duty to protect their personal information. I discussed cases that answered that question in both the affirmative and the negative. I also suggested that regardless of whether employers have a legal duty to protect the personal information and data of your employees, they still have a significant financial and reputational incentive to take reasonable steps to maintain the privacy and security of all of their information.

The dominoes, however, are starting to fall on the existence of a legal duty.

In Dittman v. UPMC d/b/a the University of Pittsburgh Medical Center, a group of UPMC current and former employees sued their employer following the theft of their names, birth dates, social security numbers, tax information, addresses, salaries, and bank account information was stolen from UPMC’s computer systems.

Last week, the Pennsylvania Supreme Court held that the employer did owe a duty to its employees to protect their information, reversing the appellate court that had held otherwise.

We hold that an employer has a legal duty to exercise reasonable care to safeguard its employees sensitive personal information stored by the employer on an internet accessible computer system.…

As a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate  authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC.…

Employees have sufficiently alleged that UPMC's affirmative conduct created the risk of a data breach. Thus, we agree with Employees that, in collecting and storing Employees' data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.

What does this mean for you and your business?

Unless you are in Pennsylvania, likely not much legally.

But practically, this case matters. As data breaches continue to increase in quantity and quality, courts and legislatures will look for ways to shift the cost of those harm to those who can both better afford it and better take measures to hedge against them. In other words, while there is scant law on this issue now, in five years I predict we will view Dittman as the start of a trend, and not a legal anomaly.

The question for you and your business to answer is what are you going to do about it. I offer some suggestions here. Generally speaking, the time to get your business's cyber-house in order is now (actually, it was years ago, but let's go with now if you're late to the game). Don't wait for a court to hold you liable to your employees (and others?) after a data breach.

* Photo by Kaur Kristjan on Unsplash