Stolen Employee Data: PA Supreme Court Decision Breaks New Ground | High Swartz
High Swartz - Attorneys At Law LLP
Print This Page

Stolen Employee Data: Pennsylvania Supreme Court Decision Breaks New Ground

In late 2018, the Pennsylvania Supreme Court decided that employees may sue employers for the release of stolen confidential employee data. The Court’s decision in the Dittman vs. University of Pittsburgh Medical Center, allowed University of Pittsburgh Medical Center (“UPMC”) employees to bring a class action for negligence after a data breach from UPMC’s computer systems.

university of pittsburgh medical center data breach dittman ruling blog by High Swartz firm

By Thomas D. Rees, Labor & Employment Attorney at High Swartz law Firm in Norristown, PA

The Decision’s Impact

The Court’s decision will have a far-reaching impact. First, the decision will require employers to use reasonable care to protect employees’ personal and financial information. Second, the decision allows negligence lawsuits even where the plaintiffs’ losses were purely economic and no physical injury or tangible property damage occurred. As such, the decision limits the “economic loss doctrine” that courts had used to dismiss such lawsuits.

The Back Story

The cyber attack took place in 2014. The data breach led to the theft of 62,000 employees’ names, addresses, birth dates, social security numbers, salaries, or tax and bank information. The hackers taking the information then used the stolen data to file fraudulent tax returns and steal employees’ tax refunds.

The Lawsuit

Right after the breach, a group of employees sued UPMC for negligence and breach of implied contract. The employees contended that UPMC had a duty to use reasonable care to protect employees’ personal and financial information from being compromised, lost, stolen, misused, and /or disclosed to unauthorized parties. The employees claimed that UPMC had breached this duty. Specifically, UPMC had (1) failed to undertake adequate security measures, (2) failed to monitor network security, (3) allowed unauthorized access to information, and (4) failed to recognize that information had been compromised. The employees alleged that UPMC failed to meet current standards for encryption, firewalls, and authentication.

UPMC filed preliminary objections seeking immediate dismissal of the complaint. UPMC argued that no duty of care existed to protect against data breaches, and that the economic loss doctrine barred negligence claims.

The Lower Courts Dismiss the Case

The Allegheny County Court of Common Pleas agreed with UPMC and dismissed the employees’ suit. The Court both relied on the economic loss doctrine and held that courts should not create a new affirmative duty of care to protect against data breaches. The Court had concerns that this new duty of care would flood the court system with lawsuits. The Court also said that data breach liability was a policy issue to be addressed by the legislative branch.

The employees appealed to the Superior Court, where a three judge panel upheld the lower court in a 2-1 decision. One dissenting judge stated that employers have a duty of care to protect against data breaches.

The PA Supreme Court Allows Employees to Sue for Data Breach

After accepting the case for appeal, the Pennsylvania Supreme Court overturned the two lower court decisions on both the duty of care and the economic loss issues. The Supreme Court held that UPMC had the duty to protect employee information since UPMC had taken the affirmative step to require employees to provide certain information. The Court said that this duty existed despite the intervening third party theft, because theft was foreseeable without proper data protection.

On the economic loss issue, the Court allowed a negligence claim for economic loss where a duty existed outside the parties’ contractual relationship. The Court found that the employees alleged that UPMC had a duty, outside any contract, to act with reasonable care in collecting and storing personal and financial information on computer systems. The Court’s decision is a setback for efforts to invoke the economic loss doctrine in defending against business-related tort claims.

Practical Implications: Employers Need to Use Reasonable Care to Protect Employee Data

What are the practical implications of the UPMC ruling? Employers will have to take additional steps to lock down confidential employee information. The decision will affect every employer, since all employers collect confidential data in the course of setting up basic transactions like direct deposit and tax and social security withholding. Legislative action may also provide more specific guidance on data protection. The decision will have a continuing effect in the workplace and in development of new data protection policies.

The information above is general: we recommend that you consult a High Swartz Attorney regarding your specific circumstances.  The content of this information is not meant to be considered as legal advice or a substitute for legal representation. 

About the Author: Tom Rees

Thomas D. Rees heads the firm’s Litigation and Employment Practice. He focuses his practice primarily on employment law, where he represents employers in litigations over employment terminations; restrictive covenants, trade secrets, and other employee mobility issues; employment discrimination and sexual harassment matters; employment contract disputes; and defamation and privacy related matters. Tom also serves employers in a wide variety of non-litigation matters, including contract negotiation, preparation of policies and procedures, and hiring and termination. These services help employers to avoid and resolve disputes without resorting to the courtroom. In addition to employment law matters, Tom also handles complex litigation and dispute resolution in the areas of land use and zoning law, education law, and government regulation.

More posts by Tom