Employer Did Not Owe Legal Duty to Protect Employees' Hacked Personal and Financial Records
University of Pittsburgh Medical Center (UPMC) maintained a human resource database containing current and former employees' names, dates of birth, social security numbers, tax information, addresses, salaries, and bank information. Hackers breached the database and stole financial information for 62,000 individuals and used the information to file fraudulent tax returns and steal tax refunds. In Dittman v. UPMC, the plaintiffs brought a class action alleging UPMC was negligent in securing the data and breached an implied contract. A divided panel of the Pennsylvania Superior Court ruled that UPMC did not owe a legal duty to its current and former employees to protect their personal and financial information from hacking.
The Superior Court balanced the value of employers storing employee data electronically against the risk of data breaches and hacking, concluding that: "Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information." This practical rationale acknowledged that because "there is no true way to prevent data breaches altogether," it is "unnecessary to require employers to incur potentially significant costs to increase security measures." Further, the Superior Court refused to create a judicially-imposed duty of care for employers, finding that companies do not need extra incentive to protect their current and former employees' confidential information. It was noted that Pennsylvania already has statutory safeguards, the Breach of Personal Information Notification Act, in place to prevent the disclosure of confidential employee information.
This decision, and its implications on how courts will likely handle cases involving breaches of human resource databases in the future, should be encouraging to employers. However, employers should take reasonable steps to address hacking issues because, as the Superior Court's opinion illustrates, courts will apply a balancing test which weighs numerous factors on a case-by-case basis to data breach suits. That is, the factual circumstances of a particular data breach may result in a court finding that the employer owed a duty of reasonable care to its current and former employees.
In light of Dittman v. UPMC, employers maintaining confidential employee information electronically should:
- Realize that hackers may target your Human Resources database;
- Talk to your electronic security and IT personnel regarding the risks of hacking and data breach;
- Obtain and maintain the best electronic data security you can afford;
- Institute monitoring protocols to ensure that in the event of a data breach you will be made aware of such breach promptly; and
- Know your legal obligations regarding notification of current and former employees in the event of a data breach.
If you have any questions about employer obligations regarding data breaches of electronically stored employee information, contact Andrew Ruxton at (412) 394-2573 | firstname.lastname@example.org, or another member of Clark Hill's Labor and Employment Practice Group.