Employer Did Not Owe Legal Duty to Protect Employees' Hacked Personal and Financial Records
University of Pittsburgh Medical Center (UPMC) maintained a human resource database containing current and former employees' names, dates of birth, social security numbers, tax information, addresses, salaries, and bank information. Hackers breached the database and stole financial information for 62,000 individuals and used the information to file fraudulent tax returns and steal tax refunds. In Dittman v. UPMC, the plaintiffs brought a class action alleging UPMC was negligent in securing the data and breached an implied contract. A divided panel of the Pennsylvania Superior Court ruled that UPMC did not owe a legal duty to its current and former employees to protect their personal and financial information from hacking.
The Superior Court balanced the value of employers storing employee data electronically against the risk of data breaches and hacking, concluding that: "Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information." This practical rationale acknowledged that because "there is no true way to prevent data breaches altogether," it is "unnecessary to require employers to incur potentially significant costs to increase security measures." Further, the Superior Court refused to create a judicially-imposed duty of care for employers, finding that companies do not need extra incentive to protect their current and former employees' confidential information. It was noted that Pennsylvania already has statutory safeguards, the Breach of Personal Information Notification Act, in place to prevent the disclosure of confidential employee information.
This decision, and its implications on how courts will likely handle cases involving breaches of human resource databases in the future, should be encouraging to employers. However, employers should take reasonable steps to address hacking issues because, as the Superior Court's opinion illustrates, courts will apply a balancing test which weighs numerous factors on a case-by-case basis to data breach suits. That is, the factual circumstances of a particular data breach may result in a court finding that the employer owed a duty of reasonable care to its current and former employees.
In light of Dittman v. UPMC, employers maintaining confidential employee information electronically should:
- Realize that hackers may target your Human Resources database;
- Talk to your electronic security and IT personnel regarding the risks of hacking and data breach;
- Obtain and maintain the best electronic data security you can afford;
- Institute monitoring protocols to ensure that in the event of a data breach you will be made aware of such breach promptly; and
- Know your legal obligations regarding notification of current and former employees in the event of a data breach.
If you have any questions about employer obligations regarding data breaches of electronically stored employee information, contact Andrew Ruxton at (412) 394-2573 | firstname.lastname@example.org, or another member of Clark Hill's Labor and Employment Practice Group.
FAQs: Mandatory COVID-19 Vaccines and the Automotive & Manufacturing Industries
Join us for a presentation where we will share the considerations, implications, and answer your frequently asked questions surrounding the implementation of mandatory COVID-19 vaccines.
Tea & Tidbits: Benefits Strategies for Small Employers
June’s discussion will center around benefit strategies for start-ups or employers who are small and aren’t sure if they can offer benefits at all.
New Customs Enforcement Action on Seafood From China
The WRO on seafood covers tuna, swordfish, and other seafood products harvested by vessels owned or operated by Dalian Ocean Fishing Co., Ltd. The WRO is based on information that reasonably indicates the use of forced labor in Dalian’s fishing fleet.