Employer Duties to Protect Employee Data

Do employers have a duty to protect their employees’ data? In Dittman v. UPMC, the Pennsylvania Supreme Court determined, among other things, that the defendant employer had a duty to use reasonable care in protecting employee data. See __ A.3d __, No. 43 WAP 2017 (Pa. 2018). Dittman concerned a data breach that allegedly compromised the personal information of employees and former employees of the defendant. The defendant required employees to provide this personal information as a condition of employment. The claims asserted, among other things, that the defendant was negligent by not taking appropriate steps towards safeguarding employees’ sensitive information.


The Pennsylvania Supreme Court found the legal duty in common law – that is, not in statute or in contract. The crux of the Pennsylvania Court’s reasoning centered on the fact that cyberattacks are becoming more common and are thus potentially foreseeable risks. This appellate decision was a reversal of an earlier decision that was concerned with the ramifications of imposing a legal duty that could subject employers to litigation. Note the liability in Dittman did not arise because the breach occurred but rather because the defendant failed to show that it worked sufficiently to stop the breach from occurring – that’s part of how the alleged negligence arose.

The lesson from Dittman is a simple one: commercially reasonable preventative steps on workplace data security can mitigate or eliminate the risks associated with employee litigation, as well as protect a business from the other harms that accompany breaches.
