The Pennsylvania Supreme Court found the legal duty in common law – that is, not in statute or in contract. The crux of the Pennsylvania Court’s reasoning centered on the fact that cyberattacks are becoming more common and are thus potentially foreseeable risks. This appellate decision was a reversal of an earlier decision that was concerned with the ramifications of imposing a legal duty that could subject employers to litigation. Note that the liability in Dittman did not arise because the breach occurred, but rather because the defendant failed to show that it worked sufficiently to stop the breach from occurring – that’s part of how the alleged negligence arose.
The lesson from Dittman is a simple one: commercially reasonable preventative care steps on workplace data security can mitigate or eliminate the risks associated with employee litigation, as well as protect a business from the other harms that accompany breaches.