Posted on 12/07/2018 at 11:25 AM by John Lande
The Pennsylvania Supreme Court recently decided that employers have a duty to take reasonable steps to protect sensitive employee data from cyberattacks. The case began after employees at the University of Pittsburgh Medical Center (“UPMC”) learned that fraudsters accessed and stole their names, social security numbers, addresses, tax forms, and bank information. Employees sued UPMC for failing to take reasonable steps to secure their data.
According to the employees, UPMC failed to encrypt employee data, establish adequate firewalls, and implement an adequate authentication protocol. The employees argued that UPMC had a duty to keep their data secure because they had to provide it in order to work at UPMC.
The Pennsylvania Supreme Court agreed with the employees. The Court concluded that when UPMC obtained employees’ sensitive personal information and stored it on internet-connected servers, UPMC had a “duty to exercise reasonable care” to protect that data.
UPMC argued that it could not be liable to the employees for cybercriminals’ criminal acts. The Court rejected that argument, however, because if UPMC’s own conduct increased the likelihood of a fraudster accessing employee data, then UPMC could still be liable for its failure to properly secure the data.
The Court’s conclusion is interesting, because the Court assumes that a data breach is a foreseeable consequence of failing to take reasonable steps to secure data. This is contrary to the Eighth Circuit’s conclusion in State Bank of Bellingham v. BancInsure, Inc., previously covered by this blog, that a cyberattack is not always a foreseeable consequence of lax information security standards.
This case is also contrary to a recent decision from the Third Circuit, also covered by this blog. In that case, an employee whose information was breached claimed that the employee handbook promised him that his data would be secure. He claimed his employer broke that promise, so he was entitled to damages. The court rejected the employee’s claim.
These three cases demonstrate that the law in this area remains unsettled. Employers only have a patchwork of decisions under different state laws to guide their decision making. The Pennsylvania Supreme Court’s analysis acknowledges the reality that data breaches and cyberattacks are a common feature of modern life. As the law slowly adapts to new risks from cyberattacks, the Pennsylvania Supreme Court’s analysis seems most consistent with the principle that has traditionally guided the development of tort law—the one in the best position to prevent harm should take reasonable steps to do so.
Iowa employers do not have any immediate reason to be concerned about the outcome in UPMC’s case. The Court’s decision came at a preliminary stage, and there is still a long way to go before the plaintiffs ever recover anything. However, employers should view UPMC’s case as a sign of things to come, and make sure they are taking reasonable steps to secure their employee data. That doesn’t just mean installing the latest software and hardware. Reasonable security also means looking at who has access to sensitive data, and controlling the ability of any one employee to disseminate it to third parties. As previously covered by this blog, fraudsters are adept at tricking employees into sharing information through phishing schemes. Employers need to make sure they have the right policies, procedures, and technical safeguards in place to protect their employees’ information. This means consulting not only with knowledgeable technical experts, but also with knowledgeable counsel to help employers assess the legal and technical risks to their organization.