Pennsylvania Superior Court Rejects Common-Law Duty to Safeguard Employee Personal Information

Many employers collect and store sensitive employee data on a computer system, raising the question of whether the employer has a duty to adopt extra security measures to safeguard that information from increasingly common data breaches. In a recent pro-employer decision, Dittman v. UPMC, the Pennsylvania Superior Court held that an employer owes no duty to employees to safeguard sensitive employee data stored and managed on internet-accessible computer systems, despite those systems' vulnerability to computer hackers.

In 2014, the University of Pittsburgh Medical Center (UPMC) discovered a large-scale data breach in which hackers accessed the private information of approximately 62,000 UPMC employees, including names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The stolen information was then used to file fraudulent tax returns and misappropriate refunds for certain employees. The stolen data had been collected and stored by UPMC as a condition of employment.

The affected employees instituted a class action, alleging, in pertinent part, that UPMC owed a legal duty to protect their personal and financial information by preventing vulnerabilities in its computer systems. The class also alleged that, by collecting the information, UPMC created an implied contract with the employees requiring UPMC to reasonably safeguard its computer systems. The Pennsylvania Superior Court disagreed.

Under Pennsylvania law, courts must balance five factors to determine whether a duty of care exists: (1) the relationship between the parties; (2) the social utility of the conduct; (3) the risk and the foreseeability of the harm; (4) the consequences of imposing a duty; and (5) the public interest in the solution.

Balancing these factors, the Superior Court declined to impose a duty on employers. In fact, the only factor that the Court found weighing in favor of imposing a duty was the first, because of the special relationship between an employer and employee. Nonetheless, the Superior Court acknowledged that employers have an obvious need to collect and store employees’ personal information and, “in the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone.” Indeed, electronic storage of information creates beneficial efficiencies for employers and employees alike. Although data breaches are becoming more common, the Superior Court decided that the risk does not outweigh the social utility of electronically storing employee information.

Further, the Superior Court held that the consequences of imposing a duty weighed against doing so. Significantly, it noted that data breaches are so widespread that there is no way to truly prevent them altogether. Further, there already are safeguards preventing employers from disclosing employees’ confidential information. Therefore, the Superior Court decided that there exists no need to significantly increase security costs by imposing an additional duty to protect electronically-stored personal data.

The Superior Court also rejected the argument that UPMC created an implied contract with the plaintiffs in which it agreed to prevent disclosure of employee information in a data breach. The Court contrasted this situation with a bank's duty of confidentiality to its customers, which arises by virtue of the banking relationship itself.

Although Pennsylvania law does not impose blanket tort liability for the disclosure of employees' personal information in a data breach, a robust data-security program still may be a necessity in some contexts and, ultimately, makes good business sense. As the Superior Court acknowledged, employers must comply with other statutes and regulations governing data privacy, such as the federal Health Insurance Portability and Accountability Act ("HIPAA"), as well as Pennsylvania's Unfair Trade Practices and Consumer Protection Law ("UTPCPL") and Breach of Personal Information Notification Act. Finally, extra data security and privacy measures, to the extent feasible, can help prevent the reputational harm and damage to employee morale that can result from a data breach.

If you have any questions concerning this or other legal issues, please contact Erin R. Kawa (717-909-1624 or ekawa@shumakerwilliams.com) at Shumaker Williams, P.C., PRLA’s General Counsel.