A years-long litigation battle surrounding a data breach at the University of Pittsburgh Medical Center in 2014 has resolved with a judicially approved settlement. Under the agreement, UPMC must pay $2.65 million to 66,000 employees whose personal information was stolen in the data breach. UPMC’s case highlights the responsibilities an employer may have to protect its employees’ private information.
In 2014, hackers breached UPMC’s computer systems and stole employees’ personally identifiable information (PII), including names, addresses, social security numbers, salaries, and bank information. A suspect was arrested for the hacking in 2020 and confessed to selling the employees’ PII on the dark web. The information was then used to file phony tax returns in order to collect fraudulently obtained refunds, leading to $1.7 million in IRS losses.
A class-action suit, Dittman et al. v. University of Pittsburgh Medical Center, was filed on behalf of UPMC employees following the breach. The plaintiffs alleged that UPMC’s failure to adequately secure their PII constituted negligence and breach of implied contract under Pennsylvania common law.
The trial court dismissed the employees’ claims, and the Superior Court, in a split panel decision, affirmed the trial court’s decision. However, on further appeal, the Supreme Court of Pennsylvania issued an important decision reinstating the employee’s negligence claim in 2018.
Pennsylvania Supreme Court decision
Dittman explored whether an employer has a legal duty to use reasonable care when storing its employees PII on a computer system. 649 Pa. 496 (Pa. 2018).
The plaintiffs argued that the legal duty to exercise reasonable care is relatively broad, and when an employer takes affirmative action, it has a duty to exercise reasonable care to ensure that others are protected against an unreasonable risk of harm as a result of its act. See Restatement (Second) of Torts § 302, cmt. a (1965).
The employees argued that they were exposed to risk as a result of UPMC’s affirmative action (requiring the disclosure of PII and storing it on their computers). UPMC, on the other hand, argued that it could not be held liable for a criminal data breach by a third party, because under the law, “there is no duty to protect or rescue someone on account of circumstances the defendant had no role in creating.”
The Court decided for the plaintiffs, holding that an employer has a legal duty to exercise reasonable care in the storage of employees’ PII. In deciding in favor of the plaintiffs, the court found among other things that:
UPMC acted affirmatively by requiring employees to provide certain personal and financial information, and by storing that information on a computer; and
UPMC played a role in the circumstances, since its affirmative conduct created the risk of a data breach.
After the Supreme Court of Pennsylvania’s reversal of the lower courts, the plaintiffs ultimately settled their claims and were able to recover damages.
Other court decisions
The Supreme Court of Pennsylvania is not the only court to have addressed data breach issues in the employment context. Several other courts have held that employees may sue regarding an employer’s duty to protect employees’ PII:
In Sackin v. TransPerfect Global, Inc., email scammers gained access to employees’ W-2 forms and payroll information after a company official mistakenly fell for an email “phishing” scam. 278 F.Supp.3d 739 (S.D.N.Y. 2017). Due to inadequate cybersecurity measures at the company, this information was sent in an unencrypted format, allowing the scammers access to employees’ PII. The Court found that employees had standing to sue, and that they had stated a claim for both negligence and breach of implied contract under New York law.
In McKenzie v. Allconnect, Inc., employees’ PII was also disclosed through response to a phishing email. 369 F.Supp.3d 810 (E.D. Ky., 2019). Employees sued, alleging that Allconnect had failed to take adequate precautions to safeguard their PII against unauthorized release. The Court found that the employees had standing to sue, and that they had stated claims for negligence, breach of implied contract, and invasion of privacy.
In Portier v. NEO Technology Solutions, several employees had their sensitive data compromised by a breach. 2019 WL 7946103 (D. Mass. 2019). Some employees’ PII may have been used to file fraudulent tax returns in their name. The Court denied the defendants’ motion to dismiss on the employees’ claim of negligence, finding that the employer owed its employees a duty of care, that it may have breached that duty by failing to implement adequate security measures, and that it may have caused plaintiffs actual and imminent injuries as a result.
Courts aren’t the only entities safeguarding employees’ PII. Some states have begun enacting statutes requiring employers to take precautions when storing sensitive personal information.
The California Consumer Privacy Act (CCPA) imposes a variety of requirements on companies to safeguard both employee and consumer PII. Under the CCPA, consumers and employees who are impacted by data breaches will be able to bring claims for statutory damages of up to $750 per affected individual per incident, or for actual damages, whichever is higher.
Additionally, New York’s SHIELD Act requires employers whose systems contain the PII of New York Residents (including employees) to develop data security programs, including administrative, physical, and technical safeguards for their data.
While some states are working to ensure that employee data must be protected, the reality is that the majority of states do not have statutes addressing this issue. As a result, employees who are victims of data breaches must usually base their claims on common law causes of action, making them reliant on courts to interpret the law in their favor. And, as the lower court decisions in Dittman illustrate, that may not be a certainty.
Employees who fall victim to data breaches should be aware that they may have a cause of action against their employer. Employers that neglect to implement adequate data security measures, such as firewalls and data encryption, may be held liable for their failure to take reasonable care.
Oscar Heanue contributed to this article.