August 7, 2020

Volume X, Number 220

Pennsylvania Companies Must Protect Employees’ Sensitive Data

Employers, and likely all businesses, now have a specific duty to safeguard their employees’ personal data that is stored on internet-based computer systems, according to a recent decision by the Supreme Court of Pennsylvania. Prior legislation only required companies to report potential or actual data breaches to the individuals or businesses whose information may have been, or was, compromised.

In Dittman v. Univ. of Pittsburgh Medical Center, the court held that employers have a duty to exercise reasonable care to protect their employees against an unreasonable risk of harm if the company collects and stores the employees’ data on internet-based computer systems. Further, this duty is independent of any contractual obligations between the employer and employee. The court reasoned that by collecting the data without appropriate security measures, UPMC created a foreseeable risk of a data breach. In other words, UPMC should have known a cyber-criminal might take advantage of its vulnerable computer system and steal the data.

The case involved the theft of social security numbers, dates of birth, tax information, addresses, salaries and bank account information of more than 62,000 current and former UPMC employees. UPMC gathered the sensitive information as a condition of employment. The employees sought money damages for losses due to the filing of fraudulent tax returns and for the increased and imminent risk of identity theft.

This ruling is important because the decision likely extends to any entity (not just employers) that collects and stores sensitive personal data. Additionally, defendants can no longer claim the criminal act of a third party as an intervening act to shield them from liability. As such, this new decision will force companies to incur significant expenses to update their security protocols and will expose them to more risk and potential litigation.

COPYRIGHT © 2020, STARK & STARK

National Law Review, Volume IX, Number 165


About this Author

Bianca A. Roberto is an Associate and member of Stark & Stark’s Business & Corporate Group. Ms. Roberto concentrates her practice in the area of transactional and litigation work, representing corporations, banks, boards, and individuals in a broad range of matters. Prior to joining Stark & Stark, Ms. Roberto served as Judicial Law Clerk to the Honorable Robert O. Baldi and the Honorable Wallace H. Bateman, Jr. in the Bucks County Court of Common Pleas. Ms. Roberto served as a legal intern for The Supreme Court of Pennsylvania for the Honorable J. Michael...