Pennsylvania Supreme Court finds a common law duty for employers to protect sensitive employee information
In 2014, hackers broke into the University of Pittsburgh Medical Center’s (UPMC) computer system and stole large amounts of personal information about UPMC’s employees.
The employees were, unsurprisingly, unable to find the hackers and hold them responsible. They opted instead to sue UPMC, alleging that the hospital had indirectly caused their harm by forcing employees to provide sensitive data and then acting negligently in protecting that data. The problem was that the trial court found UPMC had no legal duty to protect its employees’ data and dismissed the case. On appeal, the Pennsylvania Superior Court agreed and upheld the dismissal. But in a new opinion, the Pennsylvania Supreme Court disagreed with the lower courts, finding that employers do in fact have a duty to protect the sensitive information they gather from employees.
The trial court and the intermediate appellate court had dismissed the case for two primary reasons. First, they found that there was no explicit legal duty for employers to protect their employees’ information. These courts applied the five-factor test from Althaus ex rel Althaus v. Cohen, 562 Pa. 547, 756 A.2d 1166 (2000) to evaluate whether a new common law duty of care existed. In applying the Althaus test, the lower courts found that the financial consequences of imposing a duty of care in these types of cases would be a substantial burden on businesses. The lower courts then reasoned that this additional burden was not offset by the benefit of imposing a duty of care because companies already have an incentive to protect against breaches, and therefore a new rule wouldn’t significantly benefit the public.
The Pennsylvania Supreme Court disagreed, finding that there was no need to evaluate the cost and benefit of a new duty under Althaus because the general duty of care already applied to these situations. The common law rule provides that when an actor takes an affirmative action, that actor must exercise reasonable care to protect others from the foreseeable risk of harm from such action. UPMC required its employees to provide personal and financial information to the hospital and stored that information on an internet-accessible computer system without proper or adequate security measures. These were affirmative acts by UPMC, and a data breach was a foreseeable risk of these acts. Accordingly, the Court found that UPMC had a duty to exercise reasonable care to mitigate those foreseeable risks.
There are many questions left open by this decision. How, for instance, is the duty of care measured, and does it apply to all employee data or just especially sensitive data, such as social security numbers? Does it apply to other entities that store data or just employers? And what about entities outside of Pennsylvania that store the data of Pennsylvania residents? Those questions will have to be decided by future cases. What is clear, however, is that this case continues the recently increasing trend of holding data controllers liable for breaches caused by third-party hackers.
In the past, the legal duty to protect data existed only in fields, such as finance and health care, that involved particularly sensitive data. Today, courts are recognizing that sensitive data can be (and often is) maintained by all types of entities, and that any entity that collects sensitive data needs to exercise reasonable care to protect that data. While this ruling is limited to Pennsylvania, it is representative of a growing trend. It is likely only a matter of time before more states adopt similar rules.
While there is significant uncertainty in this fast-developing area of the law, organizations don’t have to sit back and wait for things to develop before they begin addressing data-breach-related risks. The first step is to consult with a privacy professional to develop and implement an appropriate data security plan for your organization. Frost Brown Todd’s Data Privacy and Security Team stands ready to help your organization meet these challenges and, if necessary, help manage any breach.
Douglas A. Gastright is a patent attorney with more than seven years of professional experience as a software developer in the Cincinnati area.