
Pennsylvania Supreme Court Whacks Employers With Duty to Protect

In a case that we have been watching for a couple of years, the Pennsylvania Supreme Court just ruled unanimously that employers have a common law duty to protect information given to them by employees, and that employees can sue even if the only damage is economic.

With that hammer, the Pennsylvania Supreme Court made a significant change to the cyber breach landscape, even beyond the borders of the Commonwealth of Pennsylvania.

The decision stems from a 2014 breach at the University of Pennsylvania Medical Center (UPMC) that compromised the personal information of over 60,000 employees. The data stolen included the normal stuff like names, addresses and Social Security numbers, but also included bank account information, tax returns and income history.

The plaintiffs sought damages for economic losses from the filing of fraudulent tax returns as well as the imminent risk of identity theft.

The Allegheny County Court of Common Pleas dismissed the case because, they said, Pennsylvania law did not recognize a duty [for employers] to secure employee data held in Internet-accessible computers, and the courts should not create a new affirmative duty of care. That decision, in 2015, hurt my brain, but I am used to courts doing seemingly strange things. The court reasoned that recognizing a duty for employers to protect employee data might generate hundreds of thousands of lawsuits. An alternative conclusion could be that if employers were held responsible, employers might decide that it is cheaper to protect the data than not to protect it.

Either speculation could be equally valid, but both are completely ungrounded guesses.

I am not sure, but I don’t think that courts are allowed to make decisions based on how much work that decision could, possibly, cause for the court in the future.

The Superior Court affirmed the dismissal on appeal.

Fast forward a couple of years and the case came before the Pennsylvania Supreme Court.

The Supremes kind of held a different view.

They said that an employer has a common law duty to use reasonable care (undefined term) to safeguard employees’ personal information stored on an Internet-accessible computer. They also said that Pennsylvania’s economic loss doctrine permits recovery of financial damages as a result of such negligence.

In another whack at UPMC, the Supremes said that UPMC should have realized that cyber-criminals might take advantage of vulnerabilities in UPMC’s computer system and steal information.

That is a profound thought, even for a court.

So what are the implications to businesses?

At a minimum, for businesses of any kind that have employees or customers in Pennsylvania, inadequate cybersecurity practices that caused or allowed a breach are now grounds for a negligence claim.

The court also says that the very act of collecting and storing data creates a common law duty to protect it.

It is also likely that plaintiffs in other states will point to this decision to educate other courts, even though the decision is not binding on those courts.

As I have been saying, the courts are coming around to the thinking that companies have a duty to protect your information if they choose to collect it.

This is an important piece of the cyber liability puzzle as court precedent continues to expand, and it would be wise for employers to take this decision seriously.


See the National Law Review article for more details.