A recent Pennsylvania Supreme Court decision makes it easier for employees to sue for damages resulting from data breaches of employer data systems. In light of the ruling, employers should review both their data security practices and the data they retain, to ensure they are not creating potential liability. Here's how the lawsuit came about:
Data breach at UPMC
In February 2014, employees from the University of Pittsburgh Medical Center notified the health system that fraudulent tax returns had been filed in their names. UPMC investigated and determined that its systems had been hacked.
Ultimately, the personal data of more than 62,000 current and former UPMC employees were at risk. Data stolen included personal information such as names, birth dates, Social Security numbers and addresses, as well as financial data such as tax forms and bank account information.
Breach of contract lawsuit
Barbara Dittman and six other UPMC employees filed a class-action suit alleging negligence and breach of implied contract.
UPMC moved to have the case dismissed, arguing that it did not breach any legal duty and that Pennsylvania's "economic loss doctrine" precluded any damages. The "economic loss doctrine" posits that no cause of action exists for negligence that results in purely economic losses that aren't accompanied by physical injury or property damage.
Both the trial court and an appeals court sided with UPMC, dismissing the case. The plaintiffs appealed to the Pennsylvania Supreme Court. (Dittman, et al. v. UPMC, Supreme Court of PA, WD, 2018)
The Supreme Court decision
The Pennsylvania Supreme Court agreed to address two issues on appeal:
Does an employer have a legal duty to use reasonable care to safeguard employees' sensitive personal information when the information is stored on an internet-accessible computer system?
Does the economic loss doctrine permit recovery for purely pecuniary damages that result from the breach of an independent legal duty arising under common law?
The Supreme Court determined that employers have a duty to use reasonable care to protect employee data on internet-accessible computer systems because they required employees to supply that data as a condition of employment. That duty includes using reasonable measures to protect the information from the foreseeable risk of a data breach.
The court also determined that the "economic loss doctrine" does not apply in all cases. The court said liability depends on "the source...