Securing Employee Data - The Duty of Care
The Pennsylvania Supreme Court has ruled that an employer that collected and stored employee data on its computer systems owed employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm. In addition, the Court found that the economic loss doctrine is not a blanket prohibition of negligence claims seeking purely economic damages. The case, Dittman v. UPMC, _A.3d_, No. 43 WAP 2017, 2018 WL 6072199 (Pa. 2018), dealt with employees of UPMC who were required to provide UPMC with personal information. The electronic system that UPMC used to store the personal information experienced a breach resulting in unauthorized access to the employees’ personal and financial information, which led to identity theft and related damages. UPMC sought to dismiss the case based on the economic loss doctrine, claiming that no cause of action exists for a negligence claim that results solely in economic damages where there is no physical injury or property damage. The lower courts agreed with UPMC, and the plaintiffs appealed to the Supreme Court.
The Supreme Court did not determine whether UPMC breached the duty of care or signal what is reasonable in protecting employee data, but it did make clear that an employer that requires its employees to provide personal information owes a duty to exercise reasonable care to protect them against an unreasonable risk of harm. One could argue that this duty of care could be extended to companies that require customers to provide personal information. A lot of focus has been placed on regulatory compliance, but the risk of litigation and harm to both employees and customers further supports the notion that security needs to be a top priority for companies.
Written by Emily McNeeley, CIPP/US, Attorney, Intuitive Edge Team