Groundbreaking Court Decision Creates Employer Liability to Employees Whose Data is Stolen

By: Joshua Glikin

The highest court in Pennsylvania recently laid the groundwork for a new type of employer liability that businesses around the country should not ignore. It found that an employer in Pennsylvania has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information that the employer stores on an internet-accessible computer system. Although the case holding applies only in Pennsylvania, there is no doubt that attorneys will urge other state courts to adopt the same or similar approach. Employers everywhere should, therefore, take heed and view the changing legal landscape as yet another reason to take reasonable measures to safeguard employee personal, financial, health and other sensitive information from hackers and unauthorized access.

The Pennsylvania case involved a class action lawsuit by a group of current and former University of Pittsburgh Medical Center employees whose data was stolen when UPMC’s computers were hacked. Some of that data was used to file fake tax returns on behalf of some of the employees. Importantly, UPMC required employees to provide certain personal information, including social security numbers, and stored that information on a server that was internet-accessible. The employees sued, alleging that because UPMC engaged in the affirmative act of collecting sensitive personal data and storing it on an internet-accessible system, UPMC also owed its employees (and former employees whose data it continued to maintain) a duty to exercise reasonable care under the circumstances, which includes taking reasonable measures to protect them from the foreseeable risk that third parties – hackers – would attempt to access and steal the information. They alleged that ‘reasonable measures’ include abiding by current data security industry standards, such as encrypting data, establishing adequate firewalls, and implementing adequate authentication protocols. They asserted that UPMC did not do any of these things.

Before the case reached Pennsylvania’s highest court, several lower courts had dismissed the Plaintiffs’ claims for a number of reasons, including that: (1) UPMC could not be held liable for the criminal conduct of third parties; (2) imposing hacker liability on employers might cause a flood of copycat cases that the courts could not handle, and that might put companies out of business; (3) employers already had sufficient incentives to protect personal data; and (4) it is not possible to prevent all data breaches, even if cost were not an issue. The Pennsylvania Supreme Court rejected all of these reasons, finding that employers in today’s world – especially large employers with a lot of employee data – should foresee that hackers might target vulnerable computer systems to steal personal information. Thus, the Court held, it would be negligent for an employer not to take reasonable measures to prevent such thefts.

Of course, the case leaves a number of unanswered questions – perhaps the most important of which is “how much is enough” when it comes to investing in security, and whether what is reasonable might vary depending on the size and resources of the employer. For example, should a small business with only a handful of employees be required to pay for and maintain the same levels of security as a large employer like UPMC? Is the risk that a hacker would spend time trying to steal sensitive data for a few employees from a small business foreseeable? Is this case limited to the fact that social security numbers were being used and stored with limited security measures? And should it be limited to hackers, and not to unauthorized access or disclosures from within an employer? And what if the employees suffered no actual damage from the theft of their sensitive information? In the Pennsylvania case, some employees had alleged that their stolen information was used to file false tax returns in their names, but would a showing of that type of harm be necessary in every case?

The truth is, these issues will be addressed by various courts over the years, as more businesses are hacked and more employee data is stolen. But it’s equally true that employers should rely on the advice of data security experts to determine what types of security measures are reasonable under the circumstances. Employers may also want to carefully consider how much sensitive data about employees is stored on their internal and cloud-based computer systems. Employers also should routinely review their security measures and update them frequently so that they remain current with industry standards and trends. After all, no one wants to be the defendant in a test case in a different state.

At Bowie & Jensen we have a team of seasoned, multidisciplinary attorneys who are prepared to face these emerging challenges. We can help employers prepare for them while limiting their risk when they occur. We also have a team that can step in while a hack is occurring to mitigate and resolve the matter as quickly as possible while reducing the client’s risk. We are also prepared for these types of lawsuits when they arrive, since we have been at the forefront of these issues over the decades and have experience litigating in courts around the nation.

For more information, contact the attorneys at Bowie & Jensen, LLC today.