The Pennsylvania Supreme Court recently issued an opinion in the case of Dittman et al. v. the University of Pittsburgh Medical Center (UPMC), holding that an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information.
The high court overturned lower court rulings and held that the employees may pursue a negligence claim.
In 2014, employees of UPMC and the University of Pennsylvania Medical Center McKeesport filed a class action charging negligence and breach of contract in connection with a data breach. The employees alleged that the breach resulted in the personal and financial information of 62,000 of the organization’s employees and former employees being accessed and stolen from the employer’s computer systems and that the information was used to file fraudulent tax returns on behalf of the victimized employees.
The employer brought preliminary objections arguing that no general duty by an employer to protect employee information exists. The employer also argued that a duty to employees should not arise from the unforeseeable criminal acts of third parties.
The trial court granted the employer’s preliminary objections and dismissed the employees’ claim, and the Pennsylvania Superior Court affirmed the trial court’s decision.
“[W]e agree with Employees that, in collecting and storing Employees’ data on its computer systems, the employer owed the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act,” the Pennsylvania Supreme Court said in reversing the Superior Court. “Further, to the extent that the employer argues that the presence of third-party criminality in this case eliminates the duty it owes to Employees, we do not agree.”
The case was remanded for further proceedings.