PA Supreme Court Finds Employers Must Protect Their Employees’ Personal Data
A few months ago I wrote about the Third Circuit Court of Appeals’ avoidance of ruling on whether employers have a duty to protect their employees’ personal information. We now have an answer to that question (at least in this Commonwealth) from Pennsylvania’s Supreme Court: Yes, yes they do.
On the eve of Thanksgiving the Pennsylvania Supreme Court released its decision in Dittman v. UPMC. This lawsuit was brought by employees of the University of Pittsburgh Medical Center over a data breach that leaked the employees’ names, birth dates, social security numbers, and bank account information. But the existence of a duty by UPMC to protect this personal information remained in doubt. The Court ended this debate by ruling:
an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.
For employees, this is a decision that should be heralded as an important protection against identity theft. After all, what choice does an employee have but to give personal data to their employer? That the employer must protect that information is just common sense.
For employers, it means protecting internal employee information is as much of a priority as protecting customer data. While at first blush that seems like a heavier burden, maintaining better security over one data set is likely to impact both. If a hacker accesses your systems, do you really expect them to target only employee data and leave customer data alone? Of course not; a breach of one is likely to become a breach of both. So it remains essential you keep up with the evolving world of cybersecurity threats.
Have you experienced identity theft you believe was caused by your employer’s failure to protect your information? Or are you worried about potential liability for your business because of the employee data in your possession? After the Pennsylvania Supreme Court’s recent ruling, either of these should lead you to speak with your technology law attorney.