PA Supreme Court rules businesses must protect workers' private data from breaches
What the Court Ruled
A recent Pennsylvania Supreme Court decision held that employers must protect their employees’ personal information from potential data breaches. In Dittman v. University of Pittsburgh Medical Center (UPMC), the Court ruled that employers have “a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.” UPMC employees alleged that a 2014 data breach at UPMC exposed personal and financial information that employees had been required to provide as a condition of their employment. The employees argued that because UPMC required this sensitive information as part of their employment, UPMC had a duty to protect it from unauthorized access. The Court agreed: because UPMC created the risk of the data breach in the first place, it owed its employees a duty to take reasonable steps to protect their personal data.
Unfortunately, the Court did not offer specific guidance on what reasonable steps employers should take. However, the Court held that failing to use common security measures such as “encrypting data properly, establishing adequate firewalls, and implementing adequate authentication protocol” could make the employer liable for stolen information.
The Bottom Line for Employers
Because of this decision, Pennsylvania employers are encouraged to review how they handle the collection and storage of sensitive employee information. It may be a good idea to consult with a cybersecurity specialist to implement any necessary changes. Employers can also review NFIB’s Guide to Developing a Document Retention Policy for best practices on retention of electronic and paper records.