Pennsylvania Superior Court Finds Employers Have No Duty to Protect Electronically Stored Personal Information

In Dittman v. UPMC,  breach of contract and negligence actions were brought against an employer when employees’ personal information was stolen from the employer’s computer system and used to file fraudulent tax returns and steal tax refunds.  Particularly, the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 UPMC employees and former employees were accessed and stolen from UPMC’s computer system.  The information stolen was personal information that UPMC required employees to provide as a condition of employment.

The employees filed a class action lawsuit, arguing that UPMC had a legal duty to protect their personal and financial information and that UPMC failed to properly encrypt the data and establish adequate firewalls to protect the information in its network.  UPMC filed preliminary objections to the complaint, arguing that the employees lacked standing to assert these claims on behalf of an individual who had not yet been injured and that the negligence and breach of contract claims failed as a matter of law.  The trial court sustained the preliminary objections and dismissed the claims.

On appeal, the Superior Court agreed with the trial court that UPMC did not owe a duty of reasonable care in its collection and storage of the employees’ data.  In coming to that conclusion, the Superior Court weighed five factors.  First, the Superior Court found that the relationship between the parties, that of employer and employee, weighed in favor of imposing a duty on the employer.  Second, the Court reasoned that employers have an obvious need to collect and electronically store the personal information of their employees.  Although the foreseeability of a data breach is a substantial risk, the utility of electronically storing information outweighs the risk.  Next, the Court reasoned that it was unnecessary to have a judicially imposed duty requiring employers to incur significant costs to increase security when there is not true way to prevent security breaches altogether.  Finally, the Court found that it was not in the public interest to impose a duty and expend judicial resources, as there was already legislature to  address the issue.

Thanks to Alexandra Perry for her contribution to this post and please write to Mike Bono if you would like more information.