The Pennsylvania Supreme Court Finds That Employers Have A Duty To Safeguard Their Employees’ Sensitive Data

November 30, 2018

A recent decision from the Pennsylvania Supreme Court came out the day before Thanksgiving this year, and it could be an early holiday present for Pennsylvania plaintiffs. In the case of Dittman v. University of Pittsburgh Medical Center, the Pennsylvania Supreme Court ruled that an employer does have a duty to protect electronically stored confidential information of its employees and that a claim for breach of that duty is not barred by the economic loss doctrine. The economic loss doctrine is a principle that, generally, purely economic losses are not recoverable in tort cases that do not involve damage to person or property.

The case involved a data breach that led to a release of personal information that employees were required to provide to their employer, the University of Pittsburgh Medical Center ("UPMC"). UPMC claimed that there was no duty in Pennsylvania law that was breached and that even if it had breached a duty, the employees' loss was purely economic and therefore non-recoverable. The trial court agreed and dismissed the employees' claims. The Pennsylvania Superior Court agreed and upheld the dismissal.

The Pennsylvania Supreme Court reversed and found that dismissal of the claims of the employees was improper. The Court stated that "[e]mployees have alleged…as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol." The Court concluded that "[e]mployees have sufficiently alleged that UPMC's affirmative conduct created the risk of a data breach. Thus, we agree with Employees that, in collecting and storing Employees' data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act."

The Court found further that Pennsylvania precedent does "not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages." The Court found that the source of the duty matters and if the source of the duty owed is contractual, the plaintiffs may not recover solely economic damages. However, because the "[e]mployees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems [and] this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar Employees' claim." The Court therefore found that the employees' claims could go forward as alleged and that they should have been given an opportunity to prove their claims.

Thus, the Court found that employers have a duty to protect confidential information that they collect from their employees. In addition, the Court clarified the longstanding "economic loss doctrine" in Pennsylvania in favor of plaintiffs. Employers in Pennsylvania should take note of this ruling and make sure that they have sufficient safeguards in place to protect the information of their employees. The lawyers at Conway Schadler have experience that can make the difference in these types of situations. Please contact our offices for a free consultation so we can discuss how this substantial experience can be used to your benefit.