Pennsylvania Supreme Court Rules In Favor Of Data Breach Plaintiffs
Todd Rowe of law firm Tressler LLP has posted about a Supreme Court decision from last month that found employers have a duty to safeguard employees’ personal information. The case is Dittman v. The Univ. of Pittsburgh Medical Center, decided 11/21/18. This was a class action alleging the Medical Center breached the personal information of its 62,000 employees, who were required to provide personal information as a condition of their employment. The employees claimed this information was used (by third-party criminals) to file fraudulent tax returns.
The Supreme Court made two holdings:
- An employer has a duty to use reasonable care to safeguard employee personal information. The Medical Center claimed it was not responsible for a third-party breach and did not create the risk of harm. The Court rejected this position and found the Medical Center did not take adequate security measures.
- The “economic loss” doctrine did not bar recovery for damages. The Medical Center’s duty to secure employee personal information was independent of any contractual obligation to its employees.
The Court did not directly address the factual question of whether there was a causal link between the breach and the employees’ allegations.
The implication of this decision is that organizations are at risk of suits for failure to provide adequate security for personal information. It is a safe assumption that the duty recognized in Dittman will be applied to anyone’s protected personal information, not just employees. All organizations should strive for data security that meets best practices. As a backup, purchase cyber insurance to cover security and privacy liability (including coverage for class action suits) and the costs of breach notification and monitoring.