Pennsylvania’s Highest Court Rules that Employers Have a Duty to Guard Their Employees’ Personal Data

By Phillip L. Hurst & Whitney A. Lee on January 14, 2019

On November 21, 2018, in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, the Supreme Court of Pennsylvania held that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on an internet-accessible computer.[1] Dittman is notable because it is the first time a state’s highest court has broadly held that a company owes a duty to its employees to protect the personal data it collects and stores about them. Also, by holding that the economic loss doctrine does not bar such a claim, the court opened the door to the recovery of purely pecuniary damages in data breach cases pleaded under a negligence theory. If the holding of Dittman is adopted by courts in other states, employers could face increased risk of financial liability following a data breach that compromises the personal information of employees.

Plaintiffs originally brought the action against UPMC d/b/a the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, “UPMC”) in June 2014, seeking to represent a class of current and former employees whose sensitive personal and financial information was compromised (and in some cases used to file false tax returns) following a data breach of UPMC’s systems. Plaintiffs brought a negligence claim, among others, alleging that UPMC had a duty to secure their information because it had required plaintiffs to provide the information as a condition of employment and breached that duty by failing to maintain adequate cybersecurity measures to safeguard their information.

The Pennsylvania Supreme Court reversed the trial court’s dismissal of plaintiffs’ negligence claim.[2] First, the court held that UPMC owed plaintiffs a duty of reasonable care to safeguard their personal information.[3] In doing so, the court rejected the trial court’s conclusion that any such duty would be newly created in the law. Instead, the court determined that plaintiffs’ claim merely applied a traditional duty of reasonable care to a novel factual circumstance—a criminal data breach of an employer’s computer system. The court held that UPMC’s collection of plaintiffs’ sensitive personal and financial information as a condition of employment was affirmative conduct that triggered a duty to exercise reasonable care to protect plaintiffs from risk. The court also held that the hacker’s criminal conduct did not eliminate UPMC’s duty because plaintiffs sufficiently alleged that UPMC created the risk by failing to implement adequate security measures.

Second, the court held that Pennsylvania economic loss doctrine did not bar the employees’ claim for purely economic damages. In rejecting UPMC’s assertion of the economic loss doctrine, the court held that UPMC’s duty to act with reasonable care in collecting and storing its employees’ sensitive data exists independently from any contractual obligations between the parties.[4]

Companies that collect and store employees’ personal data should be mindful of the reasonable care duty imposed by the court in Dittman—and which may be imposed by other courts and states in the future—as they create and implement policies regarding the protection of employee personal data. Pennsylvania’s ruling also caps off 2018 as a year marked by notable protections for employee data, including the passage of the California Consumer Privacy Act — which some have noted could include employees among the “consumers” whose data is protected[5] — and the FTC’s settlement with Uber for breaches involving the personal information of its drivers.


[1] Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).

[2] Id. at 1056.

[3] Id. at 1044-1048.

[4] Id. at 1048-1056.

[5] See California Consumer Privacy Act of 2018, as amended by SB 1121 (Sept. 2018) (to be codified at Cal. Civ. Code § 1798.140(g)) (defining consumer as “a natural person who is a California resident”); see also, e.g., Letter to Hon. Bill Dodd (Aug. 6, 2018), at 3 (noting definition of “consumer” is broad and proposing amendment to language to exclude employees), http://netchoice.org/wp-content/uploads/SB-1121-Final-Author-Coalition-Letter-2.8.7.2018.pdf.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Cleary Cybersecurity and Privacy Watch
  • Organization:
    Cleary Gottlieb Steen & Hamilton LLP
