Are you adequately protecting your employees’ sensitive personal and financial data? The Pennsylvania Supreme Court recently ruled that an employer owes a “duty to exercise reasonable care to protect” employees against an unreasonable risk of harm arising out of the act of storing employees’ personal data in its computer systems. (Dittman v. UPMC, __ A.3d __, No. 43 WAP 2017, 2018 WL 6072199 (Pa. 2018))

In Dittman, a data breach occurred, and the personal and financial information of all 62,000 UPMC employees was stolen and used to file fraudulent tax returns in their names. This information included birth dates, Social Security numbers, addresses, tax information, and banking information, all of which the employer had required from the employees as a condition of employment.

The employer argued that any duty of reasonable care in protecting the information was eliminated by the “third-party criminality” of the party responsible for the theft. The Court disagreed. Where the employer “realized or should have realized the likelihood” that its own negligent conduct (here, storing the personal data with inadequate protections) could create a situation in which a third person might be afforded an opportunity to commit a tort or crime, the intervening criminal act does not eliminate the duty to protect that information. (Dittman at *17)

The Court did not prescribe which collection and storage safeguards would constitute “reasonable care,” either in this matter or in future ones. Are you doing enough? Call bit x bit to help determine how best to protect your employees’ data from theft. We provide essential services including information governance, risk assessment, and incident response planning.