On November 21, 2018, the Pennsylvania Supreme Court held, in Dittman v. UPMC, No. 43 WAP 2017 (2018), that employers have a legal duty to use reasonable care to safeguard their employees’ sensitive personal information stored by the employer on an internet-accessible computer system, and that employees can recover damages for the breach of this duty.
The employees alleged that, because of a data breach, the personal and financial information of all 62,000 employees of UPMC was accessed and stolen. The information included names, birth dates, social security numbers, addresses, tax forms, and bank account information. This was information employees were required to provide to UPMC as a condition of employment.
The court held that the employees’ complaint had sufficiently alleged that UPMC had engaged in an affirmative action, by requiring that employees provide it with their personal and financial information. The court held that a possible breach of information was reasonably foreseeable, and that the employer therefore had the duty to provide adequate security measures, such as proper encryption, adequate firewalls, and an adequate authentication protocol. The court held that “in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” Id. at 17.
The employer had argued that it could not be held responsible for the criminal acts of the third party which had actually stolen the information. The court disagreed, stating that, to the extent UPMC failed to take adequate security measures to protect the employees’ information, the possibility of criminal acts of cyberhacking by third parties was foreseeable, and therefore did not relieve UPMC of its duty to protect the information. The employer also argued that no such liability was contemplated by the Pennsylvania legislature, which enacted the Data Breach Act, imposing only a duty to provide notification of a data breach. The court held that the Data Breach Act had no bearing on whether an entity also has a duty to exercise reasonable care to protect data from a breach.
The court also examined Pennsylvania’s economic loss doctrine, which generally permits claims to recover purely economic damages as long as the plaintiff can establish a breach of a legal duty independent of any contractual duties existing between the parties. The court held that, if a duty arises because of a contract between the parties, an action sounding in negligence will not lie. However, where there is no contract addressing the legal duty, a negligence claim based solely on economic damages is available.
Based on the allegations in the complaint, the court held that the employees’ action should move forward.
What Does This Mean For You?
The Pennsylvania Supreme Court has now recognized that employers who collect personal and financial information of employees have a duty to exercise reasonable care in the collection and storage of the information. You should review the types of information you require employees to provide. You should not ask for information that is not necessary. In addition, your company should review its IT policies, procedures and security precautions to make certain it has sufficient protections in place to prevent cyberhacking. While an initial IT audit is helpful, performing reviews of IT security precautions should be an ongoing process. Even if you outsource this function to a third party to administer, your company needs to ensure that the third party is taking sufficient precautions to prevent cyberhacking.
If you have any questions about this case or any other employment or labor law matters, please contact Whitney Rahman at 717-509-7237 or firstname.lastname@example.org, or Grace Nguyen Bond at 717-509-7226 or email@example.com.