Recently, in Dittman v. UPMC, the Pennsylvania Supreme Court ruled that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. This decision paves the way for a much broader application because the case was decided based on the mere act of collecting and storing sensitive information (and not the employer/employee context).
The case relates to a data breach of the University of Pittsburgh Medical Center’s (UPMC) network and the theft of sensitive personal information belonging to more than 60,000 employees (e.g., Social Security numbers, confidential tax information, and bank account information). The employees sued but lost in the trial court, which held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers.
The Supreme Court of Pennsylvania’s Decision
The Supreme Court of Pennsylvania reversed the ruling and stated that it was not creating a “new affirmative duty” under common law but instead was applying the “existing duty to a novel factual scenario.” According to the court, when an employer collects employee personal information it creates a foreseeable risk of a data breach (even by cybercriminals). As a result, the employer must secure its employees’ personal information “against an unreasonable risk of harm arising out of [the employer’s data collection practices].” The court concluded UPMC should have known that “a cybercriminal might take advantage of the vulnerabilities…and steal [its employees’] information; thus, the data breach was ‘within the scope of the risk created by’ UPMC.”
This case addressed common law negligence based on the general concept of negligence (something all states have), not a violation of a Pennsylvania statute. The same obligation could therefore be imposed on employers in any state. In states with a data security statute, such as California and Massachusetts, liability is even clearer: an employer that fails to comply with the statute and protect employee data can be found negligent on that basis.
More importantly, anyone who collects sensitive data in any context (employee, customer, vendor, partner, etc.) will be required to take appropriate measures to protect it.
Courts are finally catching up to statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Federal Trade Commission Act, and numerous state data breach notification laws that require companies to take “reasonable” security measures to protect sensitive information. If your company possesses sensitive employee or customer information (and it probably does) then you are probably legally required to protect it via “reasonable policies and procedures.”
The best way to do this depends on the form the data takes. Focus on these four security aspects:
- Physical Security
Control access to files, rooms, and buildings where sensitive information is stored. Require employees to put files away, log off their computers, and lock their file cabinets and office doors when they are not in use.
- Electronic Security
Computer security isn’t just an IT issue; every employee contributes to keeping the company electronically secure. Consider implementing firewalls, password management, anti-virus, encryption, a patching program, and two-factor authentication as appropriate.
Intrusion (breach) detection is an important part of electronic security as well. A good intrusion detection program monitors incoming and outgoing traffic, and maintains and regularly reviews centralized security log files.
- Employee Training
A well-trained workforce is the best defense against a data breach. Create a “culture of security” through regular employee training and teach employees about the dangers of phishing and other forms of social engineering—the leading data breach causes.
- Vendor Management
Ask potential vendors about their security policies and procedures. Get all answers and representations in writing before retaining them. Also, obligate them to notify you immediately if they experience a data security incident.
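The intrusion detection point under electronic security (maintain central security logs and actually review them) is easier to act on with a concrete illustration. The script below is an added example, not code from the original article or from UPMC; it reviews a constructed, syslog-style central log and flags two patterns worth an analyst's attention: a burst of failed logins followed by a success for the same account and source, and an unusually large outbound transfer to an address outside an assumed internal range. The log format, field names, host names, thresholds and the "10." internal prefix are all illustrative assumptions.

```python
"""Minimal central-log review: flag failed-login bursts and unusual outbound transfers.

Added example (not from the original article). Assumes a central log whose
lines follow the constructed format shown in SAMPLE_LOG; field names, hosts,
thresholds and the internal address prefix are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed line format:
# "<ISO timestamp> <host> <event> user=<name> src=<ip> [bytes=<n> dst=<ip>]"
SAMPLE_LOG = """\
2024-03-01T08:00:01 hr-db-01 auth_fail user=jsmith src=203.0.113.5
2024-03-01T08:00:03 hr-db-01 auth_fail user=jsmith src=203.0.113.5
2024-03-01T08:00:05 hr-db-01 auth_fail user=jsmith src=203.0.113.5
2024-03-01T08:00:07 hr-db-01 auth_fail user=jsmith src=203.0.113.5
2024-03-01T08:00:09 hr-db-01 auth_fail user=jsmith src=203.0.113.5
2024-03-01T08:00:11 hr-db-01 auth_ok user=jsmith src=203.0.113.5
2024-03-01T08:05:00 hr-db-01 outbound user=jsmith src=10.0.0.12 bytes=734003200 dst=198.51.100.7
2024-03-01T09:12:44 payroll-01 auth_fail user=akim src=10.0.0.33
2024-03-01T09:12:50 payroll-01 auth_ok user=akim src=10.0.0.33
2024-03-01T09:20:00 payroll-01 outbound user=akim src=10.0.0.33 bytes=20480 dst=10.0.0.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: bytes=(?P<bytes>\d+) dst=(?P<dst>\S+))?$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["bytes"] = int(d["bytes"]) if d["bytes"] else 0
        events.append(d)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return (user, src, host) tuples where at least `threshold` failures
    within `window` immediately precede a successful login."""
    findings = []
    fails = defaultdict(list)  # (user, src, host) -> timestamps of recent failures
    for e in events:
        key = (e["user"], e["src"], e["host"])
        if e["event"] == "auth_fail":
            fails[key].append(e["ts"])
        elif e["event"] == "auth_ok":
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append(key)
            fails[key].clear()  # a success resets the failure streak
    return findings


def find_large_outbound(events, internal_prefix="10.", limit_bytes=100 * 1024 * 1024):
    """Return (user, dst, bytes) for outbound transfers above `limit_bytes`
    to a destination outside the assumed internal address range."""
    return [
        (e["user"], e["dst"], e["bytes"])
        for e in events
        if e["event"] == "outbound"
        and e["bytes"] > limit_bytes
        and not e["dst"].startswith(internal_prefix)
    ]


def review(log_text):
    """Run both checks over a central log and return the findings."""
    events = parse(log_text)
    return {"bruteforce": find_bruteforce(events), "exfil": find_large_outbound(events)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        for item in items:
            print(f"ALERT {kind}: {item}")
```

On the constructed log this reports one credential-guessing success against hr-db-01 and one large transfer to an external address minutes later; the second, low-volume internal transfer by akim is not flagged. The thresholds are starting points to tune against your own baseline, and the review step is only useful if the central log is actually complete: a host that does not forward its logs is invisible to it.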