The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

Skip to Content

Building an Ark: Protecting Employee Data in the Data-Breach Era

Recent years have seen not so much a leak as a flood of data breaches affecting companies nationwide. But the traditional systems devised to safeguard against data breaches won’t withstand the vulnerabilities created when information is shared with third-party providers. And although companies are somewhat buoyed by legislation to protect against cyberattacks, companies are often left adrift in a sea of uncertainty as the wave of cybersecurity risks threatens to rise.

As risk levels rise, however, so too does an employer’s responsibility to re-evaluate its data security practices. On November 21, 2018, in Dittman v. UPMC, the Pennsylvania Supreme Court held that employers have a common-law duty to protect their employees’ sensitive personal information stored on an internet-accessible computer.

In Dittman, a group of employees filed a class action lawsuit against their employer after a data breach resulted in the theft of sensitive personal information of thousands of employees. The stolen information, which the employees were required to provide as a condition of employment, was stored on the employer’s computer systems and ultimately used to file fraudulent tax returns, resulting in damages to the employees. The employees asserted claims of negligence and breach of implied contract, alleging that the employer failed to maintain adequate security measures — including in accordance with industry standards on cybersecurity — to safeguard employees’ information.

The trial court dismissed the case, holding that the economic-loss doctrine, as decided in prior appellate rulings, precluded the employees’ claims, which asserted solely economic losses. The trial court also declined to impose a new affirmative duty of care to protect data, noting that the financial impact of doing so could put entities out of business. On appeal, the Superior Court upheld the dismissal and held that the trial court properly determined that the employer owed no duty to its employees under Pennsylvania law.

The Pennsylvania Supreme Court reversed the lower courts’ decisions, applying an existing duty of care to a novel factual scenario, and held that the employer’s affirmative conduct in requiring its employees to provide personal information as a condition of employment gave rise to a duty to exercise reasonable care to safeguard that information. The duty of reasonable care includes a duty to implement reasonable security measures to protect against the foreseeable risk of a data breach, especially considering that an employer’s inadequate data collection and storage practices evidently create the risk of a data breach.

Dittman has been touted as a warning to employers — but the decision has ramifications beyond those with an employer-employee relationship. Any service provider hosting or handling employee data should take heed. Therefore, it has become even more imperative that employers address the vulnerabilities created by information sharing with third-party product and service providers. And especially in industries where there is no established regulatory framework outlining specific requirements, Dittman is clear: build a better boat.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.