When a data breach occurs at a company, not only is customer data vulnerable but so is employee information. But what obligations do employers owe their employees?
This issue was recently decided in part, at least with respect to Pennsylvania employers, in Dittman v. UPMC, 43 WAP 2017, 2018 WL 6072199, at *14 (Pa. Nov. 21, 2018). In Dittman, a group of employees sued their employer, the University of Pittsburg Medical Center, for failure to take reasonable care to protect their personal private information. On appeal, the Supreme Court of Pennsylvania overturned the decision of the lower court and held that an employer owes a common law duty of care to its employees to use reasonable care to safeguard their sensitive data as stored on the employer’s internet-accessible computer system. Notably, the employees’ position was not that the employer engaged in any misfeasance, but nonfeasance for failure to prevent the harm from occurring. The Supreme Court found that the mere fact that third parties committed the wrongdoing – the data breach – did not negate the duty of the employer to safeguard the employees’ sensitive information that they were required to provide the employer as a condition of employment.
The Dittman case is certainly not the first time a group of employees sued an employer based upon a data breach of the employer’s computer system that resulted in the disclosure of the employees’ personally identifiable information. In Sackin v. TransPerfect Global, Inc., 278 F. Supp. 739 (S.D.N.Y. 2017), the employer moved to dismiss a class action filed by the employees, which motion was denied, in part. Among other things, the district court found that the complaint sufficiently stated a cause of action for breach of common law duty of care and that the employer violated its duty to take reasonable steps to protect the employees’ data. The court also found that a viable cause of action existed for breach of the implied contract between the employer and employees, but not for breach of the terms of the employment contract. With respect to the former, the conduct and course of dealing between the parties was deemed to rise to the level of an implied contract because, as a prerequisite of employment, the employees were required to provide the employer with certain sensitive data, and given how commonplace data and identity theft are in the current day and age, the court found an implied assent by the recipient to protect that data.