Duty To Safeguard Data

On November 21, 2018, the Pennsylvania Supreme Court decided the much anticipated case of Dittman v. UPMC, holding that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.

Lawyers who store sensitive information of employees or clients utilizing the cloud or a computer that is connected to the internet must immediately take heed of this decision and adopt reasonable safeguards to protect sensitive information. Lawyers who already have safeguards in place should reevaluate now and often in light of this decision.

This case arose when the personal and financial information of 62,000 UPMC employees and former employees was accessed and stolen from UPMC’s computer systems. Some of the data was utilized to file fraudulent tax returns on behalf of the victimized employees, resulting in actual damages. Other employees averred they were at risk in the future. The employees asserted a negligence claim and breach of implied contract claim asserting that UPMC had a duty to exercise reasonable care to protect their personal and financial information within its possession or control from being compromised, lost, stolen, misused and/or disclosed to unauthorized parties.

The trial court dismissed the case, declining to recognize a duty of care. Of importance to its decision, the trial court recognized that the Pennsylvania Legislature has imposed a statutory duty on entities to provide notice of a data breach only. In a split opinion, a panel of the Superior Court affirmed, finding also that no duty was owed by UPMC.

In its decision reversing the trial court and vacating the Superior Court, the Supreme Court agreed with the employees’ position that they were not advocating for the creation of a new duty of care, but for the application of an existing common law duty to a novel factual scenario. By adopting this analysis, the Court avoided a full-blown public policy assessment, as might be required in the event of a newly recognized duty. The duties, as averred by the plaintiffs, included:

  • Designing, maintaining and testing security systems; and
  • Implementing processes that would timely detect a breach.

Although the Dittman plaintiffs have simply earned the right to proceed at this stage of the litigation, the following types of conduct are what the Court found sufficient to state a claim if proven: 1) failing to adopt, implement and maintain adequate security measures to safeguard information; 2) failing to adequately monitor the security of its network; 3) failing to recognize the breach in a timely manner; and 4) violating current data security industry standards, including use of encryption, adequate firewalls and adequate authentication protocol.

Lawyers must not ignore their obligation to safeguard information. To the extent there was any room for doubt as to a lawyer’s ethical duty to safeguard information, the Supreme Court, which has the exclusive authority to regulate the conduct of Pennsylvania lawyers, has spoken. In addition, a lawyer can be exposed to third-party tort liability in the event of a breach of client and employee data if reasonable safeguards are not in place.

For the full Supreme Court Opinion, inclusive of the Court’s analysis and rejection of the economic loss doctrine, follow this link: Dittman.