In a ruling that should make employers everywhere sit up and take notice, the Pennsylvania Supreme Court recently decided that workers could bring a negligence claim (in other words, a lawsuit alleging that they were hurt by their employer’s unreasonable carelessness) against their employer over a data breach that compromised their personal information.
The case involved more than 60,000 current and former employees of the University of Pittsburgh Medical Center (UPMC). Hackers broke into UPMC's computer systems and stole employees' names, birthdates, Social Security numbers, salary records, bank information and tax information. The hackers then used this information to file false tax returns in employees' names in order to receive tax refunds.
The employees brought a lawsuit against UPMC in state court seeking to be compensated for damages stemming from the fraudulent returns and the increased exposure to identity theft that the breach caused them. According to the employees, proper firewalls, data encryption and stronger authentication protocols could have prevented the harm. They also argued that they were required to provide information to the employer as a condition of employment, giving the employer a duty to safeguard the information.
UPMC moved to have the case thrown out, arguing that state law doesn’t recognize negligence claims by employees in situations that don’t involve any physical injury or property damage. Because this case only involved economic losses, it had to be dismissed, UPMC argued.
The trial judge agreed and dismissed the lawsuit, and a midlevel appeals court affirmed the decision.
But the Pennsylvania Supreme Court reversed the ruling and ordered that the suit be reinstated. According to the high court, the duty to act with reasonable care toward those who could foreseeably be hurt by your failure to do so applied to this situation.
This is one decision by a court in one state. However, this reasoning could potentially apply elsewhere too. Call an employment lawyer in your state to discuss your own data-security issues and what kinds of legal exposure they could potentially create for you.