In Pennsylvania, Employers Have A Legal Duty To Protect Employee Data

November 29, 2018

On November 21, 2018, the Pennsylvania Supreme Court issued an opinion in the case of Dittman et al. v. UPMC holding that an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information.

The case arose from a class action suit filed in 2014 by employees and former employees of a large healthcare organization. The employees alleged that that a data breach had occurred through which the personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information of 62,000 of the organization’s employees and former employees was accessed and stolen from the employer’s computer systems. Employees further alleged that the stolen data, which consisted of information that the employer required employees to provide as a condition of their employment, was used to file fraudulent tax returns on behalf of the victimized employees, resulting in actual damages.

The employer brought preliminary objections to the employees’ complaint arguing, among other things, that analysis of the legal factors for creation of a duty between parties yielded a conclusion that no general duty by an employer to protect employee information exists. The employer also asserted that a duty to employees should not arise from the unforeseeable criminal acts of third parties. The trial court granted the employer’s preliminary objections and dismissed the employees’ claim. The Pennsylvania Superior Court affirmed the trial court’s decision.

In reversing the Superior Court, the Pennsylvania Supreme Court observed that “[W]e agree with Employees that, in collecting and storing Employees’ data on its computer systems, the employer owed the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act. Further, to the extent that the employer argues that the presence of third-party criminality in this case eliminates the duty it owes to Employees, we do not agree.”

The impact of the decision is that employers in Pennsylvania that require employees to provide sensitive personal information as a condition of employment may be exposed to claims by employees arising from a breach or compromise of that information, where the employers failed to exercise reasonable care to safeguard the employee data.

This Data Security & Privacy Alert is intended to keep readers current on developments in the data security & privacy world and in the law, and is not intended to be legal advice.  If you have any questions, please contact: Sandy B. Garfinkel, Chair of the firm’s Data Security & Privacy Group, at 412‐566‐6868 or

Share This Post