A court in Pennsylvania recently held that an employer has no legal duty to act reasonably in managing its computer systems to safeguard sensitive personal information collected from its employees, even when the employer elects, for its own business efficiencies, to store and manage that sensitive employee data on an internet-accessible computer system and leaves it vulnerable to computer hackers in the absence of reasonable safeguards. In an appeal from an Order of the Court of Common Pleas of Allegheny County, PA, a Superior Court panel upheld the finding that the University of Pittsburgh Medical Center (UPMC) owed no duty under Pennsylvania law to safeguard sensitive employee electronic information. In a data breach, the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 current and former UPMC employees were accessed and stolen from UPMC’s computer systems. The plaintiffs claim that the stolen information was used to file fraudulent tax returns and steal the tax refunds of certain employees. The digitally stored data consisted of personal information that UPMC required employees to provide as a condition of their employment. The Court applied a five-factor test to determine whether UPMC, as an employer, had a legal duty to its employees to safeguard their sensitive electronic information:
- the relationship between the parties;
- the social utility of the actor’s conduct;
- the nature of the risk imposed and foreseeability of the harm incurred;
- the consequences of imposing a duty upon the actor; and,
- the overall public interest in the proposed solution.
The Superior Court upheld the lower court’s ruling that the fourth and fifth factors were controlling and “weighed in favor of not imposing a duty on UPMC.” The Court recognized that “data breaches are widespread.” However, the Court stated that “[n]o judicially created duty of care is needed to incentivize companies to protect their confidential information.” The Court further stated that “[e]mployers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.” However, ultimately, the Court held “[w]e find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether.” This result is surprising and may not hold up on appeal. The result would probably not be the same if the employees claimed injury from a fire at their place of employment.