The recent Pennsylvania Supreme Court landmark decision in Dittman v. UPMC established a common law duty on the part of Pennsylvania employers “to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an Internet-accessible computer system.” 196 A.3d 1036, 1038 (Pa. 2018). The decision saved from dismissal a putative class action premised on claims of negligence and breach of implied contract. The employees claimed that their sensitive personal identifying information (PII) was stolen from UPMC following a criminal hack. Id. at 1038-39. The Dittman court held that Pennsylvania common law required employers who affirmatively undertake the collection and storage of their employees’ sensitive PII to implement “reasonable care” and “adequate” security measures. Id. at 1048. The opinion suggests that the duty of reasonable care includes encrypting, establishing “adequate” firewalls, and implementing “adequate authentication protocol[s].” Id.

The Dittman court expressly disavowed any intention to create new affirmative duties under the law; rather, it emphasized that the holding was applying the Restatement (Second) of Torts §302 requiring protection and reasonable care where an actor engages in affirmative conduct. Id. However, as the Dittman court correctly observed in reviewing UPMC’s arguments, the Pennsylvania Legislature, by statute, chose to create only a duty of notice on the part of employers experiencing breaches. See id. at 1041 (citing Pennsylvania’s Data Breach Act, 73 P.S. §§2301-2309). Clearly then, Dittman does recognize obligations on the part of Pennsylvania employers not embodied by prior Pennsylvania statute or case law.

The Legislative/Regulatory Approach
