Pennsylvania Says Employers Are Liable For Breach of Employee Data – Is Minnesota Next?

The Pennsylvania Supreme Court just ruled that employers may be liable for not using reasonable care to protect employee information stored on their computers.  Might Minnesota courts do the same?

In what is believed to be the first time that the highest court of a state has addressed the issue, the Pennsylvania Supreme Court took a bold new step in data breach litigation in ruling that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an internet-accessible computer.

While most of us assume that employers do seek to protect such information, there is a big difference between that assumption and an actual legal duty to do so. Pennsylvania has now imposed that legal obligation upon employers in that state and their employees can now sue if there is a breach.

What Happened?

In 2014, the University of Pittsburgh Medical Center (UPMC) experienced a data breach involving the theft of confidential information of 62,000 employees.  The breach included Social Security numbers, birthdates, addresses, and bank account information.  The employees filed a lawsuit alleging negligence, invasion of privacy, and breach of implied contract.  As part of their negligence claim, the employees alleged that UPMC breached its common law duty to use reasonable care to secure their personal information.

The case was initially dismissed because the trial court decided that Pennsylvania law did not recognize a legal duty to secure employee data.  The first level of appellate court, the Superior Court of Pennsylvania, affirmed the dismissal.  However, on November 21, 2018, the Pennsylvania Supreme Court unanimously reversed and remanded the case back to the trial court to evaluate the claims under this newly recognized legal duty.

Legal eagles believe this new decision may have a significant impact on cybersecurity-related litigation, and not just in Pennsylvania.  Since the Pennsylvania Supreme Court determined that common law negligence is a viable cause of action for inadequate data security, other states may also find that their negligence laws provide similar paths to recovery.  Minnesota certainly recognizes the common law claim of negligence so it is possible that our courts will follow Pennsylvania’s lead and impose a common law duty on employers in the Gopher State to protect personal information.

Bottom Line

All employers should evaluate their current cybersecurity policies and procedures to ensure that they are taking reasonable measures to protect employees’ personal information.  It is generally most cost effective for employers to work proactively to mitigate the risk of a breach by putting reasonable security measures in place before an incident occurs. Such measures include both traditional safeguards (policies, training, and access controls) and technology-based solutions.

Similarly, if an employer has employees in various states, and/or internationally (particularly the European Union), additional risk factors should be carefully analyzed and appropriate compliance programs implemented.