In this day and age, employers routinely store confidential employee information electronically. This information may consist of employees’ names, addresses, phone numbers, social security numbers, birth dates and bank account information.
The efficiencies of storing this information electronically are undisputed. However, a recent Pennsylvania Supreme Court decision makes clear that storing this information electronically places a duty of care on employers.
In the decision, known as Dittman, et al. v. UPMC, the Pennsylvania Supreme Court held that an employer has an affirmative duty to protect employees’ personal and financial information that is stored electronically.
The Pennsylvania Supreme Court specifically rejected the employer’s argument that the disclosure of the employees’ personal and financial information was the product of criminal activity; the employer’s computer system had been “hacked” by a third party. The Court held that, in this day and age, it is foreseeable that electronically stored information may be “hacked” and that employers must implement safeguards against this type of foreseeable criminal activity.
The Pennsylvania Supreme Court did not address what type of safeguards must be implemented in order to shield an employer from a negligence or breach of contract claim.
The plaintiffs in the Dittman case alleged that the employer, UPMC, not only failed to properly encrypt the confidential employee data, but also failed to establish adequate firewalls and to implement authentication protocols to protect the confidential information maintained within UPMC’s computer network, which resulted in 27,000 employees’ personal and financial information being compromised.
Additionally, 788 employees were alleged to have been the victims of tax fraud due to a third party “hacking” into UPMC’s network and stealing the information. The “hackers” used the employees’ stolen data to file fraudulent tax returns and receive tax refunds under the victims’ names and social security numbers.
In ruling that UPMC had an affirmative duty of care, the Pennsylvania Supreme Court also rejected UPMC’s argument that employees are unable to recover monetary damages since their damages were purely pecuniary.
This ruling clarifies prior appellate court decisions, which generally held that any negligence-based claim, such as a breach of a duty of care, must include damages of personal injury or property damage. The plaintiffs in the Dittman case argued not only that the nature of the employer/employee relationship warrants imposition of a duty of care, but also that the employer’s decision to increase efficiencies by storing employees’ personal and financial information electronically was a business decision with no social utility, which warranted an award of damages. The plaintiffs also argued that the breach and resulting damages were not only foreseeable, but that public policy requires imposing this duty of care upon employers.
The Pennsylvania Supreme Court clearly is sending a strong message that employers must take affirmative steps to protect employees’ personal information. Since the Dittman case only addressed whether there was a duty of care, further details are unknown: the case has been returned to the trial court so that the parties can engage in the discovery process and, if the case does not settle, proceed to trial. It will be interesting to see how damages are quantified and how a jury weighs competing theories on damages.
For example, if an employee has been the victim of credit card fraud because someone hacked into an employer’s computer system, how is the employee to be compensated? Likewise, how is the employee to be compensated if information about a medical condition is obtained and subsequently published by someone hacking into an employer’s computer system?
The Pennsylvania Supreme Court’s decision is silent as to how long after an employer’s system is hacked it can be held liable. Normally, one must bring an action within two years of the negligent act(s). However, if a computer system is “hacked” in 2018, and an employee’s personal information is used in a credit card scam in 2025 that is based upon the information “hacked” in 2018, can the employer be held liable?
While the ramifications of this decision will undoubtedly be tested in future cases, it is clear that employers must take reasonable steps to protect employees’ sensitive information that is stored electronically. This includes not only safeguarding employees’ social security numbers, home addresses, and dates of birth, but extends to medical information that an employer maintains because of an employee’s family medical leave request or accommodation.
Employers who provide self-insured health care benefits and electronically store claims-related information need to have systems in place to safeguard against the disclosure of sensitive medical information due to “hacking.” In so doing, employers should not only work with technology experts, but should also review whether existing insurance policies provide coverage for these types of claims.
Lastly, given this recent Pennsylvania Supreme Court decision, business owners would be wise to consult with an attorney so that exposure to this type of lawsuit is minimized. A lawsuit can not only be expensive to defend, but can also result in publicity that harms an employer’s business reputation.
Ellen Schurdak is a partner with KingSpry law firm in Bethlehem. She can be reached at firstname.lastname@example.org.