The Superior Court balanced the value of employers storing employee data electronically against the risk of data breaches and hacking, concluding that: "Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information." This practical rationale acknowledged that because "there is no true way to prevent data breaches altogether," it is "unnecessary to require employers to incur potentially significant costs to increase security measures." Further, the Superior Court refused to create a judicially-imposed duty of care for employers, finding that companies do not need extra incentive to protect their current and former employees' confidential information. It was noted that Pennsylvania already has statutory safeguards, the Breach of Personal Information Notification Act, in place to prevent the disclosure of confidential employee information.
This decision, and its implications for how courts will likely handle future cases involving breaches of human resource databases, should be encouraging to employers. However, employers should take reasonable steps to address hacking issues because, as the Superior Court's opinion illustrates, courts will apply to data breach suits a balancing test that weighs numerous factors on a case-by-case basis. That is, the factual circumstances of a particular data breach may result in a court finding that the employer owed a duty of reasonable care to its current and former employees.
In light of Dittman v. UPMC, employers maintaining confidential employee information electronically should:
• Realize that hackers may target your Human Resources database;
• Talk to your electronic security and IT personnel regarding the risks of hacking and data breach;
• Obtain and maintain the best electronic data security you can afford;
• Institute monitoring protocols to ensure that in the event of a data breach you will be made aware of such breach promptly; and
• Know your legal obligations regarding notification of current and former employees in the event of a data breach.
If you have any questions about employer obligations regarding data breaches of electronically stored employee information, contact Andrew Ruxton at (412) 394-2573 | email@example.com, or another member of Clark Hill's Labor and Employment Practice Group.