May 28, 2019 Article

Cybersecurity Obligations and Best Practices for Employers

Be aware of the potential dangers of electronically storing employees’ personal information and of how to avoid liability.

By Alyssa M. Hicks

In this digital age, we are aware of the potential dangers of electronically storing our personal information. We all know someone that has been hacked, but do we think of these dangers in the context of providing our information to an employer? Probably not. Employers should be aware of the potential dangers of electronically storing employees’ personal information and of how to avoid liability.  

There is no definitive duty of care to protect employees' personal information, but that does not mean employers should not take the proper precautions. Employers store a wide variety of sensitive information, including tax documents, bank account information, benefits material, etc. This information can often include details about the employees' significant others and family members. With cybersecurity attacks on the rise, and many companies lacking the proper safeguards, employers need to reevaluate how they protect electronically stored sensitive information.

Recently, the Pennsylvania Supreme Court found that employers owe a duty of care when electronically storing their employees' personal information. In Dittman v. University of Pittsburgh Medical Center, a class of University of Pittsburgh Medical Center (UPMC) employees filed a negligence action alleging that UPMC breached a duty of care by not protecting their electronically stored information. 196 A.3d 1036. The class action lawsuit stems from a UPMC data breach that led to the fraudulent use of employee information on tax returns. Id. at 1037.

The Pennsylvania Supreme Court vacated the Superior Court's judgment and concluded that if an employer collects and electronically stores employees' sensitive personal information on an internet-accessible computer system, then the employer has a duty to protect that data from any foreseeable risk of harm. Id. at 1047. Like many employers, UPMC requested and then stored its employees' financial and personal information on an internet-accessible computer system without implementing adequate security measures to protect that information. Id. at 1037, 1056. As a result of the lack of proper safeguards, UPMC experienced a data breach and employees incurred damages. Id. at 1037. The court agreed with the employees that a data breach of their electronically stored information was within the scope of the risk created by UPMC's affirmative act, collecting and storing their information, and thus UPMC violated its duty to use reasonable care. Id. at 1056.

The court further denied UPMC's argument that the economic loss doctrine precluded the employees’ requested damages. Id. at 1056. The court opined that "recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract," as was the case here. Id. at 1038. Thus, if employees can establish that an employer had a duty to protect electronically stored information and the employer breached that duty, then the employees may recover for purely pecuniary damages.  

This may be the start of a trend across the United States toward increased cybersecurity obligations for employers. The United States District Court for the Northern District of California, in Castillo v. Seagate Tech., LLC, also found that the employer owed a duty of care. 2016 U.S. Dist. LEXIS 187428 *13. Although the court concluded that the plaintiffs had not properly demonstrated damages, it did conclude that when the employer "asked for and obtained the personal identifying information of its employees . . . it assumed a duty to protect that information . . . ." Id. at *13-14.

As a general matter, cybersecurity litigation is increasing and is easier to pursue. Employers need to be on notice that cybersecurity liability may extend beyond their customers to their employees. An employer should not only make sure it possesses the proper safeguards to protect sensitive information, but also make sure to educate its employees on computer use.

It is important to develop policies regarding internet use and then properly train employees on these policies. Employee training should discuss actions that amount to cyber risks, including general internet use, downloading information and programs, and phishing/fraudulent email solicitations. Opening Word documents from unknown sources can lead to an attack. Phishing is one of the largest causes of security breaches and should not be overlooked when training employees. Simple acts like instructing employees to change passwords frequently, monitoring internet use, and removing outdated sensitive information can all make an impact on decreasing cybersecurity liability.

All employers should be on notice that courts are willing to protect employees’ electronically stored information if the employer is not properly protecting personal information. Employers that request such information need to ensure they do not breach their duty of care by assessing how the information is being stored and if the proper safeguards are in place to prevent data breaches. 

Alyssa M. Hicks is an associate attorney at Norris McLaughlin in Allentown, Pennsylvania.

Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).