Employers now have a duty to protect employees’ electronically held personal and financial information.
Until recently, it was unsettled whether an employer could be held liable for the disclosure of employees’ electronically held personal and financial information. The Pennsylvania Supreme Court, in its recent decision captioned as Dittman v. UPMC, held that an employer has an affirmative duty to protect employees’ personal and financial information that is stored electronically.
In making this ruling, the Supreme Court specifically rejected the employer’s argument that the disclosure of the employees’ personal and financial information was the product of criminal activity; the employer’s computer system had been “hacked” by a third party. The court held that, in this day and age, it is foreseeable that electronically stored information may be “hacked” and that employers must implement safeguards against this type of foreseeable, criminal activity.
The Supreme Court also rejected the employer’s argument that the employees are unable to recover monetary damages since the employee’s damages are purely pecuniary in nature. This ruling is a departure from prior rulings and sends a strong message from the Court that employers must take affirmative steps to protect employees’ personal information. Further details on this case are unknown since the case has been returned to the trial court.
It will be interesting to see how damages are quantified and how a jury weighs competing theories on damages. For example, if an employee has been the victim of credit card fraud because of someone hacking into an employer’s computer system, how is the employee to be compensated? Likewise, how is the employee to be compensated if a medical condition is obtained and subsequently published by someone hacking into an employer’s computer system?
The court’s decision is silent as to how long after an employer’s system is hacked the employer can be held liable. Normally, one must bring an action within two years of the negligent act(s). However, if a computer system is “hacked” in 2018, and an employee’s personal information is used in a credit card fraud scam in 2025 that is based upon the information “hacked” in 2018, can the employer be held liable?
While the ramifications of this decision will undoubtedly be tested in future cases, it is clear that employers must take reasonable steps to protect employees’ sensitive information that is stored electronically.
This includes not only safeguarding employees’ social security numbers, home addresses, and dates of birth, but extends to medical information that is maintained by an employer due to an employee’s family medical leave request or accommodation.
For those employers who are providing self-insured health care benefits and electronically saving claims-related information, systems need to be in place to safeguard against the disclosure of sensitive medical information due to “hacking.” In so doing, employers should not only work with experts in technology, but should also review whether existing insurance policies provide coverage for these types of claims.
Given this recent Pennsylvania Supreme Court decision, employers would be wise to consult with an attorney so that exposure to a lawsuit is minimized. A lawsuit can not only be expensive to defend, but can also result in other employees resigning and in publicity that can harm an employer’s business reputation.
Colorado and California have enacted laws that require businesses to address the cybersecurity issue. It would not be surprising to see Pennsylvania enact a similar law in the future.
The Eastern Pennsylvania Employment Log (EPELog) is a publication of the KingSpry Employment Law Practice Group. Jeffrey T. Tucker, Esquire, is our editor-in-chief. EPELog is meant to be informational and does not constitute legal advice.