Penn. High Court Rules Employer Has Duty to Safeguard Employees’ Personal Info


The Pennsylvania Supreme Court has ruled that an employer has a legal duty to use reasonable care in safeguarding its employees’ sensitive personal information stored on an internet-accessible computer.

This vacates earlier Trial Court and Superior Court decisions in the matter.
The case arose after the Pittsburgh Medical Center and UPMC McKeesport (UPMC) employees filed a class lawsuit against the UPMC following a data breach involving personal and financial information, including names, birth dates, social security numbers. Addresses, tax forms and bank account information – all 62,000 UPMC employees and former employees have been accessed and stolen from computer systems.

Employees were used to file fraudulent tax returns on behalf of victim employees, claiming that stolen data from UPMC information required employees to provide employment conditions, and actual damages occurred. As a result, the employees claimed the negligence allegation and the violation of the alleged contract against the UPMC.

With regard to the allegation of negligence, UPMC has assumed the duty to take reasonable care to protect the personal and financial information of its employees. As a condition of employment, UPMC requires that employees be secured, that they are lost, lost, stolen, misused, and / or disclosed to unauthorized parties. Employees claimed that violating UPMC’s duties was a direct cause of harm to employees and sought monetary losses among other forms of relief.

On 16 July 2014, the UPMC objected to the prevention of allegations that employees had not suffered any physical injury or property damage and that they did not cause any action for negligence on the grounds of ”no cause for action seb under the Economic Loss Doctrine. It exists only due to negligence resulting from economic damages, which are not material damage or property damage. ”
Court order
On October 22, 2014, the parties appeared before the Court of Jurisdiction for an oral discussion of the preliminary objections of the UPMC. Following the debate, according to the direction of the court, both sides made additional briefings stating whether the UPMC owed the employees in a way.

On 28 May 2015, the court continued the preliminary objections of the UPMC and denied the negligence of the employees. On the basis of the general definition of the Economic Lost Doctrine, the Court found that although the employees claimed that they owed a maintenance duty to the UPMC, the only losses sustained were economic.
The Trial Court further explained that esi hundreds of thousands of cases “could arise from the proposed solution to create a specific cause of negligence in order to compensate for the actual damages that would have harmed the judicial system of the employees and required significant resources to be defended against legal persons. These actions.

The Court will not be able to say with reasonable certainty that the interests of the society will be best presented through the recognition of a new positive obligation under these conditions, stating that the financial impact of doing so may lay off legal entities, according to the Supreme Court of Pennsylvania.

In addition, the Court explained that organizations that store confidential information already have an incentive to protect this information, because it will affect any infringement operations, an advanced system does not force a breach, and the parties have been victims of criminal activity.

Finally, the Court notes that the legislature is already aware of these issues and considers these matters as a violation of the Personal Data Disclosure Act. Under the Data Infringement Act, the legislative body is obliged to issue legal entities to report a violation and authorizes the Office of the Chief Public Prosecutor to take action on violation of the notification requirement. The Court therefore dismisses public policy as a matter for the legislature and for the court not to change the direction of the legislature in accordance with the document of opinion.

The employees then appealed to the Upper Court. They alleged that the Trial Court had been postponed to find the UPMC, that the employees had not shown reasonable care in the collection and storage of their information, and that the economic loss doctrine prohibited the allegations.
Superior Court Findings
According to a split view, a panel of three judges of the Supreme Court upheld the decision of the Court, which maintained the preliminary objections of the UPMC and rejected the employees’ allegations. The Court further noted that the benefits of electronically storing personal information of employees ağır to increase efficiency “outweigh the nature of the imposed risk.

The Court stated that the risk of information storage has increased electronically, as information violations become more widespread and information violations are generally predictable, while employees and consumers now benefit from the efficiency of storing more information in the electronic environment. In view of this, the Supreme Court found that the defendant had no duty to protect against the third-party offenses unless he had realized or had been required to do so.

The Supreme Court added that the Court should already adopt protective measures to prevent employers from disclosing confidential information on the grounds that there is no obligation for legal assistance to provide confidential information to companies to protect employees’ confidential information.

In addition, the Supreme Court ı found it unnecessary for employers to have to face potentially significant costs to increase security measures when there was no real way to completely prevent data breaches.
Supreme Court Decision
The Pennsylvania Supreme Court may then determine whether an employer has a legal obligation to maintain an employer’s use of reasonable care to protect his or her sensitive personal information when it is stored in a computerized system, has allowed it to appeal. a violation.

Employees argue that, in their argument, UPMC collects sensitive personal data from its employees and stores them in computer systems with internet access, they assume the task of taking reasonable care to protect them from the predictable risks that third parties will seek to access. and pillet this information. Employees claimed to be allegedly wrong on behalf of UPMC when collecting and storing sensitive personal data.

Employees also argued that the electronic data stored on computers with Internet access are in the hands of large organizations, that they have obvious targets of cybercriminals, and that a reasonable presence in the UPMC’s position could lead to data exposure if the basic security measures could not be used. and serious financial consequences for victims.

Therefore, the employees claimed that the employers demanded reasonable attention when they held and kept their employee data to protect themselves from compromise, and that there was no reason for the employers to be exempted from acting with reasonable care. Collects and stores sensitive personal information of employees.

Finally, the employees claimed that, although the final damage in this case resulted in criminal activity, the task of UPMC with reasonable care for the collection and storage of employee data was removed.

In response, the UPMC denied the allegation that employees had taken a legitimate duty to protect against a criminal infringement by the entry into force of a positive decision. The UPMC claimed that it had an information event that worked on a general employment relationship, which could not only constitute a positive action requiring the legal responsibility of third-party criminal acts. The UPMC also stated that, according to the document of thought, it was not in the business of providing data security.

According to the UPMC, employees do not claim a positive error on the part of the UPMC, because instead of the damage that the UPMC has suffered or the failure to prevent the speculative future damage. In this context, the UPMC stated that bulundu there is a rule which does not serve in the rescue / protection scenarios that are not created by the defendant because of the damage caused by the defendant Bu.

The UPMC said, ilgili [i] is not just nonsense to suggest that it is due to the danger of a data breach accused of having employee data [], ığ he said, and neither increased the risk of criminal activity nor created a specific danger to the public about public data.

With that in mind, the UPMC suggested that employees isi offered a radical restructuring proposal ma by third parties to attempt to impose responsibility on the UPMC for criminal acts.

In its view, the Pennsylvania Supreme Court stated that, as a condition of employment, the UPMC required employees to provide certain personal and financial information they had collected and stored on the Internet access computer system without adequate security measures. including proper encryption, adequate firewalls and an adequate authentication protocol.

Un These real claims are clearly the positive attitude of the UPMC, Görüş the opinion document said. Ti Employees claimed that UPMC’s positive behavior posed a risk of data breach. Therefore, we acknowledge that in collecting and storing the data of the employees on the computer system, UPMC has the duty to give employees reasonable care to collect and store their personal and financial information in their computer systems. ”

Accordingly, the Pennsylvania Supreme Court concluded that the dissolution of the Trial and Superior Courts for the determination of the UPMC had no obligation to take reasonable care to protect their sensitive personal data during the collection and storage of their employees on a computer system accessible on the internet. In addition, the lower courts concluded that Pennsylvania’s economic loss doctrine determined the negligence of employees.

As a result, the Supreme Court dismissed its decision, reversed the order of the Court’s judgment, and submitted the matter to the Court Court for further trial, consistent with its opinion.

Legal warning !
The information, comments and suggestions there are not covered by investment advice. It is based on the author's personal opinions. These views may not fit your financial situation and risk and return preferences. For this reason, based solely on this information, investment decisions may not have the appropriate consequences for your expectation. Our Site is not responsible for any direct or indirect damages incurred by the investors as a result of the use of the information on the Site, deficiencies in the sources, damages incurred by profit, moral damages, or damage to third parties.