Fall 2017

PENNSYLVANIA RESTAURANT & LODGING matters • Fall 2017 • LEGAL DOCKET

Pennsylvania Superior Court Rejects Common-Law Duty to Safeguard Employee Personal Information

Erin R. Kawa, Esquire
SHUMAKER WILLIAMS, P.C.
General Counsel, Pennsylvania Restaurant & Lodging Association

Many employers collect and store sensitive employee data on a computer system, which raises the question of whether the employer has a duty to enact extra security measures to safeguard that information from increasingly common data breaches. In a recent pro-employer decision, Dittman v. UPMC, the Pennsylvania Superior Court held that an employer owes no duty to employees to store and manage sensitive employee data on internet-accessible computer systems, despite vulnerability to computer hackers.

In 2014, the University of Pittsburgh Medical Center (UPMC) discovered a large-scale data breach in which hackers accessed the private information of approximately 62,000 UPMC employees, including names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The stolen information was then used to file fraudulent tax returns and misappropriate refunds for certain employees. The stolen data had been collected and stored by UPMC as a condition of employment. The affected employees filed a class action, alleging, in pertinent part, that UPMC owed a legal duty to protect their personal and financial information by preventing vulnerabilities in its computer systems. The class also alleged that, by collecting the information, UPMC created an implied contract with the employees requiring it to reasonably safeguard its computer systems. The Pennsylvania Superior Court disagreed.

Under Pennsylvania law, courts must balance five factors to determine whether a duty of care exists: (1) the relationship between the parties; (2) the social utility of the conduct; (3) the risk and the foreseeability of the harm; (4) the consequences of imposing a duty; and (5) the public interest in the solution. Balancing these factors, the Superior Court declined to impose a duty on employers. In fact, the only factor that the Court found weighing in favor of imposing a duty was the first, because of the special relationship between an employer and employee. Nonetheless, the Superior Court acknowledged that employers have an obvious need to collect and store employees’ personal information and, “in the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone.” Indeed, electronic storage of information creates beneficial efficiencies for employers and employees alike. Although data breaches are becoming more common, the Superior Court decided that the risk does not outweigh the social utility of electronically storing employee information.

Further, the Superior Court held that the consequences of imposing a duty weighed against doing so. Significantly, it noted that data breaches are so widespread that there is no way to truly prevent them altogether. Further, there already are safeguards preventing employers from disclosing employees’ confidential information. Therefore, the Superior Court decided that there is no need to significantly increase security costs by imposing an additional duty to protect electronically-stored personal data.

The Superior Court also rejected the argument that UPMC created an implied contract with the plaintiffs in which it agreed to prevent disclosure of employee information in a data breach. The Court contrasted this situation with a bank’s duty of confidentiality to its customers, which is created by virtue of that relationship.

Although Pennsylvania law does not impose a blanket tort liability for the disclosure of employees’ personal
