Data Privacy

Employers Have a Duty to Protect Employee Information

The convergence of new technologies allows employers to gather a staggering amount of data about employees. Understanding what data your company gathers and how it is stored is key to protecting employee information.

Companies have long sought ways to monitor and assess employee productivity and efficiency in the workplace. More recently, technologies have provided greater opportunities for companies to track, watch and listen to employees during their work day. A survey done by Gartner, Inc. in 2018 found that 22 percent of organizations worldwide and across industries are using employee-movement data, 17 percent are monitoring work-related computer usage data, and 16 percent are using Microsoft Outlook usage data. Some companies are even analyzing things like the text of employees’ emails, employee biometric data, how employees are utilizing their workspace, and employee calendars to assess who is meeting with whom.

With all this data being gathered and analyzed, privacy advocates are concerned that if laws do not keep pace, the collection, use and storage of employee data will eventually erode any sense of privacy employees may have had in the workplace. While there are very few employee-specific privacy laws in the United States, there is the Electronic Communications Privacy Act and the Stored Communications Act, along with various state wiretap laws, which generally address how companies can monitor information. But what, if any, obligation does an employer have to protect the information and data it gathers and stores on its employees? Some state courts have taken matters into their own hands to address this very issue. Pennsylvania is one such state.

Duty of Reasonable Care

In late 2018, the Pennsylvania Supreme Court decided the case Dittman v. UPMC. The case created a legal duty for employers to use reasonable care to safeguard the sensitive personal information they gather on their employees. The underlying facts of the case stem from a data breach through which the personal and financial information of all 62,000 UPMC employees was stolen and used to file fraudulent tax returns. The employees alleged that UPMC required them to supply this information as a condition of their employment and that UPMC was negligent in its protection of their personal information.

One of the two main issues the Pennsylvania Supreme Court considered was whether UPMC owed its employees a duty of reasonable care to protect their electronically stored information. Despite two lower court decisions to the contrary, the Pennsylvania Supreme Court held that an employer who collects and stores employee information on its internet-accessible computer system has a legal duty to protect that data from any foreseeable risk of harm.

UPMC argued that it could not be found liable for negligence because the third-party criminal conduct (i.e., the hack) was an unforeseeable superseding event. The Court rejected this argument and stated that “criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees’] personal and financial information from that breach.” Dittman v. UPMC, 196 A.3d 1036, 1048 (Pa. 2018). According to the Court, UPMC should have realized that “a cyber-criminal might take advantage of the vulnerabilities in UPMC's computer system and steal [employees’] information; thus, the data breach was ‘within the scope of the risk created by’ UPMC.” Id.

In addition to imposing a legal duty on UPMC, the Pennsylvania Supreme Court also held that the state’s long-standing economic loss doctrine, which generally prevents a party from recovering solely economic damages under a negligence theory of liability, did not bar the UPMC employees’ negligence claims.

Pennsylvania law, according to the Court, recognizes “that purely economic losses are recoverable in a variety of tort actions” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law.” Id. at 1052. With this limited application of the economic loss doctrine, and the creation of a legal duty to reasonably safeguard the electronically stored employee information, the Court overturned the lower court decisions that dismissed the employees’ negligence claims.

The Dittman decision has a direct impact on all employers in Pennsylvania that digitally store employee information on computer-based systems. Companies with employees in Pennsylvania should promptly evaluate their existing data security policies, procedures and technical measures, and take proactive steps to remedy any gaps, in order to minimize exposure to liability.

Before the Dittman decision, employees did not have a clear path to pursue claims against their employer for a data breach. Now, with the establishment of a duty of reasonable care for employers who collect and store their employees’ personal and financial information on internet-accessible computer systems, there is a clear method of recovery for employees whose information is exposed as a result of a data breach. While the Dittman decision applies to companies with operations in Pennsylvania, it appears to be a clear signal that courts are willing to address issues related to the collection and storage of employee information. Likewise, it is probably only a matter of time until other state courts take a similar approach in extending such obligations upon employers. Don’t let your company be the test case. Now is a great time to evaluate, or reevaluate, where your organization stands in terms of its protection of employee data.
