Pennsylvania High Court: Businesses Must Safeguard Employee Data

Data security is a growing area of risk for today’s employers. A groundbreaking decision published last November by the Pennsylvania Supreme Court takes the importance of safeguarding your employees’ personal data to new heights – and its ramifications are likely to extend well beyond the boundaries of a single state.

Dittman v. UPMC: The Background

In the case of Dittman v. the University of Pittsburgh Medical Center (UPMC), Pennsylvania’s highest court held, for the first time, that employers must exercise reasonable care to safeguard employees’ personal information stored on an internet-accessible computer system, and that they can be held liable in the event of a data breach. The court further held that if UPMC failed to implement security measures before storing the data, then the resulting criminal access was a foreseeable outcome.

This ruling drastically changes the data breach litigation landscape. Employers in Pennsylvania and beyond could be on the hook for damages if plaintiffs in similar suits can prove they acted negligently.

Dittman v. UPMC arose from a 2014 data breach that resulted in the theft of information for 62,000 employees and former employees, including Social Security numbers, birthdates, confidential tax and bank account information, addresses, and salaries. As a result of this class-action suit, the court held that where an employer’s collection of employee personal information creates a foreseeable risk of a data breach – even by cyber criminals – the employer has a duty to secure that information “against an unreasonable risk of harm arising out of (their) data collection practices.”

The Importance of Data Security

While Dittman v. UPMC applies to Pennsylvania employers and employees, it’s critically important to keep your cybersecurity policies and procedures up to date, regardless of where your business is located. In the wake of this decision, employers everywhere may see an increase in data breach lawsuits seeking damages.

  • Look at whether you have utilized “reasonable care” to safeguard your employee data. Depending on the size and scope of your company and the nature of data you store electronically, this could include an internal review or consultation with an outside security expert.
  • If you use cloud-based HR technology to track and store employee data, talk with your providers. Ensure that ongoing monitoring, encryption, firewalls, dual authentication and related measures meet or exceed industry standards.
  • Train your employees to recognize social engineering techniques used by hackers and cyber criminals. These include phishing emails, which attempt to trick users into providing passwords or other sensitive information.

The implications of a data breach at your company can be terrifying when you consider the potential harm to your employees, your reputation, and your financial bottom line. HR Works understands this risk and has implemented a wide range of technology safeguards to protect any data you send us. Clients with questions about the solutions and IT security partnerships that have worked for us can contact us for more information.

© 2019 HR Works, Inc. All Rights Reserved

HR Works, Inc., headquartered at 200 WillowBrook Office Park in Fairport (Rochester), New York, with an office in East Syracuse, is a human resource management outsourcing and consulting firm serving clients throughout the United States. HR Works provides scalable strategic human resource management and consulting services, including: affirmative action programs; benefits administration outsourcing; HRIS self-service technology; full-time, part-time and interim on-site HR managers; HR audits; legally reviewed employee handbooks and supervisor manuals; talent management and recruiting services; and training of managers and HR professionals.