When a data breach occurs at a company, customer data is not the only thing exposed; employee information is at risk as well. What obligations, then, do employers owe their employees with respect to that information?

This issue was recently decided in part, at least for Pennsylvania employers, in Dittman v. UPMC, 43 WAP 2017, 2018 WL 6072199, at *14 (Pa. Nov. 21, 2018). In Dittman, a group of employees sued their employer, the University of Pittsburgh Medical Center, for failing to take reasonable care to protect their personal and private information. On appeal, the Supreme Court of Pennsylvania reversed the lower court and held that an employer owes its employees a common law duty to use reasonable care to safeguard their sensitive data stored on the employer's internet-accessible computer system. Notably, the employees did not allege that the employer engaged in any misfeasance; their theory was nonfeasance, a failure to prevent the harm from occurring. The Supreme Court found that the mere fact that third parties committed the wrongful act (the data breach) did not negate the employer's duty to safeguard the sensitive information the employees had been required to provide as a condition of employment.

The Dittman case is certainly not the first time a group of employees has sued an employer over a breach of the employer's computer system that disclosed the employees' personally identifiable information. In Sackin v. TransPerfect Global, Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017), the employer moved to dismiss a class action filed by its employees, and the motion was denied in part. Among other things, the district court found that the complaint sufficiently stated a cause of action for breach of a common law duty of care, namely the employer's duty to take reasonable steps to protect the employees' data. The court also found a viable cause of action for breach of an implied contract between the employer and its employees, but not for breach of the terms of the employment contract itself. As to the implied contract, the parties' conduct and course of dealing were deemed to rise to that level because the employees were required, as a prerequisite of employment, to provide the employer with certain sensitive data, and given how commonplace data and identity theft are today, the court found an implied assent by the recipient to protect that data.

Although the Ninth Circuit did not reach the scope of any reasonable care obligation (the appeal turned on standing), actions brought by employees against an employer for failing to safeguard personally identifiable information date back to at least 2010, when a class action, Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), was brought by then-current and former employees of Starbucks. What makes Krottner distinctive is that no system was hacked; rather, the personally identifiable information was on a laptop stolen from Starbucks. More recent employee-versus-employer suits include In re U.S. Office of Personnel Management Data Security Breach Litigation, 266 F. Supp. 3d 1 (D.D.C. 2017), and Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *1 (C.D. Cal. June 15, 2015). In the Office of Personnel Management litigation, the issue before the court was Article III standing. For more on Article III standing, see our Standing Considerations in Federal Data Breach Litigation post from November 27, 2018. In Corona, the complaint alleged negligence, breach of implied contract, and violations of various state statutes. The state statutory claims were each dismissed with leave to amend, as was the implied contract claim. The implied contract claim failed because, although the other elements were alleged (that the parties entered into an employment contract under which, in exchange for compensation and other benefits, the employees were required to provide Sony their personally identifiable information, and that Sony allegedly failed to maintain an adequate security system), the complaint did not allege any facts "that Sony's acts were intended to frustrate the agreement." Id. at *6. The only cause of action that survived the motion to dismiss was the negligence claim, predicated on the alleged breach of a duty to maintain adequate security measures. Id. at *5.

All companies must take reasonable steps to safeguard personally identifiable information, and that obligation extends to employee data, not just customer data. Although none of the cases cited above reach the question of damages, a failure to take reasonable care to protect personally identifiable information exposes a company to liability even though the company is itself a victim of a third party's bad acts.