A few months ago I wrote about the Third Circuit Court of Appeals’ avoidance of ruling on whether employers have a duty to protect their employees’ personal information. We now have an answer to that question (at least in this Commonwealth) from Pennsylvania’s Supreme Court: Yes, yes they do.
On the eve of Thanksgiving the Pennsylvania Supreme Court released its decision in Dittman v. UPMC. This lawsuit was brought by employees of the University of Pittsburgh Medical Center over a data breach that leaked the employees’ names, birth dates, social security numbers, and bank account information. But the existence of a duty by UPMC to protect this personal information remained in doubt. The Court ended this debate by ruling:
“an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.”
For employees, this is a decision that should be heralded as an important protection against identity theft. After all, what choice does an employee have but to give personal data to their employer? That the employer must protect that information is just common sense.