You start your job and give your employer all your personal information: your home address, Social Security number, perhaps even confidential medical and financial data. Did you know your employer has no duty to keep your confidential information safe from hackers? In a recent 2-1 vote, a three-judge panel of the Pennsylvania Superior Court ruled that employers cannot be held responsible for a data breach of employee information even if the employer was not utilizing current best practices to prevent a breach.
In the case of Dittman v. University of Pittsburgh Medical Center, decided January 12, 2017, the names, addresses, birthdates, salaries, Social Security numbers and other valuable data of 62,000 employees were stolen from University computers. The breach resulted in as many as 788 employees falling victim to tax fraud and identity theft. Yet the court's majority concluded that since data breaches are widespread and cannot be prevented entirely, it should not create a rule that would force employers to spend significant sums on technology when data breaches remain an unavoidable hazard.
The court did not evaluate the technology UPMC had in place, its cost, or the cost of more expensive measures that might have prevented the breach. In a stinging dissent, Judge Musmanno chided the majority for failing to even allow the plaintiffs the opportunity to demonstrate the University was aware of the threat of cyberattacks and did not act reasonably within budgetary constraints to safeguard employee information. The Dittman decision has far-reaching implications. To the delight of hackers, it may encourage some employers to spend less on data security, or at least on the security of data that doesn’t affect the employer’s bottom line if it is compromised. Look for this one to go up to the Pennsylvania Supreme Court. In the meantime, employees might want to spend a little themselves on LifeLock or similar services to protect their confidential information.