By Aaron Wais
Recently, there has been much discussion about the Superior Court of Pennsylvania’s ruling in Dittman v. UPMC, which affirmed a lower court’s order dismissing an employee class action against their employer over a data breach. While this was a significant victory for employers, non-Pennsylvania employers should temper their enthusiasm. As one recent federal court decision in California makes clear, the reasoning of Dittman may not extend far beyond, if at all, the borders of Pennsylvania. Moreover, regardless of their outcomes, both cases also reinforce the need for employers to maintain legally compliant, written policies for safeguarding private information and responding to data breaches.
In Dittman, a data breach resulted in the theft of the personal information (e.g., names, birth dates, social security numbers, banking information) of approximately 62,000 UMPC current and former employees. The information was used to file fraudulent tax returns and steal tax refunds from certain employees.
A putative class of former and current employers filed suit, alleging claims for negligence and breach of an implied contract. As to negligence, the class alleged the UPMC owed them a legal duty to protect their personal and financial information, but that UPMC had failed to adequately protect their information (e.g., UPMC was alleged to have not properly encrypted data, established adequate firewalls or implemented adequate authentication protocols). As to the breach of an implied contract, the class alleged that they had provided the information in expectation that it would be adequately protected. The company was also alleged to have delayed in notifying affected employees of the breach and the information taken.
The appellate court affirmed the dismissal of all claims. As to negligence, the Court held that while the employee-employer relationship gives rise to duties, the duty to protect the employee’s personal information was not one of them. The Court held that while a data breach is generally foreseeable, the possibility did not outweigh the social utility of maintaining personal data electronically or the added cost it would impose on employers to protect their employees’ information. In addition, the Court found notable that UPMC was not alleged to have encountered a prior specific threat of intrusion.
As to the breach of contract claim, the Court held that there were no objective manifestations of UPMC’s intent to enter into a contract to protect employees’ information. In addition, the Court concluded there was no consideration because the employees provided the information to UPMC in consideration for their employment – not in consideration for its safekeeping.
This is in marked contrast to last year’s federal district court ruling in Castillo v. Seagate in the Central District of California. Similar to Dittman, in Castillo, a data breach resulted in the theft of all former and current employees’ W-2 statements, which included salary, benefit information, names and social security numbers of the employees and spouses. This information was used to file fraudulent tax returns.
Also similar to Dittman, a putative class action was filed alleging claims for negligence, violation of California’s Unfair Competition Law (“UCL”) and breach of an implied contract.
This, however, is where the similarities to Dittman end. The Castillo court held that Seagate owed a legal duty to its former and current employees, as well as their spouses and dependents, to protect their personal information. It also found that Seagate had breached this duty by allegedly failing to reasonably safeguard the employees’ personal information. The Court further ruled that a cognizable, non-speculative harm had been alleged; among other things, the Court cited the economic damage resulting from the filing of false returns and the out-of-pocket expenses of paying for identity theft protection.
Notably, the Court still dismissed the claim, with leave to amend, pursuant to the economic loss doctrine, which says that absent a special relationship, a plaintiff cannot recover purely economic damages for a negligence claim unrelated to physical injury or property damage. No such damages were alleged and the Court concluded that there was no “special relationship” because, while data breaches are foreseeable, there were no allegations that Seagate was on notice of the vulnerabilities of its own system (i.e., it had not been subject to similar acts in the past such that it should have been on the lookout for fraudulent requests for W-2 information.). That being said, the Court explicitly stated that “Plaintiffs may be able to state a claim by offering facts establishing Seagate was aware of similar phishing scams or even that they failed to alert those with access to employees’ personal identifying information about how to protect against phishing attacks.”
The Court also held that plaintiffs had stated a claim pursuant to the UCL. Specifically, the Court held that California’s Customer Records Act, which requires companies to protect the personal information of customers, also encompassed employees and could serve as the predicate statute for an UCL claim. While the Court dismissed the claim for failure to seek restitution or injunctive relief – the only relief available under the UCL – it granted plaintiffs leave to amend.
Finally, the Court held that plaintiffs had stated a claim for breach of an implied contract because, in contrast to Dittman, while “Seagate made no explicit promises as to  ongoing protection, it is difficult to imagine in today’s day and age of data and identity theft, how the mandatory receipt of SSN and other personally sensitive pieces of information would not imply the recipient’s assent to protect the information sufficiently.” In that regard, the Court held that the consideration for employees’ providing the information was not only employment but also the assurance that reasonable measures would be taken to protect this information.
So what should employers take away from the foregoing discussion? For California employers, as well as employers in other states who make the protection of personally identifiable information a priority like Massachusetts and New York, the following principles are of paramount importance:
- Employers likely have a duty to take reasonable measures to safeguard their employees’ personal information. Such measures likely include (but are not limited to) ensuring the appropriate use of encryption, establishing adequate firewalls, implementing adequate authentication protocols for accessing computer systems and training employees on how to protect against data breaches (e.g., how not fall victim to phishing attacks).
- Employers also have a duty to advise employees in a timely and legally compliant manner about data breaches.
- To mitigate potential liability, employers should memorialize and train employees on the safeguards that are implemented. Employers should also memorialize a data breach response plan.
- Employers should review their employee handbooks and consider language that might limit their potential contractual liability for data breaches.
In sum, taking preventative measures now – whether to protect employees’ information or your customers’ information – can go a long way to remediating the situation when your computer systems are hacked and personal information is taken.