Data Breaches: An Employer’s Duty to Protect Employees’ Personal Information

By Aaron Wais

Recently, there has been much discussion about the Superior Court of Pennsylvania’s ruling in Dittman v. UPMC, which affirmed a lower court’s order dismissing an employee class action against their employer over a data breach. While this was a significant victory for employers, non-Pennsylvania employers should temper their enthusiasm. As one recent federal court decision in California makes clear, the reasoning of Dittman may not extend far, if at all, beyond the borders of Pennsylvania. Moreover, regardless of their outcomes, both cases also reinforce the need for employers to maintain legally compliant, written policies for safeguarding private information and responding to data breaches.

In Dittman, a data breach resulted in the theft of the personal information (e.g., names, birth dates, social security numbers, banking information) of approximately 62,000 current and former UPMC employees. The information was used to file fraudulent tax returns and steal tax refunds from certain employees.

Data Breaches: An Employer’s Duty to Protect Employees’ Personal Information

By Aaron Wais

An appellate court in Pennsylvania recently dismissed an employee class action against their employer over a data breach, holding that the employer did not have a duty to protect its employees’ personal information (e.g., names, birth dates, social security numbers, bank information, etc.).  While this was a significant victory for employers, non-Pennsylvania employers should temper their enthusiasm because courts in other states, including California, have made clear that employers do have a legal duty to protect their employees’ personal information. These courts have also made clear that the liability for a data breach differs when an employer has legally compliant, written policies for safeguarding private information and responding to data breaches in a timely manner.

Importance of Maintaining Cybersecurity Measures – Assessing the Ashley Madison Data Breach Settlement

By Aaron Wais

Daily headlines of data breaches, resulting class actions, governmental investigations and enforcement actions, and the settlements of those actions serve as constant reminders of the need to implement and maintain reasonable cybersecurity measures. Yet another example can be found in the recent announcement by the Federal Trade Commission, which states that the operators of Ashley Madison have agreed to settle the charges brought against them by the FTC and over a dozen state attorneys general arising out of the July 2015 data breach of Ashley Madison’s network. Analyzing the settlement also provides additional guidance on what regulators mean when they refer to reasonable safeguards.