Pennsylvania Supreme Court recognizes negligence tort for employer’s failure to protect private employee information
Employers are well aware of the various statutory obligations that companies have to protect employee (and consumer) private information, such as social security numbers and medical records. One example is Colorado's relatively recent statute.
The Pennsylvania Supreme Court has now extended the obligations found in statutory data privacy laws, for companies in Pennsylvania, into a common law principle. Even without — or in addition to — existing statutory data privacy laws and any contracts in which the company promised data privacy protections, the Pennsylvania Supreme Court has ruled that employers have a common law duty — as part of the duty not to act negligently — to take reasonable steps to protect the private information of their employees. It is not clear whether this duty extends to the private information stored for customers (or anyone else).
(W)e hold that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.
What specific steps should an employer take? The court did not say, but, in an aside, one comment from the court suggests that companies should consider, at the very least, “implementing adequate security measures to protect against data breaches, including encrypting data properly, establishing adequate firewalls, and implementing (an) adequate authentication protocol.”
Source: Dittman v. University of Pittsburgh Medical Center, 196 A.3d 1036 (Penn. 11/21/18).