Data Breaches: An Employer’s Duty to Protect Employees’ Personal Information
Recently, there has been much discussion about the Superior Court of Pennsylvania’s ruling in Dittman v. UPMC, which affirmed a lower court’s order dismissing an employee class action against their employer over a data breach. While this was a significant victory for employers, non-Pennsylvania employers should temper their enthusiasm. As one recent federal court decision in California makes clear, the reasoning of Dittman may not extend far beyond, if at all, the borders of Pennsylvania. Moreover, regardless of their outcomes, both cases also reinforce the need for employers to maintain legally compliant, written policies for safeguarding private information and responding to data breaches.
In Dittman, a data breach resulted in the theft of the personal information (e.g., names, birth dates, social security numbers, banking information) of approximately 62,000 UMPC current and former employees. The information was used to file fraudulent tax returns and steal tax refunds from certain employees.