CSG Law Alert: Data Breaches Are a Foreseeable Risk and Companies Owe a Common Law Duty of Care When They “Create” the Risks
On November 21, 2018, the Pennsylvania Supreme Court, the highest court in Pennsylvania, ruled that an employer had a common law duty to exercise reasonable care to protect employees’ personal data where (i) the employer, as a condition of employment, required employees to provide sensitive personal data, (ii) the employer chose to store that data on its systems, and (iii) the employer’s collection and storage of that data could foreseeably expose the employees to an “unreasonable risk of harm.” Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199 (Pa. Nov. 21, 2018).
In a class action, the Court accepted the employees’ argument that this duty included the obligation to take “reasonable measures to protect” the data from the “foreseeable risk that [hackers] would attempt to access and [compromise and/or steal] that information.” The Court further accepted the employees’ position that the intervening criminal act of the hackers did “not eviscerate the duty … to take reasonable anticipatory measures against foreseeable criminal conduct.”
Note that the Court stopped short of defining what “reasonable” care would have been in this case. For purposes of this ruling, however, the Court accepted the employees’ allegations that the employer failed to encrypt the data at issue and did not have appropriate firewalls or other “reasonable” security measures in place, so those are the kinds of safeguards a court is likely to ask about.
It is critical for employers in any jurisdiction to take note of this ruling. Pennsylvania, like the majority of states in the US, does not currently have a statute requiring companies to affirmatively protect sensitive information. However, the Court found that this duty exists at common law. The ruling binds Pennsylvania courts, and courts in other states may treat it as persuasive authority.
Moreover, it is reasonable to assume that the next retailer hit with a major credit card breach will face similar claims and potential liability, because customers paying by card must provide personal payment information to the retailer, unless the retailer can show that it adopted “reasonable” measures to guard against the “foreseeable” risk that such data would be compromised.
In light of the Pennsylvania court’s ruling and two recent decisions in the U.K. and North Carolina, companies that have not already done so are strongly urged to take action now and adopt “reasonable” measures to (i) identify the sensitive data they collect and store, (ii) protect that data from foreseeable compromise, taking into account the type of data stored and the company’s size and resources, (iii) monitor their systems so that compromises are detected quickly, and (iv) have a written incident response plan for when, not if, an attack occurs.
Those who have resisted cyber insurance and crime coverage may wish to reconsider in light of these rulings.