An employee improperly accesses his employer’s computer network and steals the names, birthdates, and social security numbers of his fellow employees to use for illegal financial gain. A criminal hacks into that same network for similar illegal purposes. Because employers regularly obtain, store, and use confidential employee personally identifiable information (“PII”) as part of their business operations, they are targets for this kind of activity. But what legal responsibility do employers have to their employees when PII is misappropriated by an employee, or stolen by hackers in a data breach? Two Pennsylvania courts have recently shined some light on this issue. In both cases, which involved large-scale data breaches affecting thousands of employees, the courts absolved the employers of any potential liability because either (1) they owed no duty in tort to their employees to protect PII against data breaches or (2) the employer had no express or implied contractual obligation to protect the PII.
About William Berglund

Bill Berglund achieves diverse solutions to complex legal problems for pharmaceutical, medical device, and other product manufacturers in federal and state court litigation nationwide. Bill also represents and counsels hospitals, individual health care providers, and other regulated businesses with respect to medical privacy and data security issues and federal and state law compliance.
Phase 2 of the U.S. Department of Health and Human Services Office for Civil Rights’ (“OCR”) HIPAA audit program is in process. Unlike OCR’s initial Phase 1 Pilot audits, which addressed only Covered Entities, Phase 2 also focuses on Business Associate compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. These audits seek to enhance industry awareness of HIPAA compliance obligations and the information obtained will be used to develop OCR’s permanent audit program. All Covered Entities and Business Associates are eligible to be audited.