An employee improperly accesses his employer’s computer network and steals the names, birthdates, and social security numbers of his fellow employees to use for illegal financial gain. A criminal hacks into that same network for similar illegal purposes. Because employers regularly obtain, store, and use confidential employee personally identifiable information (“PII”) as part of their business operations, they are targets for this kind of activity. But what legal responsibility do employers have to their employees when PII is misappropriated by an employee, or stolen by hackers in a data breach? Two Pennsylvania courts have recently shed some light on this issue. In both cases, which involved large-scale data breaches affecting thousands of employees, the courts absolved the employers of any potential liability because either (1) they owed no duty in tort to their employees to protect PII against data breaches or (2) the employer had no express or implied contractual obligation to protect the PII. See Enslin v. Coca-Cola Co. (E.D. Pa. Mar. 31, 2017); Dittman v. UPMC (Pa. Sup. Ct. Jan. 12, 2017), reargument denied Mar. 20, 2017.
While these cases resulted in pro-employer outcomes, and will be helpful in similar future litigation, they should not give employers the idea that they can be lax in their data privacy and security practices involving employee PII. Employers should consider these additional points about the cases and about maintaining data privacy and security practices that can meet the threats posed by today’s disloyal employees and hackers:
- Enslin and Dittman were decided under Pennsylvania law and are not binding on courts in the other 49 states. Case law in this area is still in its infancy and courts are deciding these issues differently. For example, see Hapka v. Carecentrix, Inc. (D. Kan. Dec. 19, 2016), in which the court concluded that a similar employee data breach case could go forward against the employer, at least past the initial pleading stage. Ensuring that you have good privacy and security practices not only lessens the risk of a data breach, but also serves as helpful evidence should a court allow a lawsuit to go forward against you in the event of a breach.
- A court’s determination of your duties to your employees will likely be influenced by whether you were aware of previous threats to the security of the PII stored in your computer networks. An employer that knows about deficiencies and fails to address them might be held liable if PII is later stolen in a data breach.
- The Dittman court observed that “[t]here are still statutes and safeguards in place to prevent employers from disclosing confidential information.” That may be overstating the law a bit, but in the two cases, the employers provided notices to their employees because Pennsylvania law required those notices, and those notices led to what we have to assume has been time-consuming and expensive litigation. Employers must comply with other statutes and regulations governing their data privacy and security practices, including the Health Insurance Portability and Accountability Act (“HIPAA”), Federal Trade Commission regulation, and other federal and state requirements. Also, employers have a financial and reputational incentive to protect against data breaches. Even if you may have no civil liability to your employees in the wake of a breach, having a robust data privacy and security program is still a legal requirement that makes good business sense.