The writing is more than on the wall. It’s scrawled everywhere you look, and it’s in bright, flashing letters that can’t be ignored. It screams at you, at everyone that passes, a single and undeniable truth: businesses must protect their employees.
This is neither a new concept nor a revolutionary idea. It is a belief many of us hold to be self-evident. And now, it is written into law.
Let’s take a closer look at what a recent Pennsylvania Supreme Court (PSC) ruling means for Pennsylvania businesses, their employees, and the entire nation. But first, some context.
A brief history of the UPMC data breach
Back in 2014, the University of Pittsburgh Medical Center (UPMC) experienced an unprecedented data breach: Hackers stole the personal information of more than 60,000 former and current employees.
Cybercriminals used victims’ names, Social Security numbers, addresses, banking information, and other sensitive data to file fraudulent tax returns. The thieves were then able to collect the victims’ tax refunds — a trend that has been growing significantly in recent years.
Affected employees brought a class action lawsuit against the medical center. Victims felt that, since they were required to exchange this sensitive information for employment consideration, UPMC had a responsibility to protect that data.
After a series of trials and appeals, the case reached the Pennsylvania Supreme Court. And on November 21, 2018, the highest court in Pennsylvania sided with the aggrieved employees.
The landmark decision of Dittman v. UPMC
There were many notable elements of the PSC’s ruling, but the most significant is the logic the court used to reach its decision and the far-reaching implications this will likely have.
The Pennsylvania Supreme Court found that UPMC’s practice of collecting and storing sensitive employee data constituted affirmative conduct. As such, the company had a responsibility to protect all sensitive data and provide adequate security measures. Because UPMC failed to do this, the court concluded that the data breach was “within the scope of the risk [UPMC] created.”
The PSC further protected employees’ right to sue negligent employers. According to the court, employees can take legal action against a company even if their employer didn’t explicitly promise to protect the data it collects. A contract is not needed, as this responsibility is the employer’s “common law duty.”
What this means for the rest of us
Dittman v. UPMC is about much more than an isolated data breach. It is bigger than one medical center’s failure to protect its employees. It’s even bigger than the 62,000 employees who had their data compromised.
Instead, it is about one simple truth: businesses must protect their employees.
We didn’t need a court to tell us this. But now that it has, you can expect a lot more to follow suit. Long before the PSC’s ruling, the legal system had been increasingly holding employers responsible for employee data breaches and identity theft.
This isn’t a bad thing. It is a necessity — one that stems from the numerous challenges posed in today’s Digital Era. Helping companies meet these challenges is the whole reason we started InfoArmor.
We believe that everyone deserves peace of mind, and it is this belief that powers everything we do. It’s why we’re committed to protecting the places people work, the relationships they build, and the data they share.
If you’d like to learn more about how we do this, please send us an email, fill out our contact us form, or give us a call. We’d love to help you protect your company’s most valuable asset — your employees.