On November 21, 2018, in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, the Supreme Court of Pennsylvania held that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on an internet-accessible computer. Dittman is notable because it is the first time a state’s highest court has broadly held that a company owes a duty to its employees to protect their personal data that it collects and stores. Also, by rejecting the economic loss doctrine, the court opened the door to the potential recovery of pecuniary damages in data breach cases alleging a negligence theory. If the holding of Dittman is adopted by courts in other states, employers could face increased risk of financial liability following a data breach that compromises personal information of employees.
Plaintiffs originally brought the action against UPMC d/b/a the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, “UPMC”) in June 2014, seeking to represent a class of current and former employees whose sensitive personal and financial information was compromised (and in some cases used to file false tax returns) following a data breach of UPMC’s systems. Plaintiffs brought a negligence claim, among others, alleging that UPMC had a duty to secure their information because it had required plaintiffs to provide the information as a condition of employment and breached that duty by failing to maintain adequate cybersecurity measures to safeguard their information.
The Pennsylvania Supreme Court reversed the trial court’s dismissal of plaintiffs’ negligence claim. First, the court held that UPMC owed plaintiffs a duty of reasonable care to safeguard their personal information. In doing so, the court rejected the trial court’s conclusion that any such duty would be newly created in the law. Instead, the court determined that plaintiffs’ claim merely applied a traditional duty of reasonable care to a novel factual circumstance—a criminal data breach of an employer’s computer system. The court held that UPMC’s collection of plaintiffs’ sensitive personal and financial information as a condition of employment was affirmative conduct that triggered a duty to exercise reasonable care to protect plaintiffs from risk. The court also held that the hacker’s criminal conduct did not eliminate UPMC’s duty because plaintiffs sufficiently alleged that UPMC created the risk by failing to implement adequate security measures.
Second, the court held that Pennsylvania economic loss doctrine did not bar the employees’ claim for purely economic damages. In rejecting UPMC’s assertion of the economic loss doctrine, the court held that UPMC’s duty to act with reasonable care in collecting and storing its employees’ sensitive data exists independently from any contractual obligations between the parties.
Companies that collect and store employees’ personal data should be mindful of the reasonable care duty imposed by the court in Dittman—and which may be imposed by other courts and states in the future—as they create and implement policies regarding the protection of employee personal data. Pennsylvania’s ruling also caps off 2018 as a year marked by notable protections for employee data, including the passage of the California Consumer Privacy Act — which some have noted could include employees among the “consumers” whose data is protected — and the FTC’s settlement with Uber for breaches involving the personal information of its drivers.
 Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).
 Id. at 1056.
 Id. at 1044-1048.
 Id. at 1048-1056.
 See California Consumer Privacy Act of 2018, AB 1121 (Sept 2018) (to be codified at Cal. Civ. Code. § 1798.140(g)) (defining consumer as “a natural person who is a California resident”); see also, e.g., Letter to Hon. Bill Dodd (Aug. 6, 2018), at 3 (noting definition of “consumer” is broad and proposing amendment to language to exclude employees), http://netchoice.org/wp-content/uploads/SB-1121-Final-Author-Coalition-Letter-126.96.36.1998.pdf. .