Courts Consider Whether Employers Have a Duty to Safeguard Employee Personal Information

January 19, 2017 | Privacy, Data & Cyber Law

Employers regularly collect and maintain confidential personal information about their employees, including birth dates, social security numbers, addresses, tax information, and bank information.  A data breach may put this employee information at risk.  In two recent decisions, courts have had to consider the scope of employers’ duties to their employees to protect confidential personal information and whether employers may be liable to their employees for damages stemming from such a breach.

In Hapka v. CareCentrix, Inc., 2016 U.S. Dist. LEXIS 175346 (D. Kan. Dec. 19, 2016), the District of Kansas declined to dismiss a putative class action brought on behalf of a class of current and former CareCentrix employees whose personal information was stolen by an unauthorized person posing as one of the defendant’s employees.  Shortly after the plaintiff was notified of the data breach, she received a notice from the IRS indicating that a fraudulent tax return had been filed in her name.

The Court concluded that, while there was no statutory duty which requires employers to safeguard employee information, the defendant employer did have a common law duty to exercise reasonable care in obtaining, securing, safeguarding, deleting, and protecting employees’ personal information, such that the plaintiff had adequately stated a cause of action.

A recent decision by the Superior Court of Pennsylvania reached a contrary conclusion.  In Dittman v. UPMC d/b/a University of Pittsburgh Medical Center, 2017 PA Super 8, 2017 Pa. Super. LEXIS 13 (Pa. Super. 2017), the Superior Court of Pennsylvania held that employers do not owe their employees a duty of reasonable care in the collection and storage of their employees’ information and data.  In reaching this conclusion, the court worried about the added costs to employers if such a duty were to be imposed.  The court noted that there is a “social utility of electronically storing employee information” because “employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data.”  Moreover, the court stated, “we find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether.”  The court also argued that the legislature had addressed these competing public policy concerns by requiring employers to notify employees of a data breach, while declining to create any broader right of action.

As courts are forced to address data breach claims with increasing frequency, both courts and legislatures will have to consider whether and under what circumstances to impose liability on employers for data breaches that cause identity theft damages to their employees.  It may be necessary to consider what constitutes reasonable care for the safeguarding of personal information, whether there should be a safe harbor if certain practices are followed, or whether there is any duty to mitigate harm in the event of a data breach by providing, e.g., monitoring services.
