Sunday, February 26, 2017
Protect Employee Data? Not Necessary in Pennsylvania
The Pennsylvania Superior Court, ruling in Dittman v. University of Pittsburgh Medical Center, held that under state law an employer is not responsible for protecting employee data, even where a breach of that data causes economic harm. The case stemmed from a 2014 data breach that exposed the data of 62,000 UPMC employees and resulted in at least 788 of them becoming victims of tax fraud. According to the court, employees had no reasonable expectation that their data would be held securely when they turned it over to UPMC, since data breaches are all too common and there is no way to prevent them. Laws to protect the privacy of individuals in the digital age have notably lagged in Pennsylvania: the same fact pattern would likely lead to a quite contrary ruling in many other states. Dittman v. UPMC is a good illustration of the patchwork nature of privacy protections prevalent in the United States.