A number of states have recently imposed duties for data collectors to safely store information. For example, Illinois data collectors are now required to “implement and maintain reasonable security measures” to protect data (815 ILCS 530/45 [1]). Unfortunately, data collectors have not received guidance on what constitutes “reasonable security measures.” In the absence of this guidance from legislature, a number of courts are beginning to analyze what measures are reasonable for data storage.
For example, in Dittman v. The University of Pittsburgh Medical Center (UPMC) [2], the Superior Court of Pennsylvania affirmed the trial court’s dismissal of the plaintiffs’ negligence and breach of implied contract claims. The plaintiffs filed suit alleging that UPMC suffered a data breach involving the plaintiffs’ names, birth dates, social security numbers, tax information, addresses, salaries, bank information of approximately 62,000 current and former employees. An estimated 780 employees’ stolen information was used to file fraudulent tax returns. As of the date of the opinion, the source of the data breach was unknown.
The plaintiffs claim UPMC had a legal duty to protect their personal and financial information. Specifically, plaintiffs allege UPMC, “failed to encrypt data, establish adequate firewalls and implement adequate authentication protocols to protect the information in its computer network.”
UPMC Had No Legal Duty Related to Employee Information
The appellate court first reviewed the question of whether an employer has “a legal duty to act reasonably in managing its computer systems … collected from its employees, when the employer elects, for purposes of its own business efficiencies, to store and manage such sensitive employee data on its internet-accessible computer system, leaving it vulnerable to computer hackers, in the absence of reasonable safeguards.” The appellate court analyzed this question under the following five factors concerning legal duty:
- Relationship Between Parties Gives Rise to a Duty: Under this first factor, the appellate court held that, as an employer, UPMC had the requisite relationship to impose a duty to protect employee information.
- Social Utility of the Conduct Weighed Against the Nature of the Risk Imposed, and Foreseeability of the Harm Does Not Require Imposing a Duty: Under the second and third factors, the appellate court found that employers “have an obvious need to collect and store personal information about their employees,” and electronic storage is the most efficient method. However, the appellate court recognized that the risks of a data breach increase as the usage of electronic storage increases. However, the appellate court ultimately concludes that, “[w]hile a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information.” Under this analysis, the appellate court found no duty should be imposed on UPMC.
- Consequences of Imposing a Duty Do Not Require Imposing a Duty: In finding no need to impose a duty to employees, the appellate court found no need for a “judicially created duty of care…to incentivize companies to protect confidential information.” Further, the appellate court acknowledged the fact that there is “no true way to prevent data breaches altogether.”
- Public Interest Did Not Require Imposing a Duty: The appellate court found the fifth factor, public interest, did not require the imposition of a duty on UPMC. Specifically, public interest does not require the imposition of duty because the Pennsylvania legislature had already imposed a duty to notify those individuals impacted by a breach. “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the legislature.”
Concurring Statements also filed with this decision that, while agreeing with the Majority’s decision, warn that “in this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution.” Specifically, the Concurrences noted that the employees claim “that UPMC had failed to use reasonable care in the storage of their personal information by, inter alia, properly encrypting the data, establishing adequate firewalls, and implementing an appropriate authentication protocol.”
The Concurring Opinion in the Dittman decision sheds light on what court may find constitute “reasonable care” in data storage. Gaining an understanding of these standards have become even more important recently when many legislatures around the country have started to place requirements for data storage. For example, Illinois’ legislature now requires that “data collectors implement and maintain reasonable security measures to protect…records from unauthorized access….”
Consequently, while there are many questions concerning what “reasonable security measures” entail, the reasoning in the Dittman decision may provide guidance. While not controlling in any manner, in the absence of an interpretation of “reasonable security measures,” a “data collector” may want to consider the advice in the Dittman Concurrence and take steps to encrypt data, establish adequate firewalls and implement an appropriate authentication protocol to protect data.