Privacy Risk Report - https://privacyriskreport.com

Recent Case Sheds Light on What Courts May Find Makes Security Measures Reasonable

A number of states have recently imposed duties for data collectors to safely store information. For example, Illinois data collectors are now required to “implement and maintain reasonable security measures” to protect data (815 ILCS 530/45 [1]). Unfortunately, data collectors have not received guidance on what constitutes “reasonable security measures.” In the absence of this guidance from legislature, a number of courts are beginning to analyze what measures are reasonable for data storage.

For example, in Dittman v. The University of Pittsburgh Medical Center (UPMC) [2], the Superior Court of Pennsylvania affirmed the trial court’s dismissal of the plaintiffs’ negligence and breach of implied contract claims. The plaintiffs filed suit alleging that UPMC suffered a data breach involving the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 current and former employees. An estimated 780 employees’ stolen information was used to file fraudulent tax returns. As of the date of the opinion, the source of the data breach was unknown.

The plaintiffs claimed UPMC had a legal duty to protect their personal and financial information. Specifically, the plaintiffs alleged that UPMC “failed to encrypt data, establish adequate firewalls and implement adequate authentication protocols to protect the information in its computer network.”

UPMC Had No Legal Duty Related to Employee Information

The appellate court first reviewed the question of whether an employer has “a legal duty to act reasonably in managing its computer systems … collected from its employees, when the employer elects, for purposes of its own business efficiencies, to store and manage such sensitive employee data on its internet-accessible computer system, leaving it vulnerable to computer hackers, in the absence of reasonable safeguards.” The appellate court analyzed this question under the following five factors concerning legal duty:

Concurring Statements were also filed with this decision that, while agreeing with the Majority’s decision, warn that “in this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution.” Specifically, the Concurrences noted that the employees claim “that UPMC had failed to use reasonable care in the storage of their personal information by, inter alia, properly encrypting the data, establishing adequate firewalls, and implementing an appropriate authentication protocol.”

The Concurring Opinion in the Dittman decision sheds light on what courts may find constitutes “reasonable care” in data storage. Understanding these standards has become even more important now that many legislatures around the country have started to impose requirements for data storage. For example, Illinois’ legislature now requires that “data collectors implement and maintain reasonable security measures to protect…records from unauthorized access….”

Consequently, while there are many questions concerning what “reasonable security measures” entail, the reasoning in the Dittman decision may provide guidance. While not controlling in any manner, in the absence of an interpretation of “reasonable security measures,” a “data collector” may want to consider the advice in the Dittman Concurrence and take steps to encrypt data, establish adequate firewalls and implement an appropriate authentication protocol to protect data.