BreachExchange mailing list archives
Employer Owes Employees More than a Paycheck
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 12 Dec 2018 06:51:51 -0600
https://www.jdsupra.com/legalnews/employer-owes-employees-more-than-a-91313/

The Pennsylvania Supreme Court recently decided that employers have a duty to take reasonable steps to protect sensitive employee data from cyberattacks. The case began after employees at the University of Pittsburgh Medical Center ("UPMC") learned that fraudsters accessed and stole their names, social security numbers, addresses, tax forms, and bank information. Employees sued UPMC for failing to take reasonable steps to secure their data. According to the employees, UPMC failed to encrypt employee data, establish adequate firewalls, and implement an adequate authentication protocol. The employees argued that UPMC had a duty to keep their data secure because they had to provide it in order to work at UPMC.

The Pennsylvania Supreme Court agreed with the employees. The Court concluded that when UPMC obtained employees' sensitive personal information and stored it on internet-connected servers, UPMC had a "duty to exercise reasonable care" to protect that data. UPMC argued that it could not be liable to the employees for cybercriminals' criminal acts. The Court rejected that argument, however: if UPMC's actions increased the likelihood of a fraudster accessing employee data, then UPMC can still be liable for its failure to properly secure the data.

The Court's conclusion is interesting, because the Court assumes that a data breach is a foreseeable consequence of failing to take reasonable steps to secure data. This is contrary to the Eighth Circuit's conclusion in State Bank of Bellingham v. BancInsure, Inc., previously covered by this blog, that a cyberattack is not always a foreseeable consequence of lax information security standards. This case is also contrary to a recent decision from the Third Circuit, also covered by this blog. In that case, an employee whose information was breached claimed that the employee handbook promised him that his data would be secure. He claimed his employer broke that promise, so he was entitled to damages. The court rejected the employee's claim.

These three cases demonstrate that the law in this area remains unsettled. Employers only have a patchwork of decisions under different state laws to guide their decision making. The Pennsylvania Supreme Court's analysis acknowledges the reality that data breaches and cyberattacks are a common feature of modern life. As the law slowly adapts to new risks from cyberattacks, the Pennsylvania Supreme Court's analysis seems most consistent with the principle that has traditionally guided the development of tort law—the one in the best position to prevent harm should take reasonable steps to do so.

Iowa employers do not have any immediate reason to be concerned about the outcome in UPMC's case. The Court's decision came at a preliminary stage, and there is still a long way to go before the plaintiffs ever recover anything. However, employers should view UPMC's case as a sign of things to come, and make sure they are taking reasonable steps to secure their employee data. That doesn't just mean installing the latest software and hardware. Reasonable security also means looking at who has access to sensitive data, and controlling the ability of any one employee to disseminate it to third parties. As previously covered by this blog, fraudsters are adept at tricking employees into sharing information through phishing schemes. Employers need to make sure they have the right policies, procedures, and technical safeguards in place to protect their employees' information. This means consulting not only with knowledgeable technical experts, but also with knowledgeable counsel to help employers assess the legal and technical risks to their organization.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
https://lists.riskbasedsecurity.com/listinfo/breachexchange