The recent Pennsylvania Supreme Court landmark decision in Dittman v. UPMC established a common law duty on the part of Pennsylvania employers “to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an Internet-accessible computer system.” 196 A.3d 1036, 1038 (Pa. 2018). The decision saved from dismissal a putative class action premised on claims of negligence and breach of implied contract. The employees claimed that their sensitive personal identifying information (PII) was stolen from UPMC following a criminal hack. Id. at 1038-39. The Dittman court held that Pennsylvania common law requires employers who affirmatively undertake the collection and storage of their employees’ sensitive PII to implement “reasonable care” and “adequate” security measures. Id. at 1048. The opinion suggests that the duty of reasonable care includes encrypting data, establishing “adequate” firewalls, and implementing “adequate authentication protocol[s].” Id.

The Dittman court expressly disavowed any intention to create new affirmative duties under the law; rather, it emphasized that the holding was applying the Restatement (Second) of Torts §302, which requires protection and reasonable care where an actor engages in affirmative conduct. Id. However, as the Dittman court correctly observed in reviewing UPMC’s arguments, the Pennsylvania Legislature, by statute, chose to create only a duty of notice on the part of employers experiencing breaches. See id. at 1041 (citing Pennsylvania’s Data Breach Act, 73 P.S. §§2301-2309). Clearly, then, Dittman does recognize obligations on the part of Pennsylvania employers not embodied in prior Pennsylvania statute or case law.

The Legislative/Regulatory Approach