The law has spent centuries chasing technological changes. Legal rules tend to evolve from the slow accumulation of precedent or from the difficult-to-find common ground of legislative consensus. And yet, the opportunities and risks created by society's technological hares race ahead without heed to the pace of the legal tortoises. Cybersecurity vulnerabilities at U.S. companies, and the resulting problems maintaining the privacy of personal information of employees, present the latest iteration of this age-old dilemma. Courts, legislatures and regulators have attempted to define the duties of employers concerning security and privacy, and this article explores the pros and cons of each approach. In the end, without regard to who is making the legal rules, the change is upon us and certain practical steps will best serve the interests of both employers and employees in this digital era.

The Common Law Approach

The recent Pennsylvania Supreme Court landmark decision in Dittman v. UPMC established a common law duty on the part of Pennsylvania employers “to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an Internet-accessible computer system.” 196 A.3d 1036, 1038 (Pa. 2018). The decision saved from dismissal a putative class action premised on claims of negligence and breach of implied contract. The employees claimed that their sensitive personal identifying information (PII) was stolen from UPMC following a criminal hack. Id. at 1038-39. The Dittman court held that Pennsylvania common law required employers who affirmatively undertake the collection and storage of their employees' sensitive PII to implement “reasonable care” and “adequate” security measures. Id. at 1048. The opinion suggests that the duty of reasonable care includes: encrypting, establishing “adequate” firewalls, and implementing “adequate authentication protocol[s].” Id.

The Dittman court expressly disavowed any intention to create new affirmative duties under the law; rather, it emphasized that the holding was applying the Restatement (Second) of Torts §302, which requires protection and reasonable care where an actor engages in affirmative conduct. Id. However, as the Dittman court correctly observed in reviewing UPMC's arguments, the Pennsylvania Legislature, by statute, chose to create only a duty of notice on the part of employers experiencing breaches. See id. at 1041 (citing Pennsylvania's Data Breach Act, 73 P.S. §§2301-2309). Clearly then, Dittman does recognize obligations on the part of Pennsylvania employers not embodied in prior Pennsylvania statute or case law.

The Legislative/Regulatory Approach

While Dittman is a harbinger of judicially created obligations, it can hardly be considered an outlier for employers, given that New York (and other states) have enacted or proposed regulations or statutes that require covered employers to assess, maintain and/or develop cybersecurity programs. New York, like Pennsylvania, has a statute requiring virtually all employers to provide written notice of a data breach involving certain types of PII to affected individuals as well as to the NYS Attorney General's Office, the NYS Division of State Police, and the Department of State's Division of Consumer Protection. See N.Y. Gen. Bus. Law §899-aa. New York regulations go much further. The Superintendent of Financial Services promulgated 23 NYCRR Part 500, a “first-in-the-nation” regulation establishing comprehensive cybersecurity requirements for certain banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services (DFS). 899-aa regulations require covered employers to maintain a comprehensive “cybersecurity program designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer [CISO] to help protect data and systems; and controls and plans to help ensure [] safety and soundness … .” See id. The DFS regulations impose periodic compliance, audit, reporting, and self-certification deadlines on covered entities' CISOs.

The New York State Attorney General's office has also proposed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The proposed SHIELD legislation requires covered entities to maintain “reasonable safeguards to protect the security, confidentiality, and integrity of” certain PII, including but not limited to the disposal of data. The proposed SHIELD legislation includes various examples of required technical, personnel-based, and physical cybersecurity measures. Importantly, the SHIELD legislation attempted to provide safe harbors for compliance with: (a) federal or state regulations or (b) a third-party assessor's certification, provided there is no evidence of willful misconduct, bad faith, or gross negligence.