There’s good news for security pros worried that their organizations may be liable if their employees’ personal information gets hacked: a panel of judges in Pennsylvania says workers can’t collect damages from their employer if things like Social Security numbers, bank account information, birth dates, addresses and salaries are compromised in a data breach.
Even though the stolen data was used to file phony tax returns in order to get the refunds, the workers at University of Pittsburgh Medical Center (UPMC) had no reasonable expectation that the data would be safe, the Superior Court of Pennsylvania ruled recently.
The case, known as in Dittman v. UPMC, pertains solely to employee records, not customer records, and not patient records, which are protected by HIPAA.
That’s in Pennsylvania where laws don’t specifically deal with the obligations businesses have to protect employee data. And that’s just for now, because lawmakers are still struggling to write laws that apply to electronic data. The law may catch up, but for now courts are applying existing legal standards that in many cases predate the existence of digital records, and that’s not unique to Pennsylvania.
Meanwhile, the courts and parties that feel they have been wronged are left to draw on laws and previous cases that are totally unrelated to cybercrime.
For example, the workers in the Pennsylvania case turned over their personal information as a condition of employment, not for safekeeping, according to the court decision. Using reasoning employed in a case brought by account holders against their bank, the judges decided the safety of the information wasn’t guaranteed.
Referencing another old case, the court said UPMC isn’t obliged to pay up if the stolen data resulted in purely economic losses but not damages to health, safety or property. That ruling drew on a decision where workers at a tire store sued for lost wages when the business shut down for a week when the property was flooded.
The most stringent test the court used came from another, far-afield case that involved whether parents who were sexually abusing their own daughter had the right to sue the girl’s psychologist, who turned them in. Applying reasoning used to reach a decision in that case, the court came up with some sweeping conclusions about responsibility in data-breach cases.
The court said that the law shouldn’t require employers to take on the cost of boosting the security of employee data because they can’t possibly thwart all hacking attempts. “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether,” the decisions says.
The ruling further says that the benefits of storing this type of data electronically outweighs the downside that the data might be compromised. “While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information,” the ruling says. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”
The two judges who wrote the main decision in the case also filed a supplemental, concurring opinion to further explain the situation. They write that the medical center knew of no specific threats that they ignored, so they don’t owe the employees anything. “Had UPMC been on notice of actual or potential security breaches of its systems, or reasonably should have anticipated that the negligent handling of confidential information would have left it vulnerable to criminal activity, a different conclusion may have been reached…”
Until laws more directly address who is liable for what in data breach cases, courts should rule conservatively and wait for legislatures to lead the way. “[I]n this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution,” the judges wrote.