By: Joshua Mooney
Recently, the Supreme Court of Pennsylvania issued a landmark decision in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), under which employers now have an independent duty to protect employee data from cyberattacks. The case was explained in an alert published last week. Here are five quick thoughts on the decision:
- Dittman likely extends beyond the employment context. Because the Supreme Court did not base its decision on the existence of an employment relationship, and instead relied upon longstanding principles of tort law, courts potentially will apply this duty to other contexts. Also, with Dittman’s determination that the economic loss doctrine was inapplicable, absent a valid standing challenge, Dittman effectively waves goodbye to early dismissals of class action data breach lawsuits.
- The biggest impact of the case likely will fall on small and mid-sized companies, which are less likely to have undertaken adequate cybersecurity measures than larger companies. Insurance carriers that insure the small-to-medium enterprise market also may see this impact, as their policyholders get swept into litigation.
- The decision reflects the changing times. The lower courts observed that there were no generally accepted standards of care for data protection, and that employers should not have to incur significant costs in security measures when data breaches cannot be prevented. A court would never reach such a conclusion today. Regulations in cybersecurity and perceptions toward cyberattacks have changed. Standards of care have emerged, and there are recognized cybersecurity frameworks around which to build a data security program. Companies now are expected to undertake affirmative, reasonable measures to protect data.
- The dots are starting to connect in terms of what is required of U.S. companies that collect data. Dittman is another sign in a growing trend. Courts, statutes, and regulators are requiring companies to undertake reasonable, affirmative measures to protect data.
- Companies should heed Dittman and ensure that they comply with the standard of care. They should conduct annual risk assessments and amend/implement cybersecurity programs geared to protect the confidentiality, integrity, and availability of the data they collect. Companies also should hire outside cyber counsel when conducting a risk assessment and implementing a data security program to try to keep any surprises or hiccups within the scope of attorney-client privilege. Preparing now does not have to be expensive, and it will be a lot less expensive than poor cyber practices that (1) lead to a breach, and (2) result in litigation and liability.