Employers, and likely all businesses, now have a specific duty to safeguard their employees’ personal data that is stored on internet-based computer systems, according to a recent decision by the Supreme Court of Pennsylvania. Prior legislation only required companies to report potential or actual data breaches to the individuals or businesses whose information may have been, or was, compromised.

In Dittman v. Univ. of Pittsburgh Medical Center, the court held that employers have a duty to exercise reasonable care to protect their employees against an unreasonable risk of harm if the company collects and stores the employees’ data on internet-based computer systems. Further, this duty is independent of any contractual obligations between the employer and employee. The court reasoned that by collecting the data without appropriate security measures, UPMC created a foreseeable risk of a data breach. In other words, UPMC should have known a cyber-criminal might take advantage of its vulnerable computer system and steal the data.

The case involved the theft of social security numbers, dates of birth, tax information, addresses, salaries and bank account information of more than 62,000 current and former UPMC employees. UPMC gathered the sensitive information as a condition of employment. The employees sought money damages for losses due to the filing of fraudulent tax returns and for the increased and imminent risk of identity theft.

This ruling is important because the decision likely extends to any entity (not just employers) that collects and stores sensitive personal data. Additionally, defendants can no longer claim the criminal act of a third party as an intervening act to shield them from liability. As such, this new decision will force companies to incur significant expenses to update their security protocols and will expose them to more risk and potential litigation.