Workplace Law Lowdown: Employers Responsible for both Customer and Employee Information in Data Breach Cases
Reports of computer hacks and data breaches are becoming too commonplace. Large companies are often the victims, and their customer information is the target. But what happens when an employer is the subject of a data breach and its employee records are hacked? The recent Pennsylvania Supreme Court decision in Dittman v. UPMC (Pa. Nov. 21, 2018) highlights employers’ obligation to protect both customer and employee information stored on their computer systems.
Like many employers, the University of Pittsburgh Medical Center (UPMC) collected personal and financial information from its employees. Hackers accessed UPMC’s computers and stole the personal and financial information of 62,000 current and former employees. The employees alleged that the hackers used the stolen data, which consisted of information UPMC required employees to provide as a condition of their employment, to file fraudulent tax returns.
The affected employees filed a class action lawsuit seeking to recover damages against UPMC under a negligence theory. The employees alleged that UPMC had a duty to exercise reasonable care to protect their “personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties” because UPMC required employees to provide information as a condition of their employment. They also claimed that UPMC breached its duty of reasonable care to them by failing to adopt, implement, and maintain adequate security measures to safeguard the information, by failing to adequately monitor the security of the network, by failing to prevent unauthorized access to the information, and by failing to recognize in a timely manner that the information had been compromised. The employees sought money damages from their employer related to damages from fraudulently filed tax returns and “increased and imminent risk of being victims of identity theft crimes, fraud, and abuse.”
Both the trial and intermediate appellate courts dismissed the case. But the employees found a sympathetic ear in the Pennsylvania Supreme Court, which agreed with them that “in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”
The Court concluded that “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.” Although UPMC argued that it was not responsible for the criminal conduct of third parties, the Pennsylvania Supreme Court concluded that liability can be found if UPMC “realized or should have realized the likelihood that such a situation might be created and a third person might avail himself of the opportunity to commit such a tort or crime.” The case was returned to the trial court, where the employees must still prove UPMC’s negligence and their damages.
Michigan has laws that address notice of data breaches, but not damages that arise from them. The notification obligation is triggered by the unauthorized acquisition of unencrypted personal information; encrypted data is exempt only so long as the encryption key was not also accessed or acquired. To rely on that exemption, the employer must evaluate the breach and the encryption measures in place and determine whether the attacker also obtained the key needed to decrypt the data, which in practice means knowing where the keys were stored and whether the compromised systems or accounts could reach them.
Although a negligence claim in Michigan may be viable after a data breach, concrete damages are required. “Damages ‘incurred in anticipation of possible future injury rather than in response to present injuries’ are not cognizable under Michigan law.” Doe v. Henry Ford Health System, 308 Mich App 592 (2014). In Doe, the Court ruled that even the cost of a credit-monitoring service did not necessarily “relate to a present, actual injury” but rather was “incurred in anticipation of possible future injury.” Because “these economic losses are wholly derivative of a possible, future injury rather than an actual present injury,” the Court held that the cost of credit-monitoring services is not cognizable under Michigan negligence law.
In Leibovic v. United Shore Mortgage, LLC (E.D. Mich. 2016), by contrast, the federal court allowed a data breach case to go forward under a negligence theory where the plaintiff alleged actual damages: attempts to liquidate his investment accounts, attempts to open credit cards in his name, and the issuance of fraudulent checks from his bank account.
The lessons for Michigan employers are clear. In addition to the obligation to safeguard customer information, they must also safeguard employee information, and they should confirm that their encryption actually protects stored data, including that the keys are kept where a compromise of the data would not also expose them. Employers cannot rely on the difficulty of proving actual damages to avoid costly data breach claims; where a plaintiff can point to fraudulent tax returns, account takeovers, or forged checks, the claim may well proceed. Contact any member of Bodman’s Workplace Law Group with questions or for help evaluating whether you have appropriate systems and policies in place to minimize risk in a data breach situation.