In a recent ruling, the Pennsylvania Supreme Court said that employers are legally responsible for protecting workers’ sensitive information, and that companies who don’t safeguard personnel data can now be found negligent and become subject to financial losses.
The case is rooted in a data breach that occurred at the University of Pittsburgh Medical Center in 2014.
The birth dates, addresses, and social security numbers of 62,000 employees were stolen. Because of this, numerous false tax returns were filed and many of the employees were unable to collect their tax refunds. The group banded together to file a class action suit with the hospital to seek damages.
The case reached the state’s high court, and justices ruled that companies in the state must use “reasonable care” to safeguard their employee data.
“The criminal activity, and the cyber-security risk is ever-present in our society. And they just have to acknowledge that that’s the context in which they’re storing this information electronically, and they have to act reasonably,” said Gary Lynch, the attorney representing the employees.
Lynch said he has not yet calculated how much money in damages he will now seek for his clients. He hopes this case will set a precedent for courts in other states to compel companies to better protect employees.
The Pennsylvania Chamber of Commerce believes the ruling will hurt businesses in the state.
“We’re concerned that this ruling sets a precedent that increases liability on employers,” Harris says. “It increases litigation; it makes it easier for plaintiffs to seek economic damages. So it opens the door for plaintiffs and trial lawyers to go after job-creators,” said Tricia Harris, a spokesperson for the organization.
According to a Gemalto, a leading digital security outlet, about 4.5 billion records from companies worldwide have been stolen so far this year.