Blogs > Employment Law Blog

Employers Face Increased Cybersecurity Obligations


The Pennsylvania Supreme Court recently decided a case that may increase an employer’s cybersecurity obligations for electronically stored employee information.  In Dittman v. University of Pittsburgh Medical Center (UPMC), a class of UPMC employees filed a negligence action alleging that UPMC breached a duty of reasonable care by not protecting their electronically stored information.  The action stems from UPMC experiencing a data breach that lead to the fraudulent use of employee information on tax returns.

The Pennsylvania Supreme Court concluded that if an employer collects and electronically stores employees’ sensitive personal information on an internet-accessible computer system, then the employer has a duty to protect that data from any foreseeable risk of harm.  UPMC requested and then stored its employees’ financial and personal information on an internet-accessible computer system without implementing adequate security measures to protect that information.  As a result of the lack of proper safeguards, UPMC experienced a data breach and employees incurred damages.  The Court agreed with the employees that a data breach of their electronically stored information was within the scope of the risk created by UPMC’s affirmative act, collecting and storing their information, and thus UPMC violated its duty to use reasonable care.

The Court further denied UPMC’s argument that the economic loss doctrine precluded the employees’ requested damages.  The Court opined that “recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract,” as was the case here.  Thus, if employees can establish that an employer had a duty to protect electronically stored information and the employer breach that duty, then the employees may recover for purely pecuniary damages.

This case places additional cybersecurity obligations on employers that request sensitive personal information that is then stored on internet-accessible computer systems.  Employers that request personal information need to ensure they do not breach their duty of care by assessing how the information is being stored and if the proper safeguards are in place to prevent data breaches.

For questions about this or any other labor and employment topic, please do not hesitate to contact me at