Advertising Disclosure Email Disclosure

Legal Update for Privacy and Data Security

November 26, 2018
Presented by the Privacy and Data Security Practice Group

PA Supreme Court: Companies Have a Common Law Duty to Protect Their Employees' Personal Information

By David J. Shannon, Esquire

       The Pennsylvania Supreme Court recently ruled that businesses have a common law duty to protect their employees' electronically-stored data. This decision overruled both the trial court's and the superior court’s earlier rulings that dismissed a class action lawsuit brought against a medical facility after tens of thousands of employees’ personal information was compromised by an unknown hacker.

       In Dittman v. UPMC, the court held that UPMC owed their employees “a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of the storage of their personal and financial information.” The company owed this duty since it required its employees to provide personal and financial information as part of their employment.  The court held that the risk of a cyber criminal exploiting vulnerabilities in UPMC’s computer system and stealing employees' information was one that could be within UPMC’s common law duty of care. As a result, the plaintiffs had the right to proceed with the lawsuit alleging negligent acts by UPMC. The criminal acts of the cyber criminal in creating the data breach did not alleviate UPMC of its duty to protect its employees' personal information.

       The decision is an important one for businesses and other entities in Pennsylvania since they now have a legally-recognized common law duty to protect their employees’, and likely their customers’, personal information from the actions of a cyber criminal. The standards for that duty will have to be addressed in the now-resumed, ongoing litigation. This decision will also certainly be used by plaintiffs’ counsel in other states to argue that businesses have a common law duty of care to protect individuals' personal information. As a result, an increase in litigation over data breaches will likely occur, which reinforces the priorities that business entities should place on having proper cyber insurance in place to cover against such claims.


The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. To be removed from our list of subscribers who receive these complimentary Privacy and Data Security updates, please contact If however you continue to receive the alerts in error, please send a note to

ATTORNEY ADVERTISING pursuant to New York RPC 7.1
© 2018 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.

Affiliated Attorney

David J. Shannon
Chair, Privacy and Data Security
(215) 575-2615

Practice Areas

Before you send this email please note:

You are attempting to send email, through a link on our website, to an attorney of Marshall Dennehey Warner Coleman & Goggin or an employee in our firm. Please note that your email may not be treated as confidential and does not create an attorney-client relationship. You should not rely upon the transmission of an email through this website if you are seeking to enter into such a relationship. Until such time as we have agreed to represent you, no information in your email will be treated as confidential. Please contact us directly by telephone at 1.800.220.3308 if it is your intent to seek legal counsel with our firm or convey confidential information.

If it is still your intent to send this email, knowing that it may not be treated as confidential, you may accept our terms of agreement by pressing "OK". If you choose not to accept these terms of agreement you may navigate away from this page by pressing "Cancel."