Presented by the Privacy and Data Security Practice Group

Legal Updates for Privacy and Data Security - November 2018

PA Supreme Court: Companies Have a Common Law Duty to Protect Their Employees' Personal Information

By David J. Shannon, Esquire

       The Pennsylvania Supreme Court recently ruled that businesses have a common law duty to protect their employees' electronically stored data. This decision overruled both the trial court's and the superior court's earlier rulings that dismissed a class action lawsuit brought against a medical facility after tens of thousands of employees' personal information was compromised by an unknown hacker.

       In Dittman v. UPMC, the court held that UPMC owed its employees “a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of the storage of their personal and financial information.” The company owed this duty since it required its employees to provide personal and financial information as part of their employment. The court held that the risk of a cyber criminal exploiting vulnerabilities in UPMC's computer system and stealing employees' information was one that could be within UPMC's common law duty of care. As a result, the plaintiffs had the right to proceed with the lawsuit alleging negligent acts by UPMC. The criminal acts of the cyber criminal in creating the data breach did not relieve UPMC of its duty to protect its employees' personal information.

       The decision is an important one for businesses and other entities in Pennsylvania since they now have a legally recognized common law duty to protect their employees', and likely their customers', personal information from the actions of a cyber criminal. The standards for that duty will have to be addressed in the now-resumed, ongoing litigation. This decision will also certainly be used by plaintiffs' counsel in other states to argue that businesses have a common law duty of care to protect individuals' personal information. As a result, an increase in litigation over data breaches will likely occur, which reinforces the priority that business entities should place on having proper cyber insurance in place to cover such claims.


The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects.
