Pennsylvania Employers Have a Duty to Protect and Secure Employee Data

Brandon S. Williams, Esq. brandonw@capozziadler.com

In a recent decision, the Pennsylvania Supreme Court found the University of Pittsburgh Medical Center liable to employees for not taking reasonable care to protect employee data. UPMC, which had gathered the personal data from employees as a condition of employment, was hacked, and the personal information of 62,000 employees and former employees was compromised. Although the hackers acted illegally in obtaining the information from UPMC computer systems, the Court ruled that UPMC should have anticipated the possibility of hackers attempting to access the information and should not have stored the information on its internet-accessible computer system, which lacked adequate security measures, including proper encryption, adequate firewalls, and adequate authentication protocols. The Court held that employers are expected to exercise “reasonable care” – including taking measures to prevent hacking – in securing employee data.

Employers are now on notice that they have a duty to ensure their systems are equipped with security measures to guard against data breaches and should do so by:

  1. Reviewing and tightening internal policies and procedures related to data protection, covering both data collection and data storage.
  2. Engaging information technology professionals to develop and regularly update effective ways to protect employee data.
  3. Training employees regarding data security.
  4. Maintaining documentation of data protection efforts.
  5. Developing a protocol to be followed in case of a data breach.

Contact Brandon Williams, Esq. at BrandonW@CapozziAdler.com or 717-233-4101 for more information.