There’s good news for security pros worried that their organizations may be liable if their employees’ personal information gets hacked: a panel of judges in Pennsylvania says workers can’t collect damages from their employer if things like Social Security numbers, bank account information, birth dates, addresses and salaries are compromised in a data breach.
Even though the stolen data was used to file phony tax returns in order to get the refunds, the workers at University of Pittsburgh Medical Center (UPMC) had no reasonable expectation that the data would be safe, the Superior Court of Pennsylvania ruled recently.
The case, known as Dittman v. UPMC, pertains solely to employee records, not customer records, and not patient records, which are protected by HIPAA.
That’s in Pennsylvania where laws don’t specifically deal with the obligations businesses have to protect employee data. And that’s just for now, because lawmakers are still struggling to write laws that apply to electronic data. The law may catch up, but for now courts are applying existing legal standards that in many cases predate the existence of digital records, and that’s not unique to Pennsylvania.
Meanwhile, the courts and parties that feel they have been wronged are left to draw on laws and previous cases that are totally unrelated to cybercrime.
For example, the workers in the Pennsylvania case turned over their personal information as a condition of employment, not for safekeeping, according to the court decision. Using reasoning employed in a case brought by account holders against their bank, the judges decided the safety of the information wasn’t guaranteed.
Referencing another old case, the court said UPMC isn’t obliged to pay up if the stolen data resulted in purely economic losses but not damages to health, safety or property. That ruling drew on a decision where workers at a tire store sued for lost wages when the business shut down for a week when the property was flooded.
The most stringent test the court used came from another, far-afield case that involved whether parents who were sexually abusing their own daughter had the right to sue the girl’s psychologist, who turned them in. Applying reasoning used to reach a decision in that case, the court came up with some sweeping conclusions about responsibility in data-breach cases.
The court said that the law shouldn’t require employers to take on the cost of boosting the security of employee data because they can’t possibly thwart all hacking attempts. “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether,” the decision says.