The ruling further says that the benefits of storing this type of data electronically outweigh the downside that the data might be compromised. “While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information,” the ruling says. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”
The two judges who wrote the main decision in the case also filed a supplemental, concurring opinion to further explain the situation. They write that the medical center knew of no specific threats that it ignored, so it doesn’t owe the employees anything. “Had UPMC been on notice of actual or potential security breaches of its systems, or reasonably should have anticipated that the negligent handling of confidential information would have left it vulnerable to criminal activity, a different conclusion may have been reached…”
Until laws more directly address who is liable for what in data breach cases, courts should rule conservatively and wait for legislatures to lead the way. “[I]n this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution,” the judges wrote.