Repercussions of Landmark PA Supreme Court Case
If you have not started to tackle a risk assessment for your agency and built (or strengthened) your Information Security Program and your Cybersecurity Policy, make it a priority. In Dittman v. UPMC, the Supreme Court of Pennsylvania addressed an employer’s proper treatment of its employees’ personal information. The court held that:
- Employers have an independent duty to safeguard their employees’ personal and financial information collected and stored on its computer systems, and
- Employees can pursue a negligence claim against the employer when they have only suffered economic loss without physical injury or property damage.
The Court rejected the argument that it was creating a “new affirmative duty,” but instead stated it was applying an existing duty to a new set of facts. Based on the arguments made and retained, this legal duty is likely to extend beyond employment. Therefore, the need to exercise reasonable care in safeguarding against a possible data breach is more necessary than ever.
WHAT ABOUT AGENCIES?
While agencies have had to comply with a number of requirements regarding privacy and their handling of personal information for years, the focus and scope were not the same.
- The Dittman v. UPMC case is expanding the safeguards from customer and consumer information to include employee information.
- More importantly, the nature of the duty that is asserted in Dittman makes a negligence claim for “economic damages only” easier against a business that was breached.
This decision should serve as a reminder to all businesses that they must exercise due diligence in assessing their risks and use adequate cybersecurity measures, even though what adequate measures are or what qualifies as “reasonable care” have not yet been determined with any certainty. This decision could also have repercussions on the cyber insurance market, both in terms of coverage and pricing.
IS THERE A SILVER LINING?
Agents should be ahead of the curve in understanding cybersecurity and cyber insurance. Opportunities to guide customers and to offer cyber insurance likely will continue to increase as more businesses grasp their exposures.