Monday, February 6, 2017

Pennsylvania Superior Court finds UPMC not responsible for data breach

The Pennsylvania Superior Court has ruled that the University of Pittsburgh Medical Center (UPMC) has no duty under state law to secure employee information and has dismissed a class action lawsuit against the health system.

The ruling, which stems from a February 2014 breach that affected all of UPMC’s 62,000 current and former employees, has ramifications not just for healthcare organizations but for all businesses in the state, observers say.

Data compromised in the breach included names, dates of birth, Social Security numbers, tax information, addresses, and salary and bank information. In April 2014, UPMC confirmed that data for as many as 27,000 workers had been compromised, with at least 788 employees becoming victims of tax fraud; a month later it confirmed that all workers’ data had been compromised, according to the Pennsylvania Superior Court filings.

Attorneys for the employees argued before the Pennsylvania Superior Court that UPMC had a legal duty to secure employee information and that the organization had not properly encrypted data, deployed firewalls or implemented appropriate user authentication protocols.

A trial court ruled that UPMC did not owe a duty of reasonable care in gathering and storing employee information. The Superior Court agreed, pointing out the pervasiveness of electronic storage of information and its obvious social utility in promoting efficiency. Moreover, the Pennsylvania Superior Court said in its opinion that the only duty Pennsylvania’s legislature has imposed on companies in the state is notification of a data breach, and that it is not for the courts to change the direction of the legislature, because public policy is a matter for the legislature.

“While a data breach (and its ensuing harm) is basically foreseeable, we don’t consider that this possibility outweighs the social utility of electronically storing employee information,” the Pennsylvania Superior Court pointed out in its decision. “In the modern era, more and more data is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, workers and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data.”

The Superior Court went further, saying a judicially created duty of care is not required to give companies an incentive to secure their confidential information. “We find it unimportant to need employers to incur potentially significant charges to increase security measures when there is no true way to stop data breaches altogether. Employers strive to run their businesses efficiently, and they have an incentive to secure employee information and stop these types of occurrences.”

Appellants, the court ruled, did not provide their information to UPMC in exchange for its safekeeping but for employment purposes. The full ruling is available here.

 
