Josh Mooney Comments on PA Supreme Court Cybersecurity Decision in Law360
Josh Mooney, Co-chair of the Cyber Law and Data Protection Group, weighed in on the Pennsylvania Supreme Court's recent ruling that employers have a duty to protect employee data from cyberattacks. The court agreed that by requiring its employees to provide it with personal information, the University of Pittsburgh Medical Center (UPMC) owed a duty to exercise reasonable care to protect the data.
"The court was pretty clear that it wasn't relying upon any special relationship between the employer and the employee to render its decision, so I think courts will apply Dittman to data protection cases outside of the employment context," he said, also suggesting that the ruling would result in increased litigation.
Josh also noted that given the number of regulatory regimes around cybersecurity that have sprung up in recent years, including enforcement actions from the Federal Trade Commission and the European Union's new General Data Protection Regulation, it’s likely that larger companies are already taking steps to exercise the kind of "reasonable care" the Pennsylvania Supreme Court is now demanding.
"I think certainly larger companies have taken steps to either comply with these out-of-state data protection requirements in other jurisdictions, or they've taken steps to come into line with expectations that federal agencies… have laid out," Josh added. "Those companies are in a much better position to say they've undertaken reasonable measures to protect data and that they’ve already met the duty of care that’s been pronounced under Dittman."
Read the full article (subscription required).
For further background, you can read Josh's alert "PA Court Denies Common-Law Duty of Employers to Safeguard Employee Information."