Court ruling raises cyber stakes for employers
A recent Pennsylvania Supreme Court ruling involving cyber security issues and a data breach affecting employees at the University of Pittsburgh Medical Center could have a significant impact on companies statewide, observers note.
The case - known as Dittman for one of the UPMC employees who sued the Pittsburgh-based medical center - is heading back to a trial court after the Supreme Court determined that lower courts had erred in throwing the case out.
Legal observers noted that the reasoning offered by the Supreme Court, which issued its ruling Nov. 21, will have a profound effect on what companies will have to do to protect workers’ and customers’ sensitive data.
"I think the Dittman decision makes it clear that under Pennsylvania law companies that collect data now are expected to protect that data by undertaking reasonable security measures," said Joshua A. Mooney, an attorney who specializes in data security issues with the Philadelphia law firm of White and Williams LLP. Mooney said that the ruling "effectively waves goodbye to early dismissals of class-action data-breach lawsuits."
"I believe that the biggest impact for the case likely will be felt by small and midsized companies, who are less likely to have undertaken adequate cyber security measures than larger companies," he added in an email. "Insurance carriers who insure this market also may see this impact, as their policyholders get swept into litigation."
How it started
The case stems from an incident that led UPMC employees to file a class-action suit in June 2014, according to court records. The workers alleged that a data breach exposed the names, dates of birth, social security numbers, addresses, tax forms and bank account information of 62,000 UPMC workers and former employees. The stolen data was then used to file fake tax returns, which resulted in financial loss for some workers, court records also show.
The suit further alleged that UPMC, one of the state's largest health systems, was negligent by not taking reasonable care to protect the data.
When the case reached the courts, the lower courts determined that there were no generally accepted standards for protecting data and that employers should not have to pay significant costs for security when data breaches cannot be prevented, Mooney explained. Since the UPMC data breach, however, standards of care have emerged and companies are expected to take reasonable measures, which the Supreme Court confirmed, he added.
"Dittman reflects these changes in expectations and perceptions," Mooney said.
Devin Chwastyk, an attorney with the Harrisburg firm of McNees Wallace & Nurick and the chair of the firm's privacy and data security group, agreed that the long-awaited ruling is a game-changer for state businesses. He added that there are a number of data-breach cases pending in state courts.
"This really breathes new life into cases," he said.
Attorneys statewide will be examining the ruling to determine how it might apply to other situations, such as whether companies need to review how contracts are worded and how companies and entities outside of Pennsylvania might be affected. For example, a company that collects data on state residents but is located elsewhere might want to change or adapt to protect itself, he said.
"It’s not just Pennsylvania entities that need to be concerned about this," Chwastyk said.
Because the original case never reached trial, he added, the details of what security UPMC had in place at the time of the breach aren’t clear. UPMC might settle the case and those details might never be known. But the Supreme Court ruling shows that companies will be vulnerable to lawsuits if they do not take reasonable steps to protect sensitive data, he said.
UPMC did not respond to a request to be interviewed or to provide comments in writing.
Mooney said that the Supreme Court ruling is written in a way that goes beyond data on employees collected by an employer and can apply to other contexts, such as data collected on consumers.
"I also think that Dittman is a sign that the dots are starting to connect in terms of what is required across the U.S. of companies that collect data," Mooney wrote in an email. "Whether it’s the SEC or FTC, New York regulators, or whether you look at newly enacted privacy statutes like in California, Ohio or elsewhere, companies are being required to undertake reasonable, affirmative measures to protect data."
Within a week of the Supreme Court ruling, the Marriott hotel chain reported that cyber thieves had accessed its database, exposing 500 million reservations, making it one of the largest breaches ever.
"Alarm bells are ringing - or should be ringing - throughout America," Chwastyk said about the Marriott breach.
Jason McNew, founder and CEO of Stronghold Cyber Security in Adams County, said spectacular data breaches seem like a daily occurrence.
"Your eyes just glaze over when you see these," McNew said. "They are not a surprise anymore, even for me."
Steps to take
While companies can take a number of common-sense steps to protect themselves, McNew said, he is surprised to learn how often they aren't taken.
His company will perform audits to find security vulnerabilities but the companies need to commit to adopting formal cyber-security protocols. Unless forced to adopt protocols - such as federal rules regulating the release of sensitive medical information - a lot of companies will do the minimum, which often isn’t enough, he said.
"The onus is on these companies to voluntarily adopt plans so they don’t get sued," he said. McNew said that commitments need to be made at the top, but often company leaders will look at their IT departments as places to save money.
Most IT professionals are trained in cyber security and take it seriously, so they need support from management, he said. Cyber security is a specialty in the IT world, where additional training is needed beyond the basic IT roles, he added.
McNew said he isn’t optimistic about a long-term fix.
When it comes to identity theft, he said, there are two categories: "Either you have had your data stolen or it’s going to be stolen."
Social Security numbers were never intended to be a national ID but have become a central component to how people do everything from getting hired to seeking credit. Those numbers, however, are extremely vulnerable to theft and misuse, so until they are replaced, a large problem will exist, he said.
"We have a massive problem that is going to take a few decades to resolve," said the Air Force veteran who likes to speak in military analogies. "I am not optimistic it is going to get fixed anytime soon."
Among his advice: "Decrease your attack surface," he said, explaining that people and companies should look for ways to keep vulnerabilities to an absolute minimum. The rumor among IT professionals, he said, is that Russian intelligence agencies have gone back to using typewriters. While that isn’t feasible for modern businesses, he added, companies and people should consider whether they can simplify how their data is accessed.
Mooney put it this way: "Companies should heed Dittman. They should ensure that they comply with the standard of care with written records showing it. It’s not difficult to do. Companies should conduct annual risk assessments and amend/implement cyber security programs geared to protect the confidentiality, integrity, and availability of the data they collect."
"Preparing now does not have to be expensive, and it will be a lot less expensive than poor cyber practices that, one, lead to a breach, and, two, result in litigation and liability," Mooney added.