Pennsylvania Justices Rule That UPMC Must Protect Workers’ Personal Info

On November 21, 2018, in a putative class action over a data breach involving the personal information of tens of thousands of University of Pittsburgh Medical Center (UPMC) employees, the Pennsylvania Supreme Court ruled that employers in Pennsylvania have an affirmative legal duty to protect workers’ sensitive data from cyberattacks.

In an opinion written by Justice Max Baer on behalf of the court, the justices stated that UPMC’s collection of workers’ personal data as a condition of employment saddled the health care giant with the duty to take reasonable care to protect that information against the risk of potential cyberattacks. “Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach,” the opinion stated. “Thus, we agree with employees that, in collecting and storing employees’ data on its computer systems, UPMC owed employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”

The case involved claims filed in the Allegheny County Court of Common Pleas seeking damages after a data breach exposed the names, dates of birth, Social Security numbers, addresses, salaries, and bank and tax information of 62,000 UPMC employees. According to court records, the stolen information was then used to file fraudulent tax returns and steal tax refunds.

Both a trial judge and the state’s appellate court, however, agreed that the consequences of imposing an obligation on employers to safeguard the personal data of their workers would be too burdensome and that adequate incentives already existed without judicial intervention to get companies to put protections in place. The state supreme court reversed, holding that UPMC owed the workers a responsibility to protect their personal information.

Dittman et al. v. UPMC, case number 43 WAP 2017, before the Supreme Court of Pennsylvania.