At least in Pennsylvania, a court says the answer is no. Here are the details.
The University of Pennsylvania Medical Center was hacked and employees’ personal information was taken and used to file phony tax refunds. Information taken included names, socials, birth dates, addresses and salaries.
The Superior Court of Pennsylvania recently ruled that employees had no reasonable expectation that the data would be safe.
Really? You have to be kidding!
In the court’s defense, the court claims that Pennsylvania law does not require employers to protect employees’ personal data.
The court says that the workers turned over their data as a condition of employment, not for safekeeping, therefore no expectation of it being kept safe.
The court went on to say that businesses should not be required to spend the money to protect employees’ data since there is no guarantee that they won’t be hacked.
That seems sort of like saying that car makers shouldn’t have to spend money on making your car safe since it is not possible to guarantee that nothing will ever go wrong with your car.
The judge claimed that the benefit of storing this information electronically outweighed the downside that the data may be compromised.
This is good news for employers in Pennsylvania since, apparently, they don’t have to spend any money protecting employee records and bad news for employees since they apparently have no recourse if employers do not adequately protect their information.
The Superior Court is one of the appeals courts in Pennsylvania; it is unclear what recourse the employees might have to appeal this further.
It also only applies in Pennsylvania, so, maybe, the rest of the country may still be safe.
The challenge, of course, is that the law moves very slowly compared to the rest of the world. And for the rest of the world, that is a problem.
I don’t pretend to be a lawyer, even on the Internet, so this may be a perfectly legally reasonable decision. As a non-lawyer, this seems like an insane decision. These people were hurt. Since the hackers filed false tax returns, when the employees filed real returns later, those people won’t get their refunds or will have to spend time and money to get their refunds.
This court, in their decision, said, why should employers have to spend money to protect employees’ information, but they, apparently, are perfectly fine to force employees to spend money to deal with their employer’s lack of security. That doesn’t seem right to me.
The courts are basically saying that the Pennsylvania legislature needs to deal with the problem, not the courts, and I can understand that, but in the meantime, 60,000 employees are left with a mess not of their making, but of their cost to deal with.
Information for this post came from Network World.