The Pennsylvania Supreme Court enlivened the Thanksgiving holidays of privacy lawyers in 2018 with its decision in Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), which held that an employer has a legal duty to exercise reasonable care to safeguard employees’ personal information (at least when such information is “stored by the employer on an internet-accessible computer system”).

While the scope of the decision technically was confined to the employer-employee relationship, the court’s reasoning implies that such a duty of reasonable care may arise in any scenario where one party engages in the collection of personal information, such as Social Security or financial account numbers, from another party, and the first party fails to implement adequate security measures to protect that information from a data breach. The common law duty recognized by the court does not seem bound exclusively to the employment context, and so the decision would seem equally applicable in any context, including that of any business and its customers. Indeed, as noted below, the Dittman decision has been cited in recent litigation arising out of merchant data breaches.