Although data breaches are often discussed in the context of the impact on consumers, it is equally important to consider the employer-employee relationship. After all, many employers gather and store a significant amount of data regarding their employees and independent contractors. So what legal obligations, if any, must an employer meet when handling confidential or otherwise sensitive employee information?
Spade v. United States: Prison Guard Sues Over Release of Personnel Files to Inmates
The Philadelphia-based U.S. Third Circuit Court of Appeals recently addressed a case that raises further complications by looking at the potential application of state and federal data privacy laws to a public employee. In this case, Spade v. United States, the plaintiff was a correctional officer at a prison owned by the federal government. According to the plaintiff’s lawsuit, the government improperly provided an unredacted copy of his personnel file to an inmate who filed a Freedom of Information Act (FOIA) request. FOIA exempts from public release any “information that, if disclosed, would invade another individual’s personal privacy.” This typically includes personnel and medical records of federal employees.
Here, the plaintiff said the release of his unredacted personnel file led several inmates at the prison to make threats against him and his family.
The plaintiff brought his lawsuit under the Federal Tort Claims Act (FTCA). The FTCA is a congressional statute that waives the federal government’s normal “sovereign immunity” from being sued in court. This waiver basically allows anyone to sue the government under state law for the negligent acts of one of its employees in the same manner as a private business. But this also means that the government’s liability can be greater than that of a “similarly situated private party.”
For this reason, a federal judge in Pennsylvania dismissed the plaintiff’s FTCA claims, noting that no Pennsylvania state law imposed liability on a private employer for the “negligent handling or disclosure of personal information” regarding an employee. The plaintiff then appealed this ruling to the Third Circuit.
The Dittman Ruling
While the plaintiff’s appeal in Spade was pending, the Pennsylvania Supreme Court issued a decision in an unrelated case, Dittman v. UPMC, in which a group of employees at a state-owned hospital filed suit after a data breach exposed the “names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 [hospital] employees and former employees.”
Similar to the plaintiff in Spade, the Dittman employees asserted the hospital’s failure to prevent the data breach constituted negligence under Pennsylvania law. The Supreme Court agreed with the employees that an employer has a common-law duty in Pennsylvania “to exercise reasonable care in collecting and storing their personal and financial information on its computer systems.” Furthermore, this duty “exists independently from any contractual obligations between the parties.” This is important, because it means the employees do not need to prove they sustained any direct “economic loss” as a result of the data breach; they only need to show the employer was negligent in handling their personal information.
Does Dittman Apply? Or Is This a Workers’ Compensation Case?
Going back to the Spade lawsuit, the Third Circuit asked the plaintiff and the federal government to address the potential impact of Dittman. In response, the government asked the appeals court to remand (or return) the case to the trial judge to deal with a separate issue–the potential application of another federal statute, the Federal Employees’ Compensation Act.
FECA is the federal equivalent of workers’ compensation law. It is designed to provide an “exclusive remedy” for any federal employee who sustains a “personal injury” while performing any work-related duties. Here, the government pointed to some prior decisions by the U.S. Department of Labor that suggested “releasing an employee’s  personnel file to a nongovernmental organization” could be considered a personal injury covered by FECA.
Given all this, the Third Circuit said the Department of Labor would have to make a determination as to whether or not the plaintiff’s alleged injuries are covered by FECA. If so, that preempts his FTCA lawsuit. But if the Department ultimately decides FECA does not apply, than the trial judge will have to reconsider his earlier decision to dismiss the case in light of the Pennsylvania Supreme Court’s Dittman ruling.