Employer Did Not Owe Legal Duty to Protect Employees’ Hacked Personal and Financial Records

In Dittman v. UPMC, the plaintiffs brought a class action alleging UPMC was negligent in securing the data and breached an implied contract. A divided panel of the Pennsylvania Superior Court ruled that UPMC did not owe a legal duty to its current and former employees to protect their personal and financial information from hacking.

Improving Tribal Consultation and Tribal Involvement in Federal Infrastructure Decisions

Based on Tribes’ input, this Report articulates a set of principles that should inform agency practices in the realm of infrastructure. Among other things, this includes appropriate staffing, training, and resource allocations, as well as guidance as to how Tribal interests should be incorporated into agency decision-making processes in both formal and informal ways. These recommendations should help agencies fulfill their dual responsibilities of complying with applicable treaty and trust responsibilities and ensuring a smooth runway for infrastructure investments.

Three States Join Others to Expand Personal Information Definition to Include Usernames or Email Addresses

A key issue in determining whether notification is required following a data breach is whether “personal information” (PI) was acquired by an unauthorized person. US states vary significantly in defining what information qualifies as PI. As part of a recent trend, some data breach notification statutes have been expanding the definition of PI, including by adding usernames and email addresses.
