PICPA  >  CPA Now
CPA Now
Mar 08, 2019

Safeguarding Clients’ Personal Data: Are You Meeting Your Legal Duty?

Carianne TorrissiBy Carianne P. Torrissi, Esq.


On Nov. 21, 2018, the Pennsylvania Supreme Court issued an opinion in the Dittman v. UPMC case, holding that employers have a legal duty to exercise reasonable care in safeguarding their employees’ sensitive personal information stored by the employers on internet-accessible computer systems. (See more here.)

Secure lock on electronic dataThis decision has an immediate impact on employers in Pennsylvania, but it will also likely extend beyond the employer/employee context and affect any entity that stores or collects the personal data of Pennsylvania citizens, including CPA firms. Specifically, as the state Supreme Court imposed a common law duty of care in Dittman, plaintiffs in security breach claims may attempt to extend this decision to argue that any entity that stores the same type of personal data as the employee data is required to exercise that same level of reasonable care when collecting or storing that data. If the court is willing to extend the Dittman decision outside of the employer/employee context, any entity collecting and storing personal information of Pennsylvania citizens may be liable for the breach or theft of such data, even if the breach or theft is caused by a third party’s wrongful conduct. CPAs frequently collect and store the personal information of their clients, so they will likely fall within the category of parties that have a legal duty to exercise reasonable care in safeguarding that information and protecting it from breach or theft by third parties.

CPA firms in Pennsylvania should start taking action now to ensure that they are taking reasonable measures to protect their clients’ personal information. This includes reviewing their current data security policies and procedures, and making any necessary updates to protect clients’ personal information from unauthorized access or acquisition. Finally, if they do not already have one in place, CPA firms should prepare a protocol for immediate and proper response to any data breach or theft that may occur in the future.


Carianne P. Torrissi, Esq., is a partner in the law firm Goldberg Segalla in Philadelphia. She focuses her practice on employment and labor dispute defense.




Leave a comment

Follow @PaCPAs on Twitter