PA Supreme Court: Businesses Have Duty to Safeguard Sensitive Employee Information
The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees' personal information stored on an internet-accessible computer. The court further held that Pennsylvania's economic loss doctrine permits recovery for "purely pecuniary damages" on a negligence claim premised on a breach of such a duty.
This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania, as negligence is now a viable cause of action for inadequate data security under Pennsylvania law.
Dittman v. UPMC arose from a 2014 data breach of the University of Pittsburgh Medical Center's (UPMC) network, which resulted in the theft of sensitive personal information for 62,000 employees—including Social Security numbers, birthdates, confidential tax information, addresses, salaries, and bank account information. UPMC employees filed a putative class action asserting negligence, invasion of privacy, and breach of implied contract claims. The plaintiffs alleged that UPMC breached a common law duty of reasonable care to secure their personal information, which they provided as a condition of their employment. The plaintiffs sought damages for economic losses associated with the filing of fraudulent tax returns in their names, as well as "increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse."
In 2015, the Allegheny County Court of Common Pleas dismissed the plaintiffs' claims. As to the negligence claim, the trial court held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers and that Pennsylvania courts should not create "a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions." Doing so, the trial court noted, could result in "hundreds of thousands of lawsuits" without a clear standard of reasonable care in data security. The trial court also held that the economic loss doctrine precluded negligence claims where the plaintiffs did not allege bodily injury or property damage. The Superior Court affirmed the dismissal on direct appeal.
The Supreme Court of Pennsylvania unanimously reversed the lower court rulings and remanded the action for further proceedings. The court rejected the notion that it was creating a "new affirmative duty" under common law, and instead held that it was applying the "existing duty to a novel factual scenario." The plaintiffs alleged that—as a condition of employment at UPMC—they were required to provide certain financial and personal information. They further alleged that UPMC collected and stored that information on its internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls, or adequate authentication protocols.
The court held that where an employer's affirmative collection of employee personal information creates a foreseeable risk of a data breach (even by cybercriminals), the employer has a duty of reasonable care to secure its employees' personal information "against an unreasonable risk of harm arising out of [the employer's data collection practices]." UPMC should have realized, the court concluded, that "a cybercriminal might take advantage of the vulnerabilities in UPMC's computer system and steal [its employees'] information; thus, the data breach was 'within the scope of the risk created by' UPMC." As to the 'duty' element of the negligence claim, "the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees'] personal and financial information from that breach."
The court also held that Pennsylvania's version of the economic loss doctrine does not preclude all negligence claims seeking "purely economic damages." Rather, "if a duty arises independently of any contractual duty between parties," economic damages flowing from a breach of that duty are recoverable under a negligence claim. Here, the duty to reasonably secure employee personal data arises under negligence law. Accordingly, "the economic loss doctrine does not bar the employees' claim."
Because the court's recognition of a legal duty to protect data is tied to the very act of collecting and storing such data, this new legal principle is unlikely to be limited to the employment context. Any entity that collects and stores the sensitive information of any person likely will be subject to a duty to exercise reasonable care to safeguard it against the foreseeable risk of a data breach—even one committed by hackers.
Moreover, the economic loss doctrine will not bar negligence claims for inadequate cybersecurity resulting in "purely economic damages." Under the Pennsylvania Supreme Court's rationale, a common law duty to protect personal information seemingly will arise in every case in which an entity collects and stores such data. Because there always will be a cybersecurity duty independent of a contractual relationship in such cases, it is difficult to see how the economic loss doctrine survives at all in this context.
With the possible exception of standing challenges, defendants are unlikely to win early dismissal of negligence claims premised on allegations of data breaches resulting from inadequate cybersecurity. As a result, we will likely see a spike in data breach-related claims brought in Pennsylvania courts and under Pennsylvania negligence law.
Entities that operate in Pennsylvania or collect personal information about Pennsylvania residents should evaluate their current cybersecurity policies and procedures to ensure that they are taking "reasonable" measures to protect personal information from unauthorized access or acquisition. Entities also must be prepared to respond to data breaches with an eye toward limiting liability in litigation that increasingly is likely to follow.
Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of more than 50 lawyers across the country includes investigators and advocates with deep experience with cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.
Copyright © 2018 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.