Because there is no reason to limit security protections to employee personal information, it is only a matter of time before this decision is applied to all sensitive personal information collected by a business, including customer personal information.
On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.
This decision has widespread implications for all businesses. Pennsylvania employers now have a legal duty to provide reasonable security for sensitive personal information. Because there is no reason to limit security protections to employee personal information, it is only a matter of time before this decision is applied to all sensitive personal information collected by a business, including customer personal information.
Obligations to provide reasonable security protections for personal information already exists in a number of other contexts. Businesses in regulated industries have an obligation to secure certain personal information, and a number of states (not including Pennsylvania) require businesses to provide reasonable security measures to protect the personal information of its citizens. The FTC has also been active in bringing enforcement actions against organizations that fail to maintain appropriate security for sensitive consumer information.
This decision makes clear that it is incumbent on all businesses to adopt a security program that adequately protects the personal information it collects, stores and maintains. The risks of not having an appropriate security program are major and can be fatal to a business.
The decision may also open the floodgates to tort litigation by creating a broad exception to the economic loss doctrine. Before, defendants had a powerful defense that could prevent a plaintiff from alleging money damages if they could not establish a physical harm. Now, if a plaintiff alleges a breach of a common-law duty that is independent from a contractual duty, that lawsuit may move forward despite the fact that alleged injury is purely financial.
Factual and Legal Background
In 2014, UPMC announced that it suffered a data breach of its computer system, resulting in the theft of sensitive personal and financial information of 62,000 UPMC employees and former employees. Employees alleged that information UPMC required employees to provide as a condition of employment was then used to file fraudulent tax returns, resulting in actual damages.
A group of employees filed a class action suit against UPMC in June 2014, alleging negligence and breach of an implied contract. In 2015, the trial court judge granted UPMC’s preliminary objections to the complaint and dismissed both counts. The trial court rejected the idea that there should be a new affirmative duty to protect sensitive information. With regard to data breaches, it noted that the Pennsylvania Legislature only established a duty to provide notice of a data breach and it was not for the courts to alter the Legislature’s decision. The trial court ultimately held that the economic loss rule barred the negligence claim.
The employees appealed the decision to the Superior Court. In 2017, the Superior Court affirmed the trial court’s decision by 2-1. The employees then appealed the case to the Pennsylvania Supreme Court.
The Supreme Court’s Ruling
All six of the Pennsylvania Supreme Court justices hearing the case (Justice Donohue did not participate) agreed that the case should not have been dismissed at the preliminary stage, though there was a 4-2 split as to the basis for such decision.
In the majority opinion, written by Justice Baer, the Court issued two holdings: (1) “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system” and (2) “under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”
In determining that employers have a legal duty to reasonably protect employee data, the Court found that UPMC created the risk of the data breach through affirmative conduct. The plaintiffs alleged that UPMC required employees to provide certain personal and financial information as a condition of employment. UPMC then stored that data on an internet-accessible computer system without “adequate safety measures.” The Court specifically noted the allegation that UPMC failed to provide “proper encryption, adequate firewalls, and an adequate authentication protocol.” Such actions represent affirmative conduct that created a risk of data breach.
UPMC argued that it cannot be held liable for third party criminal conduct that could conceivably occur. The Court dismissed such arguments finding that the possibility of cybercriminals taking advantage of vulnerabilities in the system was within the scope of risk created by UPMC.
Finally, the Court held that the economic loss doctrine did not apply to the circumstances of this case. It is here that the two other judges disagreed with the majority. To date, there have been only a few narrow exceptions to the economic loss rule. The majority’s holding broadened the scope of these exceptions to include negligence claims where a plaintiff can establish the breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract. This means that plaintiffs have a new avenue to file tort claims, where previously such claims would have been dismissed. The Court remanded the case for further proceedings consistent with its opinion.
About Duane Morris
Duane Morris attorneys are experienced in data privacy, cybersecurity and employment law and can help companies navigate the myriad of relevant laws that face companies in today’s digital world.
For More Information
If you have any questions about this Alert, please contact Sandra A. Jeskie, Caroline M. Austin, Elizabeth Mincer, any of the attorneys in our Privacy and Data Protection Group, attorneys in our Employment, Labor, Benefits and Immigration Practice Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.