CYBER RISK CLIENT ALERT: Will This Become a National Trend? Pennsylvania Supreme Court Rules That Employers Have a Legal Duty to Protect Employees' Electronic Data

by

Recently, the Pennsylvania Supreme Court, in Dittman v. UPMC, ruled that employers have a have a legal duty to exercise reasonable care to safeguard employees’ electronically stored personal information.  The dispute in Dittman arose after a data breach at the University of Pittsburgh Medical Center (“UPMC”) impacted 62,000 employees.  Hackers accessed UPMC’s computer system, and stole employees’ personal and financial information including birth dates, social security numbers, tax forms, addresses and bank account information.  

According to the lawsuit, UPMC employees were required to provide the personal and financial information as a condition of their employment.  The plaintiff-employees alleged that they were damaged when the stolen information was used to generate fraudulent tax returns.  Further, the employees contended that UPMC undertook a duty of care to ensure the security of their personal information and that UPMC failed to adopt, implement and maintain adequate security measures.  More specifically, the lawsuit alleged that UPMC failed to monitor the security of its network, failed to properly encrypt data, failed to implement an adequate authentication protocol to protect the employees’ information, and failed to establish adequate firewalls to protect against a server intrusion.    

The trial court dismissed the lawsuit, explaining that the economic loss doctrine barred plaintiffs’ claims, and because the trial court was unwilling to impose a new affirmative duty of care that would permit, in data breach cases, the recovery of damages recognized in common law tort actions.  Significantly, the trial court acknowledged the frequent and widespread nature of data breaches, and opined that the creation of a private negligence cause of action to recover damages resulting from data breaches would overwhelm the court system and require businesses to invest substantial resources defending such actions.  The trial court further noted that the Pennsylvania Legislature was aware of, and considered, the issues raised by the employees as evidenced by the Pennsylvania Breach of Personal Information Notification Act (“Date Breach Act”), which only imposes a duty on entities to provide notice of a data breach.  Consequently, the trial court determined that the issue was one of public policy, for determination by the legislature and not the courts.

The appellate court upheld the dismissal of the employees’ lawsuit.  While the appellate court noted the general risk associated with the electronic storage of information and the resulting harm are generally foreseeable, the appellate court held that a defendant does not have a duty to guard against the commission of a crime by a third party, unless the defendant realized, or should have realized, the likelihood of such an occurrence.  The appellate court affirmed the trial court’s determination that UPMC did not owe a duty to its employees under Pennsylvania law. 

The Supreme Court of Pennsylvania reversed, holding that UPMC owed a legal duty to its employees to exercise reasonable care in collecting and storing their personal and financial information.  The Supreme Court concluded that the plaintiff-employees sought to apply an existing legal duty, and rejected UPMC’s contention that plaintiffs were asking the court to create and recognize a new legal duty.  More specifically, the Supreme Court stated that the defendants owed a duty “to exercise the care of a reasonable man to protect [plaintiffs] against an unreasonable risk of harm. . . .”     

The Pennsylvania Supreme Court agreed with UPMC’s position that ordinarily there is no duty to protect against the risk of third-party criminal conduct.  Nonetheless, the Supreme Court noted that UPMC’s affirmative conduct in requiring that its employees provide the information that was stored on UPMC’s computer systems without adequate security measures constituted affirmative conduct that justified the imposition of a legal duty.  Accordingly, the criminal acts of third parties in executing the data breach did not alleviate UPMC’s duty to protect its employees’ information. 

The Pennsylvania Supreme Court also rejected UPMC’s contention that the economic loss doctrine bars all negligence claims that seek only economic damages.  The Supreme Court noted that a tort action for the alleged breach of a duty is not viable if that the duty arises under a contract.  However, in Dittman, the employees asserted that UPMC’s duty arose under the common law, and was not based on any contractual obligation between the parties.  Therefore, the economic loss doctrine did not bar the employees’ claim. 

An organization that ignores or minimizes the risk of a cyber-attack does so at its own peril.  Clearly, Dittman is a significant ruling and will, no doubt, open the flood gates of litigation in Pennsylvania.  The Dittman case will almost certainly encourage similar litigation, nationwide.  Dittman, and the inevitable lawsuits that will follow, reinforce the importance of cyber-resilience, and organizations of all shapes and sizes must take reasonable steps to implement and maintain appropriate safeguards for electronic data.

Segal McCambridge Singer & Mahoney acknowledges and gives thanks to former associate John Borelli, for his contributions to this article.

Get Updates By Email

Blog Contributors