January 3, 2019

Pennsylvania High Court Expands Data Breach Liability

by Andrew M. Baer and Denisse Garcia

A recent Supreme Court of Pennsylvania ruling, Dittman v. UPMC, 2018 Pa. LEXIS 6051 (2018), has created a common-law duty for employers to use reasonable care in safeguarding their employees’ sensitive personal information, a landmark decision that could have unexpected far-reaching consequences and has the potential to force companies around the country to rethink their approach to data privacy and security.

In 2014, over 62,000 employees and former employees of the University of Pittsburgh Medical Center (“UPMC”) filed a class action complaint alleging that a data breach in UPMC’s computer system had exposed their personal and financial information (including names, birth dates, social security numbers, addresses, tax forms, salaries, and bank accounts), which was stolen by hackers and used to file fraudulent tax returns and steal tax refunds from certain employees.  The complaint’s negligence claim alleged that UPMC had a duty to exercise reasonable care to protect and secure this information, which, in light of the special relationship between plaintiffs and UPMC, included, among other things, a duty for UPMC to design, maintain, and test its security systems in order to ensure that its employees’ highly sensitive, confidential, and personal information was secure, as well as a duty to implement processes that would detect a breach in a timely manner.  The plaintiffs further alleged that UPMC breached this duty by failing to implement data security measures that were adequate to actually protect its employees’ information, by failing to monitor the security of its network, and by failing to recognize in a timely manner that a breach had occurred.  The complaint’s additional breach of implied contract claim, on the other hand, alleged that the relationship between UPMC and its employees was governed by an implied contract under which UPMC’s employees had agreed to provide UPMC their personal information, and UPMC had agreed to protect that information.  The plaintiffs alleged that, by failing to protect their information, UPMC had violated the implied contract.

The Court of Common Pleas of Allegheny County sustained UPMC’s preliminary objections, which argued that, under the economic loss doctrine, no cause of action for negligence existed due to the lack of physical injury or property damage sustained by UPMC’s employees.  In siding with UPMC, the court agreed that no cause of action existed under the economic loss doctrine, but it also refused to impose a new affirmative duty of care allowing for recovery of common law negligence damages in actions for data breaches.  The court’s reasoning was primarily guided by its concern over the consequences that imposing a new duty of care on entities that electronically store confidential information would have, as well as the public interest in doing so.  It ultimately found that the public interest would not be furthered by the creation of a private negligence cause of action to recover actual damages in the event of a data breach, and that because the Pennsylvania legislature has already considered this option but decided against it, it would not be up to the courts to do so.  Finally, the court also sustained UPMC’s preliminary objections on the breach of contract claim, finding that the plaintiffs did not allege enough facts to support a finding that an agreement existed between UPMC and its employees under which UPMC agreed to be liable for criminal acts of third parties, since UPMC had only asked its employees for their confidential information in order for it to be able to pay them and to comply with governmental reporting requirements.

Following the employees’ appeal, the Superior Court of Pennsylvania affirmed the trial court’s decision. The court reasoned that the employer-employee relationship between the parties warranted the imposition of a duty of care on UPMC, but that the generalized potential risk of a data breach did not outweigh the social utility of maintaining electronically stored confidential information, that no judicially-created duty of care is needed to further incentivize companies to protect their data, and that the public interest would not be served by creating a new legal duty that would expend judicial resources.  The court also agreed with the trial court that the plaintiffs did not allege sufficient facts to prove that UPMC intended to enter into a contract to protect its employees’ information, and that no consideration was given for the alleged implied contract.

Ultimately, Pennsylvania’s highest court reversed the lower courts’ decisions, remanded for further proceedings, and held that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information which it stores on an internet-accessible computer system. Unlike the lower courts, the Pennsylvania Supreme Court did not decide this appeal based on whether a new, affirmative duty should be imposed on employers, but rather based on whether a longstanding, pre-existing duty should apply in this novel factual scenario. The court observed that UPMC’s affirmative conduct (requiring its employees to provide their confidential information and storing it on its internet-accessible system without adequate security measures) created the risk of a data breach, and therefore UPMC owed its employees a common-law duty to exercise reasonable care to protect them against the unreasonable risk of harm it had created.  Because UPMC allegedly had not encrypted its data properly, nor had it established adequate firewalls or implemented an adequate authentication protocol to protect its employees’ data, the risk of a data breach was within the scope of the risk it created, and the presence of a third-party criminal act did not eliminate its duty to protect the data it required its employees to disclose.

The Supreme Court’s decision has the potential to alter cybersecurity litigation and data privacy best practices not only in Pennsylvania, but everywhere across the country:  the court’s opinion has no language limiting its applicability to the employment context, nor did the court ground its holding on the existence of an employment relationship.  Given that data breaches occur daily around the world, the possibility of a third party infiltrating an internet-accessible computer system is now a foreseeable risk associated with storing any kind of data. Therefore, arguably any entity collecting confidential or sensitive personal information from Pennsylvania residents (especially those doing so in the context of an employer-employee relationship, but also potentially including website operators and mobile app developers who collect the personal information of their customers and users) is now under a common-law duty to use reasonable care to protect it.

Although it is yet to be determined which security measures courts will consider “reasonable” to protect information against a data breach (presumably widely recognized industry standards such as the ISO 27001/2 standards in addition to well-known regulatory guidelines and directives such as the FTC’s staff reports and enforcement proceedings over the last decade would be taken into account), entities using weak measures are exposed to common-law tort claims in the event of a data breach, including the possibility of punitive damages where security measures are found to be especially deficient in light of known or reasonably knowable risks.  This development represents a significant expansion in the potential liability faced by companies beyond the framework of federal-state statutory and regulatory liability that currently exists in the United States and is certain to tempt plaintiffs’ lawyers.  If they are not already doing so, companies should periodically review and update their information security programs in light of the changing threat environment and should be sure not to overlook risks associated with data being held by third-party service providers.  While these have long been considered best practices and are already required under certain regulatory frameworks (such as those governing financial services companies), the possibility that other states may follow Pennsylvania’s lead makes the need for additional attention particularly urgent.