
Pennsylvania High Court Decision Regarding Data Breach Increases Litigation Risk for Companies Storing Personal Data

Time to Read: 4 minutes Practices: Data, Privacy & Cybersecurity


On November 21, 2018, the Supreme Court of Pennsylvania ruled in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center that an employer owes a duty to employees to use reasonable care to safeguard what the court described as the employee’s “sensitive” personal data when storing it on an internet-accessible computer system. As the first state Supreme Court decision formally recognizing such a duty, the decision could increase the risk for companies facing potential class action litigation arising out of a data breach. The court also held that a negligence claim based on the breach of this duty is not barred by Pennsylvania’s economic loss doctrine, a defense frequently asserted by defendants in such lawsuits.

On June 25, 2014, Dittman and several others filed suit against the University of Pittsburgh Medical Center and UPMC McKeesport (“UPMC”) on behalf of a class of employees. The employees alleged that a data breach had occurred whereby their personal and financial information was stolen from UPMC’s computer systems and used to file fraudulent tax returns. Asserting a negligence claim, among others, the employees contended that UPMC breached its duty to exercise reasonable care to implement security measures to safeguard the information against unauthorized access by third parties. The employees further contended that such a duty existed because UPMC required the employees to provide the information as a condition of their employment.

UPMC filed preliminary objections, claiming that the employees’ claim was barred by the economic loss doctrine, which disallows recovery for purely economic damages. The parties also filed supplemental briefs addressing the issue of duty. The trial court dismissed the employees’ negligence claim, finding that the relevant factors weighed against recognizing a common law duty to safeguard collected data, and that the claim was barred by the economic loss doctrine. On appeal, the Superior Court agreed with the trial court on both issues and affirmed the dismissal.

Dittman appealed to the Supreme Court of Pennsylvania, raising two questions of law: 1) whether an employer has a legal duty to use reasonable care to safeguard allegedly “sensitive” information of its employees when it chooses to store such information on an internet-accessible computer system, and 2) whether the economic loss doctrine permits recovery for purely pecuniary damages resulting from the breach of an independent legal duty arising under common law, instead of a contractual duty.

A majority of the court ruled on both issues in favor of the employees. On the first question, the court held that the employer had a duty to use reasonable care to safeguard its employees’ “sensitive” information against a potential data breach. The court reasoned that a duty arises when an actor’s affirmative conduct creates an unreasonable risk of harm to others, and that UPMC’s collection of data as a condition of employment and subsequent storage allegedly without adequate security precautions constituted affirmative conduct on its part. On the second question, the court determined that Pennsylvania’s economic loss doctrine did not bar the employees’ claim, because the employees established the breach of a common law duty independent of any contractual duties.

This decision could precipitate increased data breach class action litigation against companies that retain personal data. No state Supreme Court had previously recognized the existence of a negligence-based duty to safeguard personal information, other than in the narrow context of health care patient information. See, e.g., Byrne v. Avery Center for Obstetrics & Gyno., 175 A.3d 1, 572-73 (Conn. 2018) (recognizing duty under particular facts in context of disclosure of patient information, given the physician’s duty of confidentiality to patient). In general, state and federal courts handling data breach litigation across jurisdictions have been divided on the issue of duty. Compare, e.g., Cooney v. Chi. Pub. Sch., 943 N.E.2d 23, 28-29 (Ill. App. Ct. 2010) (no duty under Illinois law); with Hapka v. Carecentrix, Inc., No. 16-2372-CM, 2016 WL 7336407, at *5 (D. Kan. Dec. 19, 2016) (finding duty under Kansas law to exercise reasonable care to protect employee personal information where harm is foreseeable).

The Dittman court’s interpretation of Pennsylvania’s economic loss doctrine also manifests an expansive view of the range of recoverable damages for negligence claims. Previous state and federal court decisions in the data breach context have reached varying outcomes on this question depending on the contours of the economic loss doctrine in the states at issue. Compare, e.g., Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064, 1071 (C.D. Ill. 2016) (dismissing claim under economic loss doctrine under Illinois law), with Savidge v. Pharm-Save, Inc., NO. 3:17-CV-00186-TBR, 2017 WL 5986972, at *6 (W.D. Ky. Dec. 1, 2017) (Kentucky doctrine limited to product liability actions).

Businesses operating in Pennsylvania may wish to review their current data collection and protection policies in light of the Dittman decision. Businesses in other states should also be mindful of the increased risk of data breach litigation, because plaintiffs will seek to persuade courts in other states to follow the Pennsylvania Supreme Court’s decision. Whether those efforts will be successful, however, remains to be seen. Defendants may point out that the Dittman decision couched its holdings in terms of an employer’s duty to its employees where the employer collected the employees’ personal information as a condition of employment, potentially leaving open the question of whether and to what extent the duty also extends to other factual scenarios.

For more information regarding the Dittman decision, or to discuss cybersecurity practices generally, please feel free to contact a member of Ropes & Gray’s leading privacy & cybersecurity team.
