Pennsylvania High Court Decision Regarding Data Breach Increases Litigation Risk for Companies Storing Personal Data
On November 21, 2018, the Supreme Court of Pennsylvania ruled in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center that an employer owes a duty to employees to use reasonable care to safeguard what the court described as the employee’s “sensitive” personal data when storing it on an internet-accessible computer system. As the first state Supreme Court decision formally recognizing such a duty, the decision could increase the risk for companies facing potential class action litigation arising out of a data breach. The court also held that a negligence claim based on the breach of this duty is not barred by Pennsylvania’s economic loss doctrine, a defense frequently asserted by defendants in such lawsuits.
On June 25, 2014, Dittman and several others filed suit against the University of Pittsburgh Medical Center and UPMC McKeesport (“UPMC”) on behalf of a class of employees. The employees alleged that a data breach had occurred whereby their personal and financial information was stolen from UPMC’s computer systems and used to file fraudulent tax returns. Asserting a negligence claim, among others, the employees contended that UPMC breached its duty to exercise reasonable care to implement security measures to safeguard the information against unauthorized access by third parties. The employees further contended that such a duty existed because UPMC required the employees to provide the information as a condition of their employment.
UPMC filed preliminary objections, claiming that the employees’ claim was barred by the economic loss doctrine, which disallows recovery for purely economic damages. The parties also filed supplemental briefs addressing the issue of duty. The trial court dismissed the employees’ negligence claim, finding that the relevant factors weighed against recognizing a common law duty to safeguard the collected data, and that the claim was barred by the economic loss doctrine. On appeal, the Superior Court agreed with the trial court on both issues and sustained the dismissal.
Dittman appealed to the Supreme Court of Pennsylvania, raising two questions of law:
1) whether an employer has a legal duty to use reasonable care to safeguard allegedly “sensitive” information of its employees when it chooses to store such information on an internet-accessible computer system, and 2) whether the economic loss doctrine permits recovery for purely pecuniary damages resulting from the breach of an independent legal duty arising under common law, instead of a contractual duty.
A majority of the court ruled on both issues in favor of the employees. On the first question, the court held that the employer had a duty to use reasonable care to safeguard its employees’ “sensitive” information against a potential data breach. The court reasoned that a duty arises when an actor’s affirmative conduct creates an unreasonable risk of harm to others, and that UPMC’s collection of data as a condition of employment and subsequent storage allegedly without adequate security precautions constituted affirmative conduct on its part. On the second question, the court determined that Pennsylvania’s economic loss doctrine did not bar the employees’ claim, because the employees established the breach of a common law duty independent of any contractual duties.
This decision could precipitate increased data breach class action litigation against companies that retain personal data. No state Supreme Court had previously recognized the existence of a negligence-based duty to safeguard personal information, other than in the narrow context of health care patient information. See, e.g., Byrne v. Avery Center for Obstetrics & Gyno., 175 A.3d 1, 572-73 (Conn. 2018) (recognizing duty under particular facts in context of disclosure of patient information, given the physician’s duty of confidentiality to patient). In general, state and federal courts handling data breach litigation across jurisdictions have been divided on the issue of duty. Compare, e.g., Cooney v. Chi. Pub. Sch., 943 N.E.2d 23, 28-29 (Ill. App. Ct. 2010) (no duty under Illinois law); with Hapka v. Carecentrix, Inc., No. 16-2372-CM, 2016 WL 7336407, at *5 (D. Kan. Dec. 19, 2016) (finding duty under Kansas law to exercise reasonable care to protect employee personal information where harm is foreseeable).
The Dittman court’s interpretation of Pennsylvania’s economic loss doctrine also manifests an expansive view of the range of recoverable damages for negligence claims. Previous state and federal court decisions in the data breach context have reached varying outcomes on this question depending on the contours of the economic loss doctrine in the states at issue. Compare, e.g., Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064, 1071 (C.D. Ill. 2016) (dismissing claim under economic loss doctrine under Illinois law), with Savidge v. Pharm-Save, Inc., NO. 3:17-CV-00186-TBR, 2017 WL 5986972, at *6 (W.D. Ky. Dec. 1, 2017) (Kentucky doctrine limited to product liability actions).
Businesses operating in Pennsylvania may wish to review their current data collection and protection policies in light of the Dittman decision. Businesses in other states should also be mindful of the increased risk of data breach litigation, because plaintiffs will seek to persuade courts in other states to follow the Pennsylvania Supreme Court’s decision. Whether those efforts will be successful, however, remains to be seen. Defendants may point out that the Dittman decision couched its holdings in terms of an employer’s duty to its employees where the employer collected the employees’ personal information as a condition of employment, potentially leaving open the question of whether and to what extent the duty also extends to other factual scenarios.
For more information regarding the Dittman decision, or to discuss cybersecurity practices generally, please feel free to contact a member of Ropes & Gray’s leading privacy & cybersecurity team.