While most Americans prepared for the Thanksgiving holiday, the Pennsylvania Supreme Court issued an opinion that establishes new precedent in the ever-developing area of cybersecurity law, and also limits a longstanding tort doctrine that had previously barred a large subset of negligence claims where the plaintiff claimed only economic loss (not bodily injury or property damage).  As a result of this decision, Pennsylvania businesses and employers face increased exposure to liability.

The case, Dittman v. UPMC, arose after UPMC experienced a data breach where employee data was compromised and then used to file fraudulent tax returns.  After suffering financial loss as a result of the breach, UPMC employees sued UPMC for negligence, alleging that UPMC owed its employees a duty of reasonable care to protect their electronically stored information, and that UPMC breached that duty. The Court held that an employer who collects and stores employee information on its internet-accessible computer system has a common law duty to protect that data from any foreseeable risk of harm. The Court also held that the employees’ claims of economic loss were not barred by the longstanding economic loss doctrine, which generally prevents a party from recovering solely economic damages under a negligence theory of liability.  The Court provided much needed clarification on the doctrine’s scope, stating that it does not preclude all negligence claims where the loss is solely financial, but does bar solely financial claims where the duty arises from a contract between the parties.  Because the plaintiffs in Dittman alleged breach of a common law duty separate, apart, and independent from any contractual duty, the economic loss doctrine did not bar UPMC employees’ claims.

The Dittman ruling is significant for two major reasons.

1. It Establishes a Common Law Duty to Protect Personal Information. Before Dittman, it was very difficult for a data breach victim to recover due to the difficulty of tracking down the ultimate wrongdoer and a lack of precedent allowing recovery from those who collected and stored the compromised personal information.  By establishing a duty of reasonable care for employers who collect and store their employees’ personal and financial information on internet-accessible computer systems, the Pennsylvania Supreme Court created a clear method of recovery for employee data breach victims.  While the Court only imposed this duty on employers who collect and store employee information on internet-accessible computer systems, it is likely that the Court’s reasoning will be extended to other contexts where one party collects and stores another’s information, such as the business-consumer context or the university-student context.

Companies with employees in Pennsylvania should take immediate action to evaluate existing data security measures or impose data security measures if none are in place.  Since data breach victims will likely attempt to extend Dittman to other contexts, any business or entity that collects and stores data of Pennsylvania residents should evaluate their data security measures in order to avoid liability.

2. It Is Much Easier for Plaintiffs to Bring Negligence Claims Seeking Solely Economic Damages. Before Dittman, defendants relied on the economic loss doctrine to quickly dispose of negligence claims seeking solely economic damages (as opposed to physical injury or property damage).  Now, negligence actions seeking solely economic damages cannot be dismissed as quickly or easily.  Instead, defendants will be tasked with proving that the plaintiff alleges a breach of a purely contractual duty, not a duty separate and apart from any contractual relationship.  By clarifying and limiting the economic loss doctrine in this way, the Court has opened the door to increased litigation and slower resolution of negligence claims seeking only economic damages.

As recognized by the trial court, the Supreme Court’s decision is certain to spark increased litigation. Indeed, in dismissing UPMC employees’ claims, the trial court noted that the creation of a private cause of action for victims of data breaches would likely trigger the filing of hundreds of thousands of lawsuits each year and overwhelm Pennsylvania’s judicial system.  Interestingly, in overturning the trial court’s decision and reviving UPMC employees’ claims, the PA Supreme Court did not address the impact of its decision.