Pennsylvania’s highest court recently issued a major decision that impacts employers and their storage of sensitive employee information in two important ways. First, the court imposed a new duty on employers to use reasonable care in safeguarding sensitive employee personal information stored on its systems. Second, if an employer breaches that duty and the information is hacked, the employees can recover monetary damages. In other words, an employer now has a legal duty to take reasonable steps to protect its employees’ information from a cyber-attack and if its breach of that duty leads to data being stolen, it is liable. The case is Dittman v. UPMC, Case No. 43-WAP-2017, 2018 WL 6072199 (Pa. 2018).
Background to the Case
In the underlying case, a class action of employees sued their employer, the University of Pittsburgh Medical Center, after a 2014 data breach resulted in the exposure of personal and confidential information such as names, addresses, tax forms, bank accounts, birth dates, and social security numbers for 62,000 employees. Hackers stole the information from UPMC’s computer systems. Employees had been required to submit the information that was stolen as a condition of employment. The stolen data was used to file fraudulent tax returns, causing actual monetary damages to some of the affected employees.
Under a theory of negligence, the employees asserted that UPMC failed to exercise reasonable care in implementing industry standard safeguards to protect the sensitive information from cyber-attacks on its systems. The trial court ruled in favor of UPMC, finding that UPMC owed no affirmative duty of care to its employees in its storage of the employee data. The court also cited existing law that there can be no liability for negligence if the damages are only economic and not physical. The intermediate court affirmed the trial court’s decision.
The Court’s Reasoning
On November 21, 2018, the Supreme Court of Pennsylvania reversed and held in favor of the employees, holding that UPMC did have a duty to use reasonable care to protect its employees’ data. The court, weary of being perceived as creating new affirmative obligations, stated that it was only applying an "existing duty to a novel factual scenario." Under traditional negligence theory, an actor has no affirmative obligation to prevent a risk that he does not create, so UPMC argued that it had no affirmative duty to protect the data because it did not create the risk.
The court responded that UPMC undertook an affirmative action by collecting and storing the employee data as a condition of obtaining employment, and so at that point, UPMC then had an obligation to use reasonable care to protect the data. That a cyber-criminal might exploit these vulnerabilities should have been foreseeable to UPMC, according to the court.
After establishing that UPMC owed a duty of care and breached that duty, the court then found that the doctrine of economic loss did not prohibit the employees from recovering pecuniary damages. Generally speaking, the economic loss doctrine stands for the proposition that absent a physical injury, a defendant cannot be liable in negligence if the plaintiff sustains purely economic losses. UPMC argued that this doctrine barred the employees from recovering any damages for its negligence because they sustained no physical injuries, just monetary damages. The trial and intermediate court agreed that the doctrine barred recovery.
The high court again disagreed with the lower courts, holding that the economic loss doctrine did not apply to cases like this one where the legal duty existed through common law, independent of a contractual duty. Put another way, because the employees were able to establish that the their employer owed them a duty of care outside of their employment contract, state law permitted them to pursue economic damages.
Because the Supreme Court reversed the holdings of the trial court, the case has now been sent back to the trial court for a determination on whether UPMC breached its duty of care, and if so, what the damages would be.
Employer Takeaway
The Dittman case is significant and employers should take note of the new duty of "reasonable care" that the holding imposes on them as well as the uptick in litigation this case will cause.
When employers collect and store employee personal information as a condition of employment, they now must exercise "reasonable care" to protect that information because they owe a duty of care to their employees. The court did not opine on what standards constitute "reasonable care" but the plaintiffs argued that UPMC should have taken steps such as proper encryption, firewalls, and authentication protocols. As an important distinction, this case does not require employers to take steps to prevent all cyber-attacks, but instead, just requires steps that are "reasonable." Employers should consult with external data security experts for assistance and/or auditing of their systems.
As to economic damages, out-of-state employers should know that state law application of the economic loss doctrine varies by state, so the conclusion reached by the Pennsylvania court may not align with the case law of other states.
The Dittman case is likely to lead to an increase in class actions following data breaches at companies. Pennsylvania employers should be prepared to effectively respond to data breaches and prepare for the liability that may follow. Employers should consider the costs of implementing adequate technological safeguards or purchasing insurance against the costs of negligence liability like that faced by UPMC.
