Pennsylvania Supreme Court Holds Employers Have Duty to Protect Employee Data from Cyberattacks

White and Williams LLP

As much of the country’s workforce traveled on Wednesday for the Thanksgiving holiday, the Supreme Court of Pennsylvania issued a decision that some may view as a turkey: under Pennsylvania law, employers have an independent duty to protect employee data from cyberattacks. Specifically, in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), the court held that:

  • An employer has “a legal duty to exercise reasonable care to safeguard” employee personal data stored on internet-accessible computer systems.
  • Under the economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory “provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”

Translation: given that the court now recognizes a common law duty for data protection, employees now may sue their employers for purely economic loss arising from the failure to safeguard their data.

Critically, the decision is a reflection of the changing times. With more and more regulation across the country and internationally (e.g., the NY cyber regulations, recent SEC guidance, NAIC Model Law on Data Security, the GDPR, etc.), and changing perceptions toward cyberattacks, companies that collect data are expected to protect that data. Dittman makes this the clear rule of law in Pennsylvania. The decision marks an expansion of risk under business, E&O, ELP, and cybersecurity insurance. Some markets, like the small-to-medium enterprise (SME) market that has members with inadequate cybersecurity programs, may see a big impact from Dittman and a rise in costly litigation. Is this a case where plaintiffs’ attorneys may start their engines? Maybe. In so holding, the Pennsylvania Supreme Court ignored the trial court’s plea for judicial restraint. (The trial court believed imposing an affirmative duty upon employers should be left to the legislative branch.) Certainly, employers and their insurers need to understand this decision.

The Case

In Dittman, current and former employees of the Pittsburgh Medical Center (UPMC) commenced an operative class action following a data breach in which personal information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information, of 62,000 employees was accessed and stolen from UPMC’s computer systems. The data, which UPMC had collected from employees as a condition of their employment, later was used to file fraudulent tax returns. Id. at *2. Plaintiffs, who asserted claims for negligence and breach of implied contract, alleged that UPMC, as their employer, had a duty of care to protect their personal information. They alleged UPMC breached this duty by:

  • Failing to design, maintain, and test its data security program to ensure that plaintiffs’ data was adequately protected;
  • Failing to implement “processes that would detect a breach of its security systems in a timely manner”;
  • Violating “administrative guidelines”; and
  • Failing to “meet current data security industry standards,” such as proper encryption, adequate firewall protection, and authentication protocols.

Plaintiffs alleged that as a result of UPMC’s breach of the duty of care, they incurred damages from fraudulently filed tax returns and are “at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.” Id. at *2-4.  

The trial court dismissed the lawsuit. Because plaintiffs did not allege any physical injury or property damage, plaintiffs could not recover solely economic damages under Pennsylvania’s economic loss doctrine. The trial court also opined that the courts should not create a new affirmative duty of care that would permit such litigation. Fearing such a duty would create a wave of litigation upon an already over-burdened judiciary, the trial court stated that the decision to impose such a duty upon employers should be left to the legislative branch. Id. at *6-9. The Superior Court affirmed, noting that although the relationship between the parties favored imposing a duty upon UPMC, UPMC nevertheless did not owe plaintiffs a special duty under Pennsylvania law. The Superior Court further agreed that the economic loss doctrine would prohibit recovery. Id. at *10-12. The Pennsylvania Supreme Court reversed.

Dittman plaintiffs argued that by requiring its employees to provide it with personal information, UPMC owed a duty to exercise reasonable care to protect the data. Id. at *15. Plaintiffs contended that such a requirement fell within the general principle of tort law that “anyone who does an affirmative act is under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.” Id. at *16. Plaintiffs contended that although this duty was limited by the concept of foreseeability, here, it was foreseeable that “troves of electronic data stored on internet-accessible computers held by large entities are obvious targets for cyber criminals.” Id. at *17. UPMC disagreed, arguing that its actions did not increase the risk of criminal activity, and that a new duty should not be created (or that it should be held liable) “merely because of the general prevalence or conceivable risk of data breaches.” Id. at *19-20. UPMC also argued that the criminal actions of a third party (i.e., the hacker) should be a superseding event that absolved it of liability. Id. at *20.

The Dittman court disagreed with UPMC, concluding as a threshold matter that the case before it did not involve the creation of a “new” duty, but instead the “application of an existing duty to a novel factual scenario.” Id. at *21. Is this semantics? Maybe. Agreeing that tort law required those who undertake affirmative acts “to exercise the care of a reasonable man to protect [others] against an unreasonable risk of harm to them arising out of the act,” the Dittman court concluded that UPMC’s requirement that plaintiffs provide personal information triggered a duty of care:

… UPMC required them [employees] to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC. . . . Employees [also] have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach. Thus, we agree with Employees that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.

Id. at *22-24. 

The court rejected the contention that the third-party hacking created a superseding event to absolve UPMC of liability. Generally, under tort law, the wrongful actions of a third party are not deemed foreseeable and may serve as a superseding event to prohibit liability. This limitation, however, does not apply where the defendant “realized or should have realized” the likelihood that his actions could create a situation in which a third party might avail himself of an opportunity to commit a tort or crime. Id. at *24-25. In the case before it, the Dittman court held that UPMC’s data collection and storage created a situation in which UPMC knew or should have known that a third party might try to hack into its network. Thus, according to the court, “the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect Employees’ personal and financial information from that breach.” Id. at *25-26.

Finally, addressing the economic loss doctrine, the Supreme Court rejected both lower courts’ readings of the economic loss doctrine to preclude recovery of solely economic damages based on negligence. Id. at *38-39. Instead, the Dittman court determined that Pennsylvania recognizes “that purely economic losses are recoverable in a variety of tort actions,” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law.” Id. at *39. With this expanded reading of the economic loss doctrine, combined with the duty of care the court now placed on employers to protect data, the court held that the doctrine permitted recovery for the underlying data breach:

Here, Employees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems. As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar Employees’ claim.

Id. at *42-43.

What This Case Means

The Dittman holding allows current and former employees to sue their employers who suffer a data breach (or other cybersecurity incident, for that matter) involving their information. In a vacuum, the holding does not seem that extraordinary. In the context of heightening cybersecurity regulation, perhaps it should not come as a great surprise. However, when considering boilerplate claims such as “increased risk” of fraud, lost hours expended to undertake proactive measures to prevent identity theft (or remedy it), or lost value of data on the dark web, when combined with the high costs of class action litigation, the costs this decision may impose on employers and their insurance carriers are unmistakable. The greatest impact may be upon the SME market, as small to mid-sized companies are less likely to have implemented adequate cybersecurity programs. 

There are some silver linings. Increased litigation against larger companies may not materialize. Given increased regulation, whether by governmental agencies or consensus standards, and greater emphasis on risk allocation (i.e., steep indemnity provisions) in business contracts, many companies have been forced to improve their cybersecurity programs to levels that may match the duty of care now imposed by Dittman. Also, a prominent decision like Dittman, in lieu of the judicial creep of lesser-known decisions, provides companies with fair warning to assess and improve their cybersecurity programs now. Insurers also should consider the decision when assessing risks of their Pennsylvania policyholders. Finally, a decision like Dittman will lead to better overall cybersecurity among Pennsylvania companies, whether achieved by proactive measures undertaken by them, or bet-the-company litigation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White and Williams LLP | Attorney Advertising
