In a unanimous ruling that is sure to become a landmark in state litigation over data breaches, the Pennsylvania Supreme Court on November 21 held that “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.” In doing so, the Court overruled two lower courts that had reached the opposite conclusion. The Court explained that this duty arises from long-established common law principles and also held that neither Pennsylvania’s economic loss doctrine nor the criminal acts of third-party hackers bar suits by employees against employers based on this duty. Businesses and organizations with employees in Pennsylvania are now on notice that they must take steps to protect employee personal data against unauthorized disclosure or access, or else they will face potential liability even when a data breach was caused by criminals outside the organization.
The case, Dittman et al. v. UPMC, started when a number of employees of the University of Pittsburgh Medical Center (“UPMC”) filed suit against UPMC on June 25, 2014. The employees alleged that UPMC had required them to provide an array of sensitive personal information to UPMC as a condition of employment. The employees further alleged that UPMC stored this data without using adequate security measures such as sufficient encryption, firewalls, or authentication protocols. According to the employees’ complaint, hackers breached UPMC’s systems and stole personal and financial information of UPMC employees, including names, birth dates, social security numbers, addresses, tax records, and bank account information. The employees alleged that the hackers used the stolen data to file fraudulent tax returns on their behalf, causing them actual damages. The employees claimed that UPMC was liable to them under a negligence theory because it had not taken reasonable steps to safeguard their personal data.
The trial court dismissed the employees’ negligence claim and the Superior Court upheld the dismissal. Both courts reasoned that if they permitted the negligence claim to proceed, it would amount to recognizing a novel duty under Pennsylvania law, and plaintiff’s allegations did not meet the requirement for the imposition of a new duty. Both courts also determined that Pennsylvania’s economic loss doctrine, which prohibits tort claims for purely economic damages in most situations where there is a contractual relationship between a plaintiff and a defendant, served to bar the employees’ negligence claim. The Superior Court also observed that the actions of the third party hackers in this case amounted to a superseding cause of the employees’ alleged damages, cutting off UPMC’s potential liability.
The Supreme Court overruled the lower courts, recognizing the existence of a duty in this instance, and determining that the economic loss doctrine did not bar the employees' claims and that the actions of the hackers did not constitute a superseding cause of employees’ alleged damages.
On the question of duty, the Court determined that the lower courts were mistaken in characterizing the employees’ claims as seeking the imposition of a novel duty under Pennsylvania law. Rather, the Court stated, “this case is one involving an application of an existing duty to a novel factual scenario, as opposed to the imposition of a new, affirmative duty . . . .” The Court noted that it has long been established under Pennsylvania common law that in “scenarios involving an actor’s affirmative conduct, he is generally under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.” The Court determined that UPMC’s collection and storage of employees’ personal data constituted affirmative conduct on UPMC’s part, and that UPMC therefore “owed [the] [e]mployees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”
Because the Court was assessing the case at the preliminary objection stage, the Court was bound to accept the employees’ factual allegations as true. As such, the Court did not address whether UPMC’s data protection measures were reasonable. It only determined that the lower courts were mistaken to rule that UPMC owed no duty to its employees, and remanded the case for further proceedings. Undoubtedly, the particular measures that UPMC employed will be a key issue in those proceedings.
With regard to the economic loss doctrine, the Court concluded that the doctrine does not preclude all negligence claims seeking solely economic damages. Instead, the Court ruled, the application of the doctrine depends on the source of the alleged duty owed by a defendant to a plaintiff, and “if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.” Because the Court had determined that UPMC owed a duty to safeguard employees’ personal data under Pennsylvania common law, rather than because of its contract with its employees, the economic loss doctrine did not bar the employees’ negligence claim.
The Court also determined that the criminal acts of hackers did not cut off UPMC’s potential liability to its employees. The Court stated that a defendant employer can be found liable even in light of third-party criminal acts if the defendant “realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.” The Court reasoned that the “alleged conditions surrounding UPMC’s data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal employees’ information.” As such, UPMC should have realized that a breach was within the scope of the risk its actions created, and the hackers’ acts did not extinguish UPMC’s potential liability.
The Dittman ruling establishes new rules of the road for negligence claims against employers under Pennsylvania law arising from data breaches. By characterizing an employer’s obligation to safeguard its employees’ personal data as a common law duty, the Court has created an opening for numerous suits against employers who suffer data breaches. An analysis of potential liability under this duty should be a part of any employer’s response to breaches and its overall cybersecurity assessment. Pennsylvania courts are sure to provide more guidance on these issues as this case and similar claims proceed, and courts in other states will likely look to this groundbreaking decision when deciding whether to recognize similar claims under their own laws. Employers everywhere should work now to address their cybersecurity risks and should pay attention to further developments in the cybersecurity and privacy arena.
