Summary
On May 28, 2015, Judge R. Stanton Wettick, Jr. refused to create a new cause of action sounding in negligence allowing a claim for damages resulting from improper disclosure of confidential personal and financial information.
In Dittman v. UPMC, No. GD-14-003285 (Allegheny County C.C.P. May 28, 2015) a putative class action, some 62,000 current UPMC employees and "untold numbers of former employees" who had various personal information stolen from UPMC computers, sued, claiming that UPMC had been negligent in allowing the unauthorized access and disclosure to occur. Plaintiffs claimed that UPMC owed them a duty of care to prevent them from being victims of third-party criminal activity. For several reasons, Judge Wettick disagreed, to wit:
First, the only losses claimed were economic losses, and, under the "economic loss doctrine" in Pennsylvania, "no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage." Judge Wettick also pointed out that the Bilt-Rite exception to the economic loss doctrine did not apply, because UPMC is not in the "business of supplying information to others for pecuniary gain."
Second, Judge Wettick refused to create a new duty of care, finding that where only economic losses are involved, the economic loss doctrine has "already balanced the competing interests" which would otherwise have to be balanced to determine whether to establish a duty of care. In addition, Judge Wettick refused to find "that the courts should impose a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions" because doing so would not further any public interest and would instead, given the widespread existence of data breaches, likely inundate Pennsylvania courts with "possibly hundreds of thousands of lawsuits" annually by people whose confidential information ends up in the wrong hands. Moreover, Judge Wettick found that there are no generally accepted reasonable care standards concerning data protection obligations, and the use of "‘expert’ testimony and jury findings" are not "viable method[s] for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed."
Third, Judge Wettick pointed out that the underlying issue is one better suited to a legislative solution. The Pennsylvania General Assembly, in the Data Breach Act, 73 P.S. 2301, et seq., despite several proposed amendments which would have created a duty of care and defined the scope of liability, only created one duty – the duty to notify an affected person of a data breach. It also created only one cause of action – by the Attorney General alone, to sue an entity which fails to meet the notification requirements of the Data Breach Act. In other words, the General Assembly did not create a private right of action even for the failure to notify, and refused to create any kind of a private damage action for that failure or the breach itself. As Judge Wettick stated, the "only duty that the General Assembly has chosen to impose as of today is notification of a data breach. It is not for the court to alter the direction of the General Assembly because public policy is a matter for the Legislature."*
Why Is This Decision Relevant?
In addition to reiterating the importance of the duty to notify under Pennsylvania’s Data Breach Act, the decision may provide only temporary comfort in terms of the court’s unwillingness to find a duty of care or carve out any type of exception to the economic loss doctrine. In other words, given the virtually daily headlines about data breaches and the unauthorized access to and disclosure of confidential personal and financial information, now coupled with a well-respected Pennsylvania jurist’s highlighting that the issue of a damage remedy for data breach is one for the General Assembly to grapple with, one could reasonably expect that such a "solution" might indeed be in the offing. The potential of direct and actual damage liability for negligence would only add to the ever-burgeoning costs of data protection and the expenses associated with actions required in the aftermath of a breach. At its base, then, while appearing to provide some comfort by not creating a duty of care, Dittman stands out – as if it is necessary to have any greater focus on the issue at all – as yet another warning to those who collect and maintain confidential personal and financial information to be ever-vigilant in protecting it from attack.
* Judge Wettick also refused to find an implied contract basis for liability because the factual allegations in the Complaint did not allege an adequate basis on which to find any agreement between the parties "under which UPMC agreed to be liable to its employees for criminal acts of third parties."
View Document(s):
