Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018). The Pennsylvania Supreme Court holds that employers have a legal duty to use reasonable care to safeguard sensitive personal information of their employees when the employer chooses to store such information on an internet accessible computer system. In addition, the Court holds that the economic loss doctrine does not bar purely financial damages resulting from a breach of this duty.
SUMMARY AND FACTUAL BACKGROUND
In a class action lawsuit against UPMC d/b/a the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, “UPMC”), Plaintiff employees (“Employees”) alleged that a data breach had occurred through which the personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 UPMC employees and former employees was accessed and stolen from UPMC’s computer systems. Employees further alleged that the stolen data, which consisted of information UPMC required Employees to provide as a condition of their employment, was used to file fraudulent tax returns on behalf of the victimized Employees, resulting in actual damages.
UPMC filed preliminary objections to Employees’ complaint arguing that, inter alia, their negligence claim failed as a matter of law. Specifically, UPMC argued that no cause of action exists for negligence because Employees did not allege any physical injury or property damage and, under the economic loss doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” The trial court sustained UPMC’s preliminary objections and dismissed Employees’ negligence claim. In a split opinion, a three-judge panel of the Superior Court affirmed the order of the trial court sustaining UPMC’s preliminary objections and dismissing Employees’ claims.
To state a claim for negligence, a plaintiff generally must demonstrate the following elements: (1) the defendant owed a duty to the plaintiff; (2) the defendant breached that duty; (3) a causal relationship between the breach and the resulting injury suffered by the plaintiff; and (4) actual loss suffered by the plaintiff.
In this case, both the trial court and the Superior Court found that UPMC owed no duty to the Employees under Pennsylvania law. In reversing the decisions of the lower courts, the Supreme Court of Pennsylvania concluded that UPMC owed the Employees a common law duty to reasonably protect against data breaches. Specifically, the Court observed that, under Pennsylvania law, “[i]n scenarios involving an actor’s affirmative conduct, he is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.’” Accordingly, because Employees alleged that UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system, the Court found that UPMC had a duty to protect them against an unreasonable risk of harm arising out of that requirement.
The Court rejected UPMC’s argument that the presence of third-party criminality eliminates this duty. Because data stored on internet-accessible computers held by large entities like UPMC are obvious targets for cybercriminals, the Court found that UPMC should have realized the likelihood that a third person might avail himself of the opportunity to commit such a crime and taken steps to protect the Employees’ data.
Accordingly, the Court concluded that the lower courts erred in finding that UPMC did not owe a duty to Employees to exercise reasonable care in collecting and storing their personal and financial information on its computer systems.
The Court also found that the economic loss doctrine did not bar Employees’ negligence claims. This doctrine generally bars negligence claims that result solely in economic damages unaccompanied by physical injury or property damage. The Court, however, clarified that the economic loss doctrine, as applied in Pennsylvania, does not preclude all negligence claims seeking solely economic damages. Instead, the Court set forth a “reasoned approach” to applying the economic loss doctrine that “turns on the determination of the source of the duty plaintiff claims the defendant owed.” Specifically, if the duty arises under a contract between the parties, a tort action will not lie from a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.
Because Employees asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems, a duty that exists independently from any contractual obligations between the parties, the Court held that the economic loss doctrine did not bar Employees’ claim.
The Dittman decision is important because the Supreme Court of Pennsylvania has determined that, in certain circumstances, employers owe a duty to protect employee data and can be liable for data breaches. Moreover, in such circumstances, the economic loss doctrine will not bar such claims.
Accordingly, to the extent school districts require their employees to submit sensitive personal or financial information (e.g., names, birth dates, social security numbers, addresses, tax forms, and bank account information), such districts have a duty to install reasonable security measures to protect such data, including, but not limited to, proper encryption, adequate firewalls, and an adequate authentication protocol, and should take all necessary steps to comply with this duty. Districts should work with their solicitors and Information Technology Department employees to determine what constitutes reasonable security in this ever-evolving field.