A state court in Pennsylvania recently dismissed a class action data breach lawsuit. The members of the class consisted of 62,000 employees and former employees of the University of Pittsburgh Medical Center (UMPC) who had been notified that their names, birth dates, addresses, social security numbers, tax information, salaries and bank account information were stolen from UPMC’s computer system.
The plaintiffs argued that UPMC had a duty to use reasonable care to protect their information and that UPMC breached this duty. The court declined to impose what it called “a new affirmative duty” related to data breaches. The court noted that data breaches frequently occur because of criminal activity and that imposing a general duty in law to protect such information could result in the filing of hundreds of thousands of lawsuits which would result in businesses having to spend substantial resources in responding to the lawsuits. The court also pointed to the Pennsylvania law addressing breaches and noted that the Pennsylvania Legislature required entities that suffer a breach to report the breach but that the Legislature did not authorize the affected individuals to have the right to sue the entity involved in the breach. The court further noted that under the breach notification statute the Legislature gave the Office of the Attorney General the exclusive authority to bring actions for violating the notification requirement. At least for now in Pennsylvania data breach cases face a steep uphill battle and we will continue to see these breach cases played out in state courts.