To date, Pennsylvania has not adopted a comprehensive law specifying how sensitive personal information about individuals must be secured or the protections that holders of this information must use to minimize risk of breach. [1] Pennsylvania only requires that, in the event of a breach, holders of sensitive personal information notify the affected individuals so they can take appropriate precautions against misuse of their information. Pennsylvania does have some laws specific to particular industries, such as health care and insurance, regarding how sensitive personal information may be used or disclosed, but there is no single mandate across all industries obligating holders of sensitive personal information to secure it in any particular way.
Employers, however, are a common denominator among all industries, and recently, the Pennsylvania Supreme Court in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center held that when employers (regardless of the industry, the size of the employer, or the number of employees they hire) require their employees to provide sensitive personal information, such as Social Security numbers, bank accounts, tax returns, or other financial information, those employers have a legal duty to exercise reasonable care to safeguard that information when they store it on an Internet-accessible computer system. [2] Employers who do not exercise reasonable care to safeguard the sensitive personal information may be liable for financial damages to their employees in the event of a breach. [3]
All employers who collect sensitive personal information about their employees and maintain the information electronically on an Internet-accessible system are affected by the court’s decision. The court’s analysis also suggests that, regardless of how the information is stored (i.e., electronically or otherwise), an employer has a duty to exercise reasonable care to safeguard the sensitive personal information it collects about its employees from known threats to the information. This alert examines the court’s holding and identifies questions employers should be asking about their data requests, data security practices, and data-retention policies and procedures, and it offers suggestions for mitigating associated risks that apply regardless of whether employers store the information on an Internet-accessible computer.
What Happened?
UPMC’s Internet-connected computer system was hacked and sensitive personal information about its employees was accessed and stolen. This information included names, birth dates, Social Security numbers, addresses, tax forms, and bank account information. The hackers used the stolen information to file false tax returns, and affected employees incurred financial damages. As a result, several UPMC employees filed a class-action lawsuit against UPMC on behalf of all 62,000 current and former UPMC employees whose data were accessed and stolen. The employees alleged that:
• UPMC affirmatively required employees to provide certain sensitive personal and financial information (including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information) as a condition of employment.
• UPMC had a duty to exercise reasonable care to protect their employees’ personal and financial information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.
• UPMC stored the employees’ sensitive personal information on its Internet-accessible computer system without adopting adequate security measures, such as encryption, adequate firewalls, and an adequate authentication protocol, to safeguard that information, which allowed hackers to access the system and steal the information.
• UPMC breached its duty to exercise reasonable care to protect the information, which allowed hackers to access the system and steal the information.
• UPMC was liable to the employees for the financial damages they incurred resulting from the breach.
UPMC filed preliminary objections to the complaint — Pennsylvania’s form of a motion to dismiss — and asserted that the economic-loss doctrine barred the employees from recovering purely economic damages. Under the economic-loss doctrine, actions sounding in tort require physical injury or property damage in order to recover for a breach of duty. [4] The trial court agreed with UPMC that the economic-loss doctrine barred recovery. [5] The trial court also found UPMC owed no existing duty to the employees as they alleged, and the “‘courts should not impose ‘a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.’” [6] The trial court accordingly dismissed the complaint.
The employees appealed to the Pennsylvania Superior Court, and in a split decision, the Superior Court affirmed the trial court’s determination that employers did not owe their employees a duty under Pennsylvania law to exercise reasonable care to safeguard their sensitive personal information. [7] The Superior Court also agreed that the economic-loss doctrine barred recovery. [8] The Superior Court therefore affirmed the trial court’s order sustaining UPMC’s preliminary objections and dismissing the claim. [9]
The Pennsylvania Supreme Court’s Review
The Pennsylvania Supreme Court granted a discretionary appeal to determine the narrow questions of (1) whether an employer in Pennsylvania has a legal duty to use reasonable care to safeguard sensitive personal information about its employees when the employer chooses to store such information on an Internet-accessible computer system, and (2) if so, whether the employees could recover purely financial damages resulting from the breach of the duty. As discussed more fully below, the Supreme Court held that (i) employers have an existing duty to employees under Pennsylvania common law to exercise reasonable care in collecting and storing their sensitive personal information on their computer systems, and (ii) purely financial damages may be recovered if employers fail to exercise reasonable care in securing the sensitive personal information. [10]
First, the Supreme Court disagreed with the lower courts’ analysis that, if employers owed such a duty to exercise reasonable care to safeguard their employees’ sensitive personal information, such duty was a “new, affirmative duty” and was being created solely by the employees’ allegations. [11] In the Supreme Court’s view, the employees’ allegations were simply a “novel factual scenario” to apply an existing duty employers owe to the employees. [12] The Supreme Court stated that, as it has observed previously, “in scenarios involving an actor’s affirmative conduct, he is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm arising out of the act.’” [13] The Supreme Court concluded that, in this case, the employees alleged such affirmative conduct on the part of UPMC — namely, that “as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC.” [14] The Supreme Court also agreed with the employees that “this affirmative conduct resulted in UPMC owing the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” [15]
With respect to the economic-loss doctrine, the Supreme Court held that the decisions relied upon by the trial court and the Superior Court “do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages.” [16] Instead, the ability to recover “turns on the determination of the source of the duty plaintiff claims the defendant owed.” [17] In cases where the duty arises outside the context of a contract between the parties, the breach of that duty may be the basis of a negligence claim. [18] According to the Supreme Court, the employees’ allegations in the complaint existed independently from any contractual obligations between the parties. Accordingly, the employees had stated a claim upon which they could recover if their allegations proved to be true.
The Implications of the Court’s Holding for Employers
Private employers in Pennsylvania (regardless of industry) who affirmatively request sensitive personal information from their new or existing employees and who maintain the sensitive personal information on Internet-connected computer systems have an existing duty to exercise reasonable care to safeguard that information. [19] As a result, employers (regardless of size or number of employees) should be evaluating their data collection and maintenance policies and procedures to mitigate the risk of being found not to have exercised reasonable care in safeguarding the information. In particular, employers should be answering the following questions:
1. Is the information really needed? Employers should be able to connect each data request to a legitimate business need (e.g., a legal requirement) and limit the data requested to the minimum amount of data required to achieve that legitimate business purpose. Some data elements are essential: names, addresses, Social Security numbers, and birth dates. This data is necessary to pay employees, to report tax withholdings, and to prevent fraud, among other purposes. Any data being requested from employees that is not absolutely necessary for a legitimate business purpose should be reevaluated and collection discontinued if it is determined to be unnecessary. Unnecessary data should also be deleted.
2. Could any of the information collected and maintained about the employees and determined to be necessary for a legitimate employer purpose harm employees if it were stolen? To make this determination, employers must have a thorough understanding of precisely what information they maintain about employees. Information such as names and addresses likely does not qualify as sensitive personal information (although there are always exceptions), but financial information does. In order for an employer to be able to show it exercised reasonable care, it must first know the nature of the data in its possession.
3. What are the foreseeable threats of the information being inappropriately accessed or stolen? Information stored electronically is under constant attack. If employers maintain sensitive personal information about their employees electronically (or hire vendors who do so), they must understand these threats and how they might come to fruition. As noted above, however, the Supreme Court’s analysis applies equally to sensitive personal information in other forms, such as paper. If an employer could reasonably foresee that paper records could be misused, the employer likewise has an existing duty to exercise reasonable care to protect them (e.g., locked file cabinets with limited access).
4. Based on the nature of the information and the identified foreseeable threats to that information, have appropriate safeguards for protecting the information been identified and implemented? Safeguards may vary depending on the nature of the underlying data and the identified foreseeable risks, although certain security practices have become, or are quickly becoming, fairly standard, and failure to implement them would likely be seen as a failure to exercise reasonable care. At a minimum, employers should be able to demonstrate that people with appropriate experience and knowledge in safeguarding information are involved in these decisions.
5. Have the steps taken to safeguard the information been documented? The Supreme Court’s holding does not impose strict liability on employers in the event they get hacked and sensitive personal information about employees is accessed or stolen. The Supreme Court’s holding requires the exercise of reasonable care to safeguard the information from foreseeable threats. The best way to be able to support that reasonable care was exercised is to document all the steps taken, including those listed above.
6. Does the cyber insurance policy cover breaches of employee data? It probably does, but employers should check the scope of coverage and ensure that nothing in the policy excludes the types of financial damages the employees in UPMC experienced.
Conclusion
The Supreme Court’s holding drives home that employers must use reasonable care in the collection of sensitive employee data and adds an incentive for doing so (the risk of incurring economic damages for breach).
NOTES:
[1] Indeed, there is no overarching definition of “sensitive personal information,” but it typically includes personal information that, if acquired inappropriately, could be used to harm the person to whom it belonged, such as a Social Security or driver’s license number coupled with bank account information.
[2] Dittman v. UPMC d/b/a The Univ. of Pittsburgh Med. Ctr. & UPMC McKeesport, No. 43 WAP 2017, slip op. at 1–2 (Pa. Nov. 21, 2018) (herein, “UPMC”).
[3] Id.
[4] See Bilt-Rite v. The Architectural Studio, 866 A.2d 270, 273 (Pa. 2005).
[5] See UPMC, slip op. at 4–5.
[6] See id. at 5 (quoting Bilt-Rite, supra). The trial court also “observed that the Legislature is aware of and has considered the issues that Employees sought the court to consider herein as evidenced by the Breach of Personal Information Notification Act (Data Breach Act), 73 P.S. §§ 2301 - 2329. Specifically, the court explained that, under the Data Breach Act, the Legislature has imposed a duty on entities to provide notice of a data breach only … and given the Office of the Attorney General the exclusive authority to bring an action for violation of the notification requirement … The court thus reasoned that, as public policy was a matter for the Legislature, it was not for the courts to alter the Legislature’s direction.” Id. at 6–7.
[7] Id. at 8–9.
[8] Id. at 7.
[9] Id.
[10] Id. at 1–2.
[11] Id. at 15.
[12] Id. at 10. Indeed, “[c]ommon-law duties stated in general terms are framed in such fashion for the very reason that they have broad-scale application.” Id. at 15–16. “‘Like any other cause of action at common law, negligence evolves through either directly applicable decisional law or by analogy, meaning that a defendant is not categorically exempt from liability simply because appellate decisional law has not specifically addressed a theory of liability in a particular context.’” Id. at 16 (quoting Scampone v. Highland Park Care Ctr., LLC, 57 A.3d 582, 299 (Pa. 2012)).
[13] Id. at 16 (emphasis added).
[14] Id. (emphasis added).
[15] Id. at 16–17. In arriving at this conclusion, the Supreme Court also rejected UPMC’s argument that “the presence of third-party criminality in this case eliminates the duty it owes to Employees …” Id. at 17. The Supreme Court acknowledged that an actor otherwise owing a duty “cannot be liable for third-party conduct that could ‘conceivably occur.’” Id. at 17. However, the Supreme Court agreed that “liability could be found if the actor ‘realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.’” Id. at 17–18 (quoting Mahan v. Am-Gard, Inc., 841 A.2d 1052, 1061 (Pa. Super. 2003)) (emphasis added).
[16] Id. at 28.
[17] Id.
[18] Id.
[19] The court did not consider whether a cause of action would exist against local or state agencies under the limited waivers of sovereign immunity.