On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty.
Dittman v. UPMC arose from a 2014 data breach of the University of Pittsburgh Medical Center’s (UPMC) network, resulting in the theft of sensitive personal information for 62,000 employees — including Social Security numbers, birthdates, confidential tax information, addresses, salaries, and bank account information. UPMC employees (“Plaintiffs”) filed a putative class action asserting negligence, invasion of privacy, and breach of implied contract claims. As pertinent here, Plaintiffs alleged that UPMC breached a common law duty of reasonable care to secure their personal information, which they provided as a condition of their employment. Plaintiffs sought damages for economic losses associated with the filing of fraudulent tax returns in their names, as well as “increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”
In 2015, the Allegheny County Court of Common Pleas dismissed Plaintiffs’ claims. As to the negligence claim, the trial court held that Pennsylvania law did not recognize a duty to secure employee data held in Internet-accessible computers, and that Pennsylvania courts should not create “a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.” Doing so, the trial court noted, could result in “hundreds of thousands of lawsuits” without a clear standard of reasonable care in data security. The trial court also held that the economic loss doctrine precluded Plaintiffs’ negligence claims where Plaintiffs did not allege bodily injury or property damage. The Superior Court affirmed the dismissal on direct appeal.
The Supreme Court of Pennsylvania unanimously reversed the lower court rulings and remanded the action for further proceedings. The Court rejected the notion that it was creating a “new affirmative duty” under common law, and instead held that it was applying the “existing duty to a novel factual scenario.” Plaintiffs alleged that, as a condition of employment at UPMC, they were required to provide certain financial and personal information. They further alleged that UPMC collected and stored that information on its Internet-accessible computer system without the use of adequate security measures, including proper encryption, firewalls, or authentication protocols.
The Court held that where an employer’s affirmative collection of employee personal information creates a foreseeable risk of a data breach (even by cybercriminals), the employer has a duty of reasonable care to secure its employees’ personal information “against an unreasonable risk of harm arising out of [the employer’s data collection practices].” UPMC should have realized, the Court concluded, that “a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal [its] [employees’] information; thus, the data breach was ‘within the scope of the risk created by’ UPMC.” As to the ‘duty’ element of the negligence claim at least, “the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees’] personal and financial information from that breach.”
The Court also held that Pennsylvania’s version of the economic loss doctrine does not preclude all negligence claims seeking “purely economic damages.” Rather, “if a duty arises independently of any contractual duty between parties,” economic damages flowing from a breach of that duty are recoverable on a negligence claim. Here, the duty to reasonably secure employee personal data arises under negligence law. Accordingly, “the economic loss doctrine does not bar the employees’ claim.”
This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania. Negligence is now a viable cause of action for inadequate data security under Pennsylvania law. Because the Court’s recognition of a legal duty to protect data is tied to the very act of collecting and storing such data, this new legal principle is unlikely to be limited to the employment context. Any entity that collects and stores the sensitive information of any person likely will be subject to a duty to exercise reasonable care to safeguard it against the foreseeable risk of a data breach – even one committed by hackers.
Moreover, the economic loss doctrine will not bar negligence claims for inadequate cybersecurity resulting in “purely economic damages.” Under the Supreme Court’s rationale, a common law duty to protect personal information seemingly will arise in every case in which an entity collects and stores such data. Because there always will be a cybersecurity duty independent of a contractual relationship in such cases, it is difficult to see how the economic loss doctrine survives at all in this context.
With the possible exception of standing challenges, defendants are unlikely to win early dismissal of negligence claims premised on allegations of data breaches resulting from inadequate cybersecurity. As a result, we will likely see a spike in data-breach-related claims brought in Pennsylvania courts and under Pennsylvania negligence law.
Entities that operate in Pennsylvania or collect personal information about Pennsylvania residents should evaluate their current cybersecurity policies and procedures to ensure that they are taking “reasonable” measures to protect personal information from unauthorized access or acquisition. Entities also must be prepared to respond to data breaches with an eye toward limiting liability in litigation that increasingly is likely to follow.