The Pennsylvania Supreme Court granted discretionary review in this matter to determine whether an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information that the employer stores on an internet-accessible computer system.
Barbara Dittman, along with six other employees, filed a class action complaint against the University of Pittsburgh Medical Center (UPMC), alleging that a data breach had occurred, resulting in the release of the personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 UPMC employees and former employees. Employees further alleged that the stolen data, which consisted of information UPMC required Employees to provide as a condition of their employment, was used to file fraudulent tax returns on behalf of the victimized Employees, resulting in actual damages. Employees asserted a negligence claim and breach of implied contract claim against UPMC.
The trial court granted UPMC’s preliminary objections and dismissed the employee’s claims before discovery. The trial court’s decision was based on Pennsylvania’s long-standing “economic loss doctrine” which holds that no cause of action exists for negligence that results purely in economic losses unaccompanied by physical injury or property damage. The Supreme Court granted allowance of appeal to address two issues:
- Does an employer have a legal duty to use reasonable care to safeguard the sensitive personal information of its employees when the employer chooses to store such information on an internet accessible computer system?
- Does the economic loss doctrine permit recovery for purely pecuniary damages which result from the breach of independent legal duty arising under common law, as opposed to the breach of a contractual duty.
Duty to Use Reasonable Care
UPMC argues that because the breach was caused by “hacking” of a third party, a criminal act, UPMC was resolved of liability based on the principal that wrongful actions of a third party are not foreseeable and may absolve the employer of liability. The Pennsylvania Supreme Court disagreed with this argument stating that “liability could be found if the actor realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or a crime.” The Court found that UPMC’s computer systems and security protocols created conditions in which a breach was more likely due to vulnerabilities which cybercriminals could take advantage of. The Court explained that it was not creating a “new affirmative duty of care” but was reinterpreting the “existing duty to a novel factual scenario.”
Economic Loss Doctrine
Pennsylvania’s economic loss doctrine generally precludes a Plaintiff from recovering under a negligence claim for purely economic damages. The Pennsylvania Supreme Court explained that the application of the doctrine “turns on the determination of the source of the duty the plaintiff claims the defendant owed.” The held that “if the duty arises under a contract between the parties, a tort action will not lie from a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.” In other words, the doctrine did not apply in this case because the Court found that a common law duty to act with reasonable care existed, independent of any contractual obligations between the parties.
What Employers should learn from the Decision
Employers will not have an easy time dismissing cases regarding data breaches, as they once did. Steps to secure employee data will vary between companies, but generally, employers should adhere to the following:
- What information is needed, and what is needed in digital form. The company should come up with a clear policy regarding the collection and retention of data. Do not collect or store information that is not necessary for company or HR purposes.
- Any data that is collected and stored should be stored securely. Not only should company servers and networks be secured, but any employee issued or employee-owned technology (laptops, desktops, tablets, smartphones) should be required to have password protection and follow office procedures regarding the storage and transmission of sensitive data.
- Make sure the company has a consistent policy regarding what data should be stored and how it is stored. There should be different levels of security and rules regarding different types of information. Social Security numbers and financial information are much more sensitive than names, email addresses, etc. If your company deals frequently with highly sensitive information consider bank-level encryption on your servers, and encrypted email platforms.
- Large companies should make sure they have adequate IT professionals employed. Smaller companies should hire a third party IT firm to monitor and consult on data security.
- Maintain a written record of your company’s data protection policy, efforts, and training.
- Develop a protocol for how to respond in the event of a data breach, the focus should be placed on notifying individuals affected by the breach and mitigating any further breaches.
The full decision (it is long) can be found at https://law.justia.com/cases/pennsylvania/supreme-court/2018/43-wap-2017.html