In today’s day and age, it is widely understood that no one is safe from a data breach. If you have been so fortunate as to escape fraudulent credit card purchases, data security breaches, or having your entire identity stolen, cybersecurity experts will tell you that it is no longer a matter of “if,” but “when” it will happen to you. In response to national and international cybersecurity incidents during the past few years, state legislators in all 50 states (as well as the District of Columbia and several U.S. territories) have enacted data breach notification legislation that requires private entities to notify individuals of security breaches involving their personally identifiable information (“PII”).
State and federal judiciaries have also begun to weigh in on the issue of cybersecurity, particularly in the employment context and most recently in Pennsylvania, where the State’s Supreme Court held that employers have an affirmative duty to protect employee PII from cybersecurity incidents. Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018).
Dittman arose out of a data breach of personal information at the University of Pittsburgh Medical Center (“UPMC”) that affected all of UPMC’s 62,000 current and former employees. A class action was filed after employees’ names, birth dates, social security numbers, tax documents, and bank account information were accessed and stolen from UPMC’s internet-accessible computer systems. The data was then used to file fraudulent tax returns. Alleging negligence and breach of implied contract, the Dittman plaintiffs argued that UPMC had a common law duty of care to protect their PII, particularly given the fact that UPMC had collected this data from them as a condition of their employment. The plaintiffs alleged that they incurred monetary damages as a result of UPMC’s failure to implement an adequate data security program (including, but not limited to, sufficient firewall protection, authentication protocols and encryption) and its failure to establish proper processes or protocols to detect security breaches.
The trial court dismissed the lawsuit, and Pennsylvania’s intermediate Superior Court affirmed. In their decisions, the lower courts first declined to recognize a “new” common law duty on the part of employers to protect employee PII, holding that the creation of such a duty was outside the province of the judiciary and should be left to the state legislature. The lower courts also held that Pennsylvania’s economic loss doctrine barred the plaintiffs’ negligence claim, because the plaintiffs sought to recover purely economic damages without alleging any physical injury or property damage.
After granting discretionary review of the case, the Supreme Court of Pennsylvania reversed both of its lower courts in toto. First, the Court determined that, as a threshold matter, it was not creating a “new” duty, but rather was “appl[ying] an existing duty to a novel factual scenario.” Second, the Court reasoned that UPMC engaged in affirmative conduct when it required the plaintiffs to submit their PII, which triggered a duty on UPMC’s part to exercise reasonable care to protect the employees from risk of harm.
The Court also rejected UPMC’s argument that it could not be liable under general tort law principles because the actions of the third party hacker were a superseding event (i.e. not foreseeable). The Court agreed with the plaintiffs, and growing public consensus, that “troves of electronic data stored on internet-accessible computers held by large entities are obvious targets for cyber criminals” and a reasonable entity in UPMC’s position should have foreseen that “failure to use basic security measures could lead to exposure of the data and serious financial consequences…”
Lastly, with respect to the economic loss doctrine, the Court confirmed that Pennsylvania law recognizes that “purely economic losses are recoverable in a variety of tort actions,” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than [in] contract law.”
Given the heightened scrutiny that is now paid to cybersecurity on the national and international stage, the Dittman decision is not completely unexpected. Employers, both big and small, should take the decision as a lesson: employers who do not take reasonable steps to protect their employees’ data put themselves at risk of costly class action litigation. Pennsylvania employers, and employers elsewhere, should take immediate steps to identify and close critical gaps in their insurance coverage, procedures and IT services, not only to meet the duty of care, but also as good business practice, so that when a cybersecurity incident does occur it causes minimal disruption to business operations.