August 13, 2020

Volume X, Number 226

Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees' Personal Data

The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees' personal information stored on an internet-accessible computer. The court further held that Pennsylvania's economic loss doctrine permits recovery for "purely pecuniary damages" on a negligence claim premised on a breach of such a duty.

This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania, as negligence is now a viable cause of action for inadequate data security under Pennsylvania law.

Dittman v. UPMC arose from a 2014 data breach of the University of Pittsburgh Medical Center's (UPMC) network, which resulted in the theft of sensitive personal information for 62,000 employees—including Social Security numbers, birthdates, confidential tax information, addresses, salaries, and bank account information. UPMC employees filed a putative class action asserting negligence, invasion of privacy, and breach of implied contract claims. The plaintiffs alleged that UPMC breached a common law duty of reasonable care to secure their personal information, which they provided as a condition of their employment. The plaintiffs sought damages for economic losses associated with the filing of fraudulent tax returns in their names, as well as "increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse."

In 2015, the Allegheny County Court of Common Pleas dismissed the plaintiffs' claims. As to the negligence claim, the trial court held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers and that Pennsylvania courts should not create "a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions." Doing so, the trial court noted, could result in "hundreds of thousands of lawsuits" without a clear standard of reasonable care in data security. The trial court also held that the economic loss doctrine precluded negligence claims where the plaintiffs did not allege bodily injury or property damage. The Superior Court affirmed the dismissal on direct appeal.

The Supreme Court of Pennsylvania unanimously reversed the lower court rulings and remanded the action for further proceedings. The court rejected the notion that it was creating a "new affirmative duty" under common law, and instead held that it was applying the "existing duty to a novel factual scenario." The plaintiffs alleged that—as a condition of employment at UPMC—they were required to provide certain financial and personal information. They further alleged that UPMC collected and stored that information on its internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls, or adequate authentication protocols.

The court held that where an employer's affirmative collection of employee personal information creates a foreseeable risk of a data breach (even by cybercriminals), the employer has a duty of reasonable care to secure its employees' personal information "against an unreasonable risk of harm arising out of [the employer's data collection practices]." UPMC should have realized, the court concluded, that "a cybercriminal might take advantage of the vulnerabilities in UPMC's computer system and steal [its employees'] information; thus, the data breach was 'within the scope of the risk created by' UPMC." As to the 'duty' element of the negligence claim, "the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees'] personal and financial information from that breach."

The court also held that Pennsylvania's version of the economic loss doctrine does not preclude all negligence claims seeking "purely economic damages." Rather, "if a duty arises independently of any contractual duty between parties," economic damages flowing from a breach of that duty are recoverable under a negligence claim. Here, the duty to reasonably secure employee personal data arises under negligence law. Accordingly, "the economic loss doctrine does not bar the employees' claim."

Because the court's recognition of a legal duty to protect data is tied to the very act of collecting and storing such data, this new legal principle is unlikely to be limited to the employment context. Any entity that collects and stores the sensitive information of any person likely will be subject to a duty to exercise reasonable care to safeguard it against the foreseeable risk of a data breach—even one committed by hackers.

Moreover, the economic loss doctrine will not bar negligence claims for inadequate cybersecurity resulting in "purely economic damages." Under the Pennsylvania Supreme Court's rationale, a common-law duty to protect personal information seemingly will arise in every case in which an entity collects and stores such data. Because there always will be a cybersecurity duty independent of a contractual relationship in such cases, it is difficult to see how the economic loss doctrine survives at all in this context.

With the possible exception of standing challenges, defendants are unlikely to win early dismissal of negligence claims premised on allegations of data breaches resulting from inadequate cybersecurity. As a result, we will likely see a spike in data breach-related claims brought in Pennsylvania courts and under Pennsylvania negligence law.

Entities that operate in Pennsylvania or collect personal information about Pennsylvania residents should evaluate their current cybersecurity policies and procedures to ensure that they are taking "reasonable" measures to protect personal information from unauthorized access or acquisition. Entities also must be prepared to respond to data breaches with an eye toward limiting liability in litigation that increasingly is likely to follow.

Copyright © by Ballard Spahr LLP

National Law Review, Volume VIII, Number 331

About this Author

Edward McAndrew, Ballard Spahr, Philadelphia, Washington DC, Data Security, Privacy

Edward J. McAndrew is a counselor, investigator, and trial lawyer who helps clients navigate life in the digital world. He is the Co-Practice Leader of the firm's Privacy and Data Security Group.

Named a "Cybersecurity and Data Privacy Trailblazer" by The National Law Journal, Mr. McAndrew advises clients on cybersecurity, digital privacy, cyber-incident response, social media, online speech, defamation, commercial, employment, intellectual property, corporate governance, regulatory, and criminal matters. He also advises clients on cyber-based national security issues, as...

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Mr. Yannella serves on the advisory board for the ACC Foundation’s Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

Kristen Poetzel, Ballard Spahr Law Firm, Philadelphia, Finance and Cybersecurity Law Attorney

Kristen Poetzel is an associate in the firm's Privacy and Data Security Group who concentrates on data privacy and cybersecurity matters, including breach response and investigation, risk assessment, proactive breach planning, regulatory investigation and compliance, and privacy litigation defense. Kristen's cybersecurity clients include financial institutions, corporations from various industries, health care entities, municipalities, and educational institutions. She uses her technical knowledge of ransomware, phishing, hacking, malware, Trojans, botnets...