Pennsylvania’s highest court recently held that an employer has a common law duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on the employer’s internet-accessible computer system. In Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199, --- A.3d. ---- (Pa. Nov. 21, 2018), the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) suffered a data breach that led to the disclosure of personal and financial information of 62,000 current and former UPMC employees. The information included the employees’ names, birth dates, Social Security numbers, addresses, tax forms, and bank account information.
In response, a group of employees filed a class action against UPMC asserting claims for negligence and breach of an implied contract. The employees’ negligence claim focused on UPMC’s alleged breach of the duties to protect their personal and financial information and ensure the security of their information in light of their special relationship with UPMC, whereby UPMC required employees to provide the information as a condition of their employment. The employees alleged that UPMC failed to adopt, implement, and maintain adequate security measures to safeguard employees’ information and timely recognize that the employees’ information had been compromised. The employees further contended that, as a result of UPMC’s negligence, they incurred damages relating to fraudulently filed tax returns and are now “at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.” Id. at 2.
The trial court dismissed the negligence claim, agreeing with UPMC that the economic loss doctrine barred the negligence claim as a matter of law because the employees alleged purely economic loss unaccompanied by physical injury or property damage. The court observed that courts should not impose “a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions,” and that doing so could overwhelm the judicial system and could drive employers out of business. 2015 WL 4945713, at *3 (Pa. Com. Pl. Civ. Div. Allegheny County, May 28, 2015). The court also observed that employers already have sufficient incentive to protect employee information because any breach will affect their operations, and that UPMC was itself a victim of the criminal activity involved.
On appeal, the Pennsylvania Superior Court affirmed dismissal of the negligence claim. However, in a concurring opinion, Judge Stabile reasoned that the decision should be limited to the facts of the case, and that “the evolution and increased use” of electronic storage of information may someday change the balance to favor employees. 154 A.3d 318, 327 (Pa. Super. 2017). In a dissenting opinion, Judge Musmanno disagreed with the majority’s conclusion that the social utility of electronically storing employee data outweighed the risk and foreseeability of the harm to employees. He wrote that the majority’s view was “untenable, given the ubiquitous nature of electronic data storage, the risk to UPMC’s employees posed by the failure to reasonably protect such information, and the foreseeability of a computer breach and subsequent identity theft.” Id. at 328. Judge Musmanno also noted that inadequate electronic data protections could entice thieves to try to steal insecure and sensitive data, and that the imposition of a duty of care would properly incentivize companies to protect the confidential information they required employees to hand over. In addition, Judge Musmanno argued that the cost to the employees resulting from the data breach weighed in favor of imposing a duty, and opined that “[w]hile judicial resources may be expended during litigation of data breaches, the public has a greater interest in protecting the personal and sensitive data collected and electronically stored by employers.” Id. at 327-329.
The Supreme Court of Pennsylvania reversed the lower courts, agreeing with the employees that the case involved the “application of an existing duty to a novel factual scenario, as opposed to the imposition of a new, affirmative duty” requiring analysis of the factors set forth in Pennsylvania case law. 2018 WL 6072199, at *7. The Court observed that, at the preliminary objection stage, it was constrained to accept the employees’ allegations as true. It agreed with the employees that, in requiring the employees to provide data that it stored on its computer systems without the use of adequate security, UPMC owed the employees “a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” Id. at *8.
The Court also rejected UPMC’s argument that the fact it was the victim of theft was a superseding cause of harm to the employees that eliminated any duty UPMC owed the employees, noting that the superseding cause doctrine does not apply where “the actor at the time of his negligent conduct realized or should have realized the likelihood that such a situation might be created, and that a third person might avail himself of the opportunity to commit such a tort or crime.” Id.
Having found that the lower courts erred in concluding that UPMC did not owe a duty to its current and former employees to exercise reasonable care in collecting and storing their personal and financial information on its computer systems, the Court addressed whether the employees’ claim was barred by the economic loss doctrine. It held that the doctrine does not preclude the employees’ negligence claim to the extent the employees can establish that UPMC breached a legal duty independent of any contractual duties existing between the parties.
Under Dittman, Pennsylvania now recognizes that an employer has a common law duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on the employer’s internet-accessible computer system. Like the Morrisons case recently decided in the United Kingdom (see WM Morrison v Various Claimants: Employer Vicariously Liable for Data Protection Breach), the Dittman decision is a reminder to employers that store employee personal and financial information to review their cybersecurity, privacy and risk management decisions and policies to make sure they are comfortable with the risks concomitant with that duty.