Stolen Employee Data: Pennsylvania Supreme Court Decision Breaks New Ground

In late 2018, the Pennsylvania Supreme Court decided that employees may sue employers for the release of stolen confidential employee data. The Court’s decision in the Dittman vs. University of Pittsburgh Medical Center, allowed University of Pittsburgh Medical Center (“UPMC”) employees to bring a class action for negligence after a data breach from UPMC’s computer systems.

The Decision’s Impact

The Court’s decision will have a far-reaching impact. First, the decision will require employers to use reasonable care to protect employees’ personal and financial information. Second, the decision allows negligence lawsuits even where the plaintiffs’ losses were purely economic and no physical injury or tangible property damage occurred. As such, the decision limits the “economic loss doctrine” that courts had used to dismiss such lawsuits.

The Back Story

The cyber attack took place in 2014. The data breach led to the theft of 62,000 employees’ names, addresses, birth dates, social security numbers, salaries, or tax and bank information. The hackers taking the information then used the stolen data to file fraudulent tax returns and steal employees’ tax refunds.

The Lawsuit

Right after the breach, a group of employees sued UPMC for negligence and breach of implied contract. The employees contended that UPMC had a duty to use reasonable care to protect employees’ personal and financial information from being compromised, lost, stolen, misused, and /or disclosed to unauthorized parties. The employees claimed that UPMC had breached this duty. Specifically, UPMC had (1) failed to undertake adequate security measures, (2) failed to monitor network security, (3) allowed unauthorized access to information, and (4) failed to recognize that information had been compromised. The employees alleged that UPMC failed to meet current standards for encryption, firewalls, and authentication.

UPMC filed preliminary objections seeking immediate dismissal of the complaint. UPMC argued that no duty of care existed to protect against data breaches, and that the economic loss doctrine barred negligence claims.

The Lower Courts Dismiss the Case

The Allegheny County Court of Common Pleas agreed with UPMC and dismissed the employees’ suit. The Court both relied on the economic loss doctrine and held that courts should not create a new affirmative duty of care to protect against data breaches. The Court had concerns that this new duty of care would flood the court system with lawsuits. The Court also said that data breach liability was a policy issue to be addressed by the legislative branch.

The employees appealed to the Superior Court, where a three judge panel upheld the lower court in a 2-1 decision. One dissenting judge stated that employers have a duty of care to protect against data breaches.

The PA Supreme Court Allows Employees to Sue for Data Breach

After accepting the case for appeal, the Pennsylvania Supreme Court overturned the two lower court decisions on both the duty of care and the economic loss issues. The Supreme Court held that UPMC had the duty to protect employee information since UPMC had taken the affirmative step to require employees to provide certain information. The Court said that this duty existed despite the intervening third party theft, because theft was foreseeable without proper data protection.

On the economic loss issue, the Court allowed a negligence claim for economic loss where a duty existed outside the parties’ contractual relationship. The Court found that the employees alleged that UPMC had a duty, outside any contract, to act with reasonable care in collecting and storing personal and financial information on computer systems. The Court’s decision is a setback for efforts to invoke the economic loss doctrine in defending against business-related tort claims.

Practical Implications: Employers Need to Use Reasonable Care to Protect Employee Data

What are the practical implications of the UPMC ruling? Employers will have to take additional steps to lock down confidential employee information. The decision will affect every employer, since all employers collect confidential data in the course of setting up basic transactions like direct deposit and tax and social security withholding. Legislative action may also provide more specific guidance on data protection. The decision will have a continuing effect in the workplace and in development of new data protection policies.

Is Crowdfunding Taxed?

An elderly man beaten with a brick on July 4th in Los Angeles is in critical condition. A German Shepherd is beaten and shot while protecting his young owner during a burglary. Then, there is the little girl born prematurely who needs tests, treatments, doctors and surgeries to survive. In each of these situations, the individuals received financial assistance by using the donation-based crowdfunding platform GoFundMe.


Crowdfunding isn’t a new concept

In their paper, a Brief History of Crowdfunding, David M. Freedman and Matthew R. Nutting define crowdfunding as “a method of collecting many small contributions, by means of an online platform, to finance or capitalize a popular enterprise.” The internet has allowed crowdfunding to reach an unlimited number of potential donations, but crowdfunding is not new. One famous example of pre-internet crowdfunding was the fundraising campaign for the Statue of Liberty’s pedestal.

When the Statute of Liberty sailed from France in 1885, there was no pedestal for her. She remained in crates on Bedloe’s Island for over a year until Joseph Pulitzer, owner of “The World” opened up his newspaper’s editorial pages to support the effort. Similar to a GoFundMe page, Pulitzer proposed to print the name of every individual who donated to the construction of the pedestal on the front page of The World, no matter how small the amount. His idea worked. By the fall of 1885 over 120,000 people had donated over $100,000, enough funds to complete the project.


Income Tax Implications

It’s unlikely that an individual who sets up a crowdfunding page considers the income tax implications of their fundraising efforts. In fact, Section 61 of the IRS Code states that “gross income means all income from whatever source derived,” unless a specific statutory exception exists. So, based on Section 61, the general rule is revenue raised from crowdfunding is includible in income unless specifically excluded elsewhere. However, a statutory exception does exist that may exclude crowdfunding revenue from an individual’s gross income. That exception arises under IRC 102(a), which is commonly known as the gift and bequest exclusion.

If a GoFundMe page is established correctly, the amounts raised may qualify for the gift and bequest exclusion under IRC 102(a). But when does a donation qualify as a gift rather than income under IRS Code Section & Regulations? The U.S. Supreme Court has defined a gift as given from ” ‘detached and disinterested generosity,’ … ‘out of affection, respect, admiration, charity, or like impulses,’ ” and not from ” ‘any moral or legal duty,’ or from ‘the incentive of anticipated benefit,'” or “in return for services rendered” (Duberstein, 363 U.S. 278, 285 (1960)). So, generous donors who make payments to GoFundMe pages should be giving based on a “detached and disinterested generosity” and should not receive any services or goods or “quid pro quo” for their donation.


Keep a paper trail

Remember the burden is upon the GoFundMe campaigner to prove the funds received qualify for the gift and bequest exclusion under IRC 102(a). Therefore, it is important to keep a paper trail and document everything in case the IRS comes knocking upon your door.

Essential steps in the paper trail include the following:

  1. Keep a list of the donors to the GoFundMe campaign; include their name, date of donation, and amount donated, and any contact information provided by GoFundMe.
  2. Clearly identify the recipient of the funds on the GoFundMe page.
  3. If the campaign is set up by someone other than the beneficiary, be sure to clearly indicate on the GOFUNDME page that the creator is acting on behalf of the beneficiary.
  4. Be sure the campaign website clearly states that donations or gifts are solicited. If possible and appropriate, the website should also state that donors will receive nothing in return for their donations.
  5. Print and keep a copy of the campaign website to show to the IRS. By the time the IRS issues a notice of deficiency, the campaign website may no longer be available and the taxpayer (whether an agent or a beneficiary) has no way of showing the IRS the information used to solicit donations.
  6. Keep documentation of all monetary transfers of the funds to the beneficiary or spent on behalf of the beneficiary. A clear paper trail or accounting should exist showing that the funds were spent as indicated on the website. Receipts, invoices and copies of checks should be maintained as well.

In the examples used above (the premature birth, the elderly man, and the German Shepherd), the funds raised are for necessities (i.e., medical treatment and care), and the donors did not receive any services or goods in return. Once donation based crowdfunding moves to patronage-oriented endeavors such as creative or artistic endeavors, where a backer receives something in exchange for their payment, or equity-based crowdfunding, where backers received equity for their payment, the funds donated no longer qualify for the IRC 102(a) gift and bequest exclusion. Instead, the crowdfunding campaign has clearly moved into the realm of generating revenue that is reportable income to the IRS.

If you have any questions about the legalities of crowdfunding, please contact us at main@highswartz.com or call (215) 345-8888. Or contact any of our estate attorneys in Bucks or Montgomery Counties. Our Wills, Trusts & Estates attorneys provide comprehensive legal services to assist in all of these matters.

The information above is general: we recommend that you consult an attorney regarding your specific circumstances.  The content of this information is not meant to be considered as legal advice or a substitute for legal representation.