In late 2018, the Pennsylvania Supreme Court decided that employees may sue employers for the release of stolen confidential employee data. The Court’s decision in the Dittman vs. University of Pittsburgh Medical Center, allowed University of Pittsburgh Medical Center (“UPMC”) employees to bring a class action for negligence after a data breach from UPMC’s computer systems.
The Decision’s Impact
The Court’s decision will have a far-reaching impact. First, the decision will require employers to use reasonable care to protect employees’ personal and financial information. Second, the decision allows negligence lawsuits even where the plaintiffs’ losses were purely economic and no physical injury or tangible property damage occurred. As such, the decision limits the “economic loss doctrine” that courts had used to dismiss such lawsuits.
The Back Story
The cyber attack took place in 2014. The data breach led to the theft of 62,000 employees’ names, addresses, birth dates, social security numbers, salaries, or tax and bank information. The hackers taking the information then used the stolen data to file fraudulent tax returns and steal employees’ tax refunds.
The Lawsuit
Right after the breach, a group of employees sued UPMC for negligence and breach of implied contract. The employees contended that UPMC had a duty to use reasonable care to protect employees’ personal and financial information from being compromised, lost, stolen, misused, and /or disclosed to unauthorized parties. The employees claimed that UPMC had breached this duty. Specifically, UPMC had (1) failed to undertake adequate security measures, (2) failed to monitor network security, (3) allowed unauthorized access to information, and (4) failed to recognize that information had been compromised. The employees alleged that UPMC failed to meet current standards for encryption, firewalls, and authentication.
UPMC filed preliminary objections seeking immediate dismissal of the complaint. UPMC argued that no duty of care existed to protect against data breaches, and that the economic loss doctrine barred negligence claims.
The Lower Courts Dismiss the Case
The Allegheny County Court of Common Pleas agreed with UPMC and dismissed the employees’ suit. The Court both relied on the economic loss doctrine and held that courts should not create a new affirmative duty of care to protect against data breaches. The Court had concerns that this new duty of care would flood the court system with lawsuits. The Court also said that data breach liability was a policy issue to be addressed by the legislative branch.
The employees appealed to the Superior Court, where a three judge panel upheld the lower court in a 2-1 decision. One dissenting judge stated that employers have a duty of care to protect against data breaches.
The PA Supreme Court Allows Employees to Sue for Data Breach
After accepting the case for appeal, the Pennsylvania Supreme Court overturned the two lower court decisions on both the duty of care and the economic loss issues. The Supreme Court held that UPMC had the duty to protect employee information since UPMC had taken the affirmative step to require employees to provide certain information. The Court said that this duty existed despite the intervening third party theft, because theft was foreseeable without proper data protection.
On the economic loss issue, the Court allowed a negligence claim for economic loss where a duty existed outside the parties’ contractual relationship. The Court found that the employees alleged that UPMC had a duty, outside any contract, to act with reasonable care in collecting and storing personal and financial information on computer systems. The Court’s decision is a setback for efforts to invoke the economic loss doctrine in defending against business-related tort claims.
Practical Implications: Employers Need to Use Reasonable Care to Protect Employee Data
What are the practical implications of the UPMC ruling? Employers will have to take additional steps to lock down confidential employee information. The decision will affect every employer, since all employers collect confidential data in the course of setting up basic transactions like direct deposit and tax and social security withholding. Legislative action may also provide more specific guidance on data protection. The decision will have a continuing effect in the workplace and in development of new data protection policies.