Lawyers in UPMC Data Breach Case Spar Over Complexity of Central Issue
April 19, 2018 at 04:52 PM
Attorney Gary Lynch, arguing before the Pennsylvania Supreme Court on behalf of the plaintiffs in a closely watched case over UPMC's employee data breach, urged the justices to set aside the technical complexities associated with the field of cybersecurity and instead focus on “one of the most fundamental tenets of our common law.”
“And that tenet is simply that one who does an affirmative act is under a duty to exercise reasonable care so as to protect against foreseeable harm,” he said.
When asked by Justice Debra Todd why it shouldn't be left to the state legislature to establish a duty of care for those who handle electronic data, Lynch replied, “We're not talking about establishing a new affirmative duty under the law, we're talking about application of general negligence principles.”
“So what you're arguing is that even though technology may have brought us facts that are new and factual scenarios that haven't occurred before, the fundamental legal issue and policy issue is the same,” Todd said.
“Absolutely, Justice Todd,” Lynch said.
Minutes later, however, Lynch's opponent in the case, John Conti, representing UPMC, painted the case as uncharted legal territory.
“There is nothing like cybersecurity,” he said. “Never in the history of humankind has there been a circumstance where a single criminal act can be perpetrated [by] someone around the globe—a nation state, a lone hacker, an organized criminal—that can instantaneously impact and compromise the data of thousands or millions or even billions of individuals.”
The arguments in Dittman v. UPMC, held April 10 in Pittsburgh, follow the state Superior Court's controversial January 2017 decision in which it held that UPMC could not be held liable in a suit brought by several employees who were victims of identity theft after their electronically stored employment information—including dates of birth, addresses and Social Security numbers—was stolen from the health care provider's servers. The ruling affirmed a decision from the Allegheny County Court of Common Pleas, which had tossed the proposed class action suit that had alleged negligence and breach of implied contract.
Judge Judith Ference Olson, who wrote the Superior Court's majority opinion, weighed the social utility of UPMC's use of electronic storage against the risk and foreseeability of being hacked, and determined that the court should not impose a duty on the health care company.
“In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without a doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data,” Olson said. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”
The ruling surprised a number of cybersecurity lawyers, who said it appeared to create a nearly insurmountable hurdle for plaintiffs in Pennsylvania state court and was out of step with several other courts that have tackled similar issues.
At the Supreme Court oral argument session, the justices zeroed in on the issue of foreseeability as it relates to data breaches, comparing and contrasting the protection of electronic data with the protection of sensitive physical documents.
“Counsel, could we take IT out of it for just a moment?” Todd asked Lynch, before laying out a hypothetical scenario in which UPMC stored hard copies of employee records in a high-crime area and left the doors unlocked with no security, ultimately leading to the theft of those records.
“Is there a duty there and how would it differ from the duty you're suggesting in the IT context?” Todd asked.
Lynch replied, “In your hypothetical you made mention that it was known to be a bad neighborhood. … If there's a distinction at all between your hypothetical and this scenario we're dealing with here it's that the foreseeability of the criminal activity is absolute.”
“Every IT system that's internet-accessible lives in an environment of constant attack,” he continued, “so it's not even like the hypothetical that you presented where we're talking about a neighborhood [where] a criminal may or may not come along and try to break into the building that night. We already know that the IT system is under constant attack multiple times per minute, every moment of the day. So this is more of an environment of risk than it is worrying about an ad hoc criminal attempt.”
But Lynch said the duty to protect the data is the same in both scenarios. In the context of electronic data theft, it should be up to cybersecurity experts to then testify as to the standard of care and, ultimately, a jury to determine whether that standard was breached.
But Conti, arguing that the claims in Dittman were barred by the economic loss doctrine, said “foreseeability does not exist in this case.”
“When we talk about foreseeability we're talking about much more than the statistical likelihood that something could occur,” Conti said, adding, “In a very general sense, one can say, 'Of course, these systems are under constant attack so that is foreseeable,' but that is far different from what the notion of foreseeability is in these circumstances.”
But Justice David Wecht asked why companies hire staff and institute protocols specifically to protect against data breaches if those breaches are not foreseeable.
“We are not talking about a unique threat, we are talking about threats that can emanate from any number of sources … if you multiply those possibilities together you get a thousand different iterations of risk,” Conti replied.
“So it's not that it's not foreseeable, your argument is—and I think Judge Olson had this view basically—'We just can't control this so we're not going to allow a remedy.' That's your argument isn't it?” Wecht replied.
Conti said it was his argument but stressed that the concept of “foreseeability” under the law is different from the common-sense understanding of the word.
Chief Justice Thomas Saylor asked what harm, from a public policy standpoint, it would do for the court to decide that “there's a duty to use all reasonable means to protect employees' private personal data.”
Conti responded that because there is no well-established standard of care in the context of cybersecurity, unsophisticated businesses that don't have the resources or expertise, such as small mom-and-pop shops and nonprofits, could potentially be held to an impossible standard.
Conti added that companies potentially face “ruinous liability” because cyberattacks are not completely preventable.
“The consequences befall every purported tortfeasor, just in different ways,” Conti said. “The cost would be, to certain extents, passed along to customers who ultimately would bear the burden. And smaller entities and nonprofits would bear the burden, perhaps in a different way, by going out of business. So the burden of litigation exists and, frankly, the businesses would be hurt and the only one that would do well I think is the trial bar.”
Wecht suggested to Conti that imposing no duty on employers to protect employees' private data would disincentivize those employers from taking any measures to protect that data.
But Conti called that notion “a little cynical and flat-out wrong” given, for example, the remediation costs companies incur following data breaches.