Lawyers in UPMC Data Breach Case Spar Over Complexity of Central Issue
Attorney Gary Lynch, arguing before the Pennsylvania Supreme Court on behalf of the plaintiffs in a closely watched case over UPMC's employee data breach, urged the justices to set aside the technical complexities associated with the field of cybersecurity and instead focus on "one of the most fundamental tenets of our common law."
April 19, 2018 at 04:52 PM
7 minute read
Attorney Gary Lynch, arguing before the Pennsylvania Supreme Court on behalf of the plaintiffs in a closely watched case over UPMC's employee data breach, urged the justices to set aside the technical complexities associated with the field of cybersecurity and instead focus on “one of the most fundamental tenets of our common law.”
“And that tenet is simply that one who does an affirmative act is under a duty to exercise reasonable care so as to protect against foreseeable harm,” he said.
When asked by Justice Debra Todd why it shouldn't be left to the state legislature to establish a duty of care for those who handle electronic data, Lynch replied, “We're not talking about establishing a new affirmative duty under the law, we're talking about application of general negligence principles.”
“So what you're arguing is that even though technology may have brought us facts that are new and factual scenarios that haven't occurred before, the fundamental legal issue and policy issue is the same,” Todd said.
“Absolutely, Justice Todd,” Lynch said.
Minutes later, however, Lynch's opponent in the case, John Conti, representing UPMC, painted the case as uncharted legal territory.
“There is nothing like cybersecurity,” he said. “Never in the history of humankind has there been a circumstance where a single criminal act can be perpetrated [by] someone around the globe—a nation state, a lone hacker, an organized criminal—that can instantaneously impact and compromise the data of thousands or millions or even billions of individuals.”
The arguments in Dittman v. UPMC, held April 10 in Pittsburgh, follow the state Superior Court's controversial January 2017 decision in which it held that UPMC could not be held liable in a suit brought by several employees who were victims of identity theft after their electronically stored employment information—including dates of birth, addresses and Social Security numbers—was stolen from the health care provider's servers. The ruling affirmed a decision from the Allegheny County Court of Common Pleas, which had tossed the proposed class action suit that had alleged negligence and breach of implied contract.
Judge Judith Ference Olson, who wrote the Superior Court's majority opinion, weighed the social utility of UPMC's use of electronic storage against the risk and foreseeability of being hacked, and determined that the court should not impose a duty on the health care company.
“In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without a doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data,” Olson said. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”
The ruling surprised a number of cybersecurity lawyers, who said it appeared to create a nearly insurmountable hurdle for plaintiffs in Pennsylvania state court and was out of step with several other courts that have tackled similar issues.
At the Supreme Court oral argument session, the justices zeroed in on the issue of foreseeability as it relates to data breaches, comparing and contrasting the protection of electronic data with the protection of sensitive physical documents.
“Counsel, could we take IT out of it for just a moment?” Todd asked Lynch, before laying out a hypothetical scenario in which UPMC stored hard copies of employee records in a high-crime area and left the doors unlocked with no security, ultimately leading to the theft of those records.
“Is there a duty there and how would it differ from the duty you're suggesting in the IT context?” Todd asked.
Lynch replied, “In your hypothetical you made mention that it was known to be a bad neighborhood. … If there's a distinction at all between your hypothetical and this scenario we're dealing with here it's that the foreseeability of the criminal activity is absolute.”
“Every IT system that's internet-accessible lives in an environment of constant attack,” he continued, “so it's not even like the hypothetical that you presented where we're talking about a neighborhood [where] a criminal may or may not come along and try to break into the building that night. We already know that the IT system is under constant attack multiple times per minute, every moment of the day. So this is more of an environment of risk than it is worrying about an ad hoc criminal attempt.”
But Lynch said the duty to protect the data is the same in both scenarios. In the context of electronic data theft, it should be up to cybersecurity experts to then testify as to the standard of care and, ultimately, a jury to determine whether that standard was breached.
But Conti, arguing that the claims in Dittman were barred by the economic loss doctrine, said “foreseeability does not exist in this case.”
“When we talk about foreseeability we're talking about much more than the statistical likelihood that something could occur,” Conti said, adding, “In a very general sense, one can say, 'Of course, these systems are under constant attack so that is foreseeable,' but that is far different from what the notion of foreseeability is in these circumstances.”
But Justice David Wecht asked why companies hire staff and institute protocols specifically to protect against data breaches if those breaches are not foreseeable.
“We are not talking about a unique threat, we are talking about threats that can emanate from any number of sources … if you multiply those possibilities together you get a thousand different iterations of risk,” Conti replied.
“So it's not that it's not foreseeable, your argument is—and I think Judge Olson had this view basically—'We just can't control this so we're not going to allow a remedy.' That's your argument isn't it?” Wecht replied.
Conti said it was his argument but stressed that the concept of “foreseeability” under the law is different from the common-sense understanding of the word.
Chief Justice Thomas Saylor asked what harm, from a public policy standpoint, it would do for the court to decide that “there's a duty to use all reasonable means to protect employees' private personal data.”
Conti responded that because there is no well-established standard of care in the context of cybersecurity, unsophisticated businesses that don't have the resources or expertise, such as small mom-and-pop shops and nonprofits, could potentially be held to an impossible standard.
Conti added that companies potentially face “ruinous liability” because cyberattacks are not completely preventable.
“The consequences befall every purported tortfeasor, just in different ways,” Conti said. ”The cost would be, to certain extents, passed along to customers who ultimately would bear the burden. And smaller entities and nonprofits would bear the burden, perhaps in a different way, by going out of business. So the burden of litigation exists and, frankly, the businesses would be hurt and the only one that would do well I think is the trial bar.”
Wecht suggested to Conti that imposing no duty on employers to protect employees' private data would disincentivize those employers to take any measures to protect that data.
But Conti called that notion “a little cynical and flat-out wrong” given, for example, the remediation costs companies incur following data breaches.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Pittsburgh Judge Rules Loan Company's Online Arbitration Agreement Unenforceable
3 minute read
De-Mystifying the Ethics of the Attorney Transition Process, Part 1
Risk Mitigation: Employee Engagement Results in Fewer Lawsuits (and Other Benefits)
5 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
