Pa. Justices Rule Companies Have Common-Law Duty to Protect Employees' Electronic Data
A six-justice high court unanimously ruled to reverse the lower court's rulings and reinstate the lawsuit against UPMC.
November 21, 2018 at 01:53 PM
6 minute read
The Pennsylvania Supreme Court has ruled that companies have a common-law duty to protect their electronically stored employee data, reversing two controversial lower court rulings that tossed out a lawsuit against UPMC over a data breach that exposed the personal information of tens of thousands of current and former employees.
In Wednesday's decision in Dittman v. UPMC, a six-justice high court unanimously ruled to reverse the lower court's rulings and reinstate the lawsuit against UPMC. Justice Christine Donohue did not participate in the decision.
Justice Max Baer, writing for the majority, agreed with the plaintiffs' argument that because UPMC required its employees to hand over certain personal and financial information, which it then stored on its computer systems, the company owed them “a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”
“The alleged conditions surrounding UPMC's data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in UPMC's computer system and steal employees' information; thus, the data breach was 'within the scope of the risk created by' UPMC,” Baer said, quoting language from the 1977 Supreme Court case Ford v. Jeffries, in which the justices held that a party can be sued for a negligent act that creates the opportunity for a third party to commit a criminal act if the negligent actor realized or should have realized the likelihood of such a crime occurring. ”Therefore, the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect employees' personal and financial information from that breach.”
Baer also rejected UPMC's argument that the plaintiffs' claims were barred by the economic loss doctrine.
UPMC had pointed to the Supreme Court's previous rulings in Bilt-Rite Contractors v. The Architectural Studio, from 2005, and Excavation Technologies v. Columbia Gas Co. of Pennsylvania, from 2009, to argue that the economic loss doctrine precludes all negligence claims seeking solely economic damages.
But Baer said UPMC misinterpreted both decisions, noting that Bilt-Rite held that the applicability of the economic loss doctrine turns on the source of the duty plaintiffs claim they're owed.
“Specifically, if the duty arises under a contract between the parties, a tort action will not lie from a breach of that duty,” Baer said. ”However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.”
“Here, employees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems,” Baer continued. “As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar employees' claim.”
Baer's majority opinion was joined in full by Justices Kevin Dougherty, Sallie Updyke Mundy and David Wecht.
Chief Justice Thomas Saylor, joined by Justice Debra Todd, penned a concurring and dissenting opinion agreeing that the lawsuit should be reinstated but taking issue with the majority's analysis of the economic loss doctrine.
Saylor said he believed the plaintiffs claim in Dittman sounded in both contract and tort and that the majority went too far in holding that the economic loss doctrine is inapplicable as long as a plaintiff can establish that a duty exists independently from a contractual obligation.
“From my point of view, a proclamation negating the operation of the economic loss doctrine in the tort law arena is both unnecessary to the resolution of the present case and imprudent,” Saylor said. “Instead, particularly because of the hybrid nature of employees' claim, I find that the applicability of the economic loss doctrine should be determined more by way of a discrete social policy assessment than as a matter of mere categorization.”
Noting that he was “sympathetic to UPMC's concerns about exposure to litigation and the scale of the potential liability involved,” Saylor said other courts, including the U.S. Court of Appeals for the First Circuit, have limited the scope of economic damages recoverable in data breach cases without completely barring economic damages.
“Although any such limitations are not directly in issue here, I strike the balance here in favor of permitting recovery of at least mitigation damages—in the data breach context—in instances in which an employee or employees prove that the employer has violated the duty to exercise reasonable care in protecting confidential personal and financial data,” Saylor said.
In Dittman, the Superior Court ruled in January 2017 that UPMC could not be held liable in a suit brought by several employees who were victims of identity theft after their electronically stored employment information—including dates of birth, addresses and Social Security numbers—was stolen from the health care provider's servers. The ruling affirmed a decision from the Allegheny County Court of Common Pleas, which had tossed the proposed class action suit that had alleged negligence and breach of implied contract.
Judge Judith Ference Olson, who wrote the Superior Court's majority opinion, weighed the social utility of UPMC's use of electronic storage against the risk and foreseeability of being hacked, and determined that the court should not impose a duty on the health care company.
“In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without a doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data,” Olson said. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”
The ruling surprised a number of cybersecurity lawyers, who said it appeared to create a nearly insurmountable hurdle for plaintiffs in Pennsylvania state court and was out of step with several other courts that have tackled similar issues.
Gary Lynch of Carlson Lynch Sweet Kilpela & Carpenter in Pittsburgh represented the plaintiffs.
Reached Wednesday for a comment on the Supreme Court's ruling, Lynch said in an emailed statement, “We are quite obviously pleased with the Supreme Court of Pennsylvania's opinion, and we are excited to have the opportunity to proceed with our clients' claims. We believe this is a very important decision in the developing field of cybersecurity tort law, not just in Pennsylvania—but also nationally—because we anticipate other courts will be influenced by the solid reasoning of the Pa. Supreme Court in recognizing that a recipient of an individual's personally identifiable information is under a general duty of care to act reasonably to protect such data from foreseeable risk of theft. Additionally, this decision puts to bed any confusion regarding the scope of the economic loss rule in Pennsylvania.”
UPMC was represented by John Conti of Dickey, McCamey & Chilcote in Pittsburgh. He did not immediately return a call for comment Wednesday.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllPlaintiffs Seek Redo of First Trial Over Medical Device Plant's Emissions
4 minute readHospital Must Provide Pre-Complaint Discovery in Privacy Breach Case, Pa. Judge Rules
4 minute readPhila. Anesthesiologist Wins Defense Verdict in Multimillion-Dollar Case Over C-Section Complications
3 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250