Photo: Shutterstock

The Pennsylvania Supreme Court has ruled that companies have a common-law duty to protect their electronically stored employee data, reversing two controversial lower court rulings that tossed out a lawsuit against UPMC over a data breach that exposed the personal information of tens of thousands of current and former employees.

In Wednesday's decision in Dittman v. UPMC, a six-justice high court unanimously ruled to reverse the lower court's rulings and reinstate the lawsuit against UPMC. Justice Christine Donohue did not participate in the decision.

Justice Max Baer, writing for the majority, agreed with the plaintiffs' argument that because UPMC required its employees to hand over certain personal and financial information, which it then stored on its computer systems, the company owed them “a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”

“The alleged conditions surrounding UPMC's data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in UPMC's computer system and steal employees' information; thus, the data breach was 'within the scope of the risk created by' UPMC,” Baer said, quoting language from the 1977 Supreme Court case Ford v. Jeffries, in which the justices held that a party can be sued for a negligent act that creates the opportunity for a third party to commit a criminal act if the negligent actor realized or should have realized the likelihood of such a crime occurring. ”Therefore, the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect employees' personal and financial information from that breach.”

Baer also rejected UPMC's argument that the plaintiffs' claims were barred by the economic loss doctrine.

UPMC had pointed to the Supreme Court's previous rulings in Bilt-Rite Contractors v. The Architectural Studio, from 2005, and Excavation Technologies v. Columbia Gas Co. of Pennsylvania, from 2009, to argue that the economic loss doctrine precludes all negligence claims seeking solely economic damages.

But Baer said UPMC misinterpreted both decisions, noting that Bilt-Rite held that the applicability of the economic loss doctrine turns on the source of the duty plaintiffs claim they're owed.

“Specifically, if the duty arises under a contract between the parties, a tort action will not lie from a breach of that duty,” Baer said. ”However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.”

“Here, employees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems,” Baer continued. “As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar employees' claim.”

Baer's majority opinion was joined in full by Justices Kevin Dougherty, Sallie Updyke Mundy and David Wecht.

Chief Justice Thomas Saylor, joined by Justice Debra Todd, penned a concurring and dissenting opinion agreeing that the lawsuit should be reinstated but taking issue with the majority's analysis of the economic loss doctrine.

Saylor said he believed the plaintiffs claim in Dittman sounded in both contract and tort and that the majority went too far in holding that the economic loss doctrine is inapplicable as long as a plaintiff can establish that a duty exists independently from a contractual obligation.

“From my point of view, a proclamation negating the operation of the economic loss doctrine in the tort law arena is both unnecessary to the resolution of the present case and imprudent,” Saylor said. “Instead, particularly because of the hybrid nature of employees' claim, I find that the applicability of the economic loss doctrine should be determined more by way of a discrete social policy assessment than as a matter of mere categorization.”

Noting that he was “sympathetic to UPMC's concerns about exposure to litigation and the scale of the potential liability involved,” Saylor said other courts, including the U.S. Court of Appeals for the First Circuit, have limited the scope of economic damages recoverable in data breach cases without completely barring economic damages.

“Although any such limitations are not directly in issue here, I strike the balance here in favor of permitting recovery of at least mitigation damages—in the data breach context—in instances in which an employee or employees prove that the employer has violated the duty to exercise reasonable care in protecting confidential personal and financial data,” Saylor said.

In Dittman, the Superior Court ruled in January 2017 that UPMC could not be held liable in a suit brought by several employees who were victims of identity theft after their electronically stored employment information—including dates of birth, addresses and Social Security numbers—was stolen from the health care provider's servers. The ruling affirmed a decision from the Allegheny County Court of Common Pleas, which had tossed the proposed class action suit that had alleged negligence and breach of implied contract.

Judge Judith Ference Olson, who wrote the Superior Court's majority opinion, weighed the social utility of UPMC's use of electronic storage against the risk and foreseeability of being hacked, and determined that the court should not impose a duty on the health care company.

“In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without a doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data,” Olson said. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”

The ruling surprised a number of cybersecurity lawyers, who said it appeared to create a nearly insurmountable hurdle for plaintiffs in Pennsylvania state court and was out of step with several other courts that have tackled similar issues.

Gary Lynch of Carlson Lynch Sweet Kilpela & Carpenter in Pittsburgh represented the plaintiffs.

Reached Wednesday for a comment on the Supreme Court's ruling, Lynch said in an emailed statement, “We are quite obviously pleased with the Supreme Court of Pennsylvania's opinion, and we are excited to have the opportunity to proceed with our clients' claims. We believe this is a very important decision in the developing field of cybersecurity tort law, not just in Pennsylvania—but also nationally—because we anticipate other courts will be influenced by the solid reasoning of the Pa. Supreme Court in recognizing that a recipient of an individual's personally identifiable information is under a general duty of care to act reasonably to protect such data from foreseeable risk of theft. Additionally, this decision puts to bed any confusion regarding the scope of the economic loss rule in Pennsylvania.”

UPMC was represented by John Conti of Dickey, McCamey & Chilcote in Pittsburgh. He did not immediately return a call for comment Wednesday.