In our last column, we began a discussion of how, in Dittman v. The University of Pittsburgh Medical Center, No. 43 WAP 2017 (PA Supreme Ct. 2018), the Pennsylvania Supreme Court used common law reasoning to determine whether the economic loss doctrine permits recovery for purely pecuniary damages which result from the breach of an independent legal duty arising under common law, as opposed to the breach of a contractual duty. In this column, we will complete our discussion of Dittman and address the pros and cons of using common law reasoning when addressing issues pertaining to digital devices and procedures.


The Supreme Court's Reasoning

In Dittman, the Supreme Court reasoned that the appeal addressed two issues:

  • Does an employer have a legal duty to use reasonable care to safeguard sensitive personal information of its employees when the employer chooses to store such information on an internet accessible computer system?
  • Does the economic loss doctrine permit recovery for purely pecuniary damages which result from the breach of an independent legal duty arising under common law, as opposed to the breach of a contractual duty?

The court noted that plaintiffs argued that Althaus “applied only when determining whether to impose a new, affirmative duty not yet existing under common law, and not when a longstanding preexisting duty arises in a novel factual scenario.” The plaintiffs further contended that “the trial court and Superior Court erred in treating their claim as one seeking the creation of a new, affirmative duty requiring application of the Althaus test, and in concluding that UPMC did not owe a duty.” Quoting the Restatement (Second) of Torts, the plaintiffs asserted that, “as a general rule, 'anyone who does an affirmative act is under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.'” The plaintiffs noted that this rule applies even when the “act” is a new one, such as here, where UPMC collected the plaintiffs' “sensitive personal data and stored it on their internet-accessible computer systems.” Plaintiffs noted that duties under the rule were “limited by the concept of foreseeability,” but then argued that “troves of electronic data stored on internet-accessible computers held by large entities” were “obvious targets for cybercriminals and that a reasonable entity in UPMC's position should foresee that a failure to use basic security measures” could “lead to exposure of the data and serious financial consequences for the victims.” Given, then, the “prevalence of electronic data storage in the employment context and the foreseeable risk of breaches of such data,” it was “appropriate to require employers to use reasonable care when handling and storing employee data in order to protect it from compromise.” The court agreed.

The court further agreed with the plaintiffs' additional argument that “the fact that the ultimate harm” here “resulted from criminal activity” did not “eviscerate the duty UPMC owed” to plaintiffs “to handle its collection and storage of employee data with reasonable care.” While acknowledging that “one generally does not owe a duty to others to protect them against criminal conduct,” the court agreed with plaintiffs that “there are many exceptions to this rule,” that the “duty to take reasonable anticipatory measures against foreseeable criminal conduct in certain scenarios has deep roots in common law,” and that the matter here was “one involving application of an existing duty to a novel factual scenario, as opposed to the imposition of a new, affirmative duty requiring analysis of the Althaus factors.” Relying upon precedent, the court noted that the common law duty at issue was the one that arises when an actor, as UPMC did here, takes the affirmative step of demanding private information: having done so, UPMC was “under a duty … to exercise the care of a reasonable man to protect” plaintiffs and their information “against an unreasonable risk of harm … arising out of the act.”

The court next rejected UPMC's argument that “the economic loss doctrine as applied in Pennsylvania precludes all negligence claims that seek to recover for purely economic damages, save for specifically delineated and narrow exceptions,” and accepted plaintiffs' argument that “such claims are generally permitted provided that a plaintiff can establish a breach of a legal duty independent of any contractual duties existing between the parties.” UPMC's argument, the court reasoned, was based upon a misinterpretation of the court's decisions in Bilt-Rite Contractors v. The Architectural Studio, 866 A.2d 270 (Pa. 2005) and Excavation Technologies v. Columbia Gas Company of Pennsylvania, 985 A.2d 840 (Pa. 2009). The court carefully reviewed those opinions and found that “the economic loss doctrine does not bar negligence-based tort claims involving purely financial harm, provided that the plaintiff establishes that the defendant owed a common law duty arising independently from any contract between the parties.” Since UPMC did owe a common law duty to its employees to protect the information it required plaintiffs to submit to it, neither Bilt-Rite nor Excavation Technologies precluded the plaintiffs' claims.

The court further reasoned that, just as the economic loss doctrine did not bar negligence-based tort claims for purely financial harm, neither did the Pennsylvania Legislature's enactment of the Data Breach Act require application of the economic loss doctrine in this case. UPMC argued that, because the Data Breach Act did not provide a private cause of action for economic losses, but instead established an enforcement action reserved exclusively for the Attorney General for violations of the notification requirement, applying the economic loss doctrine to bar this case was “consistent with the actions of the Legislature in enacting the Data Breach Act.” Plaintiffs responded by distinguishing Excavation Technologies: the duty in that case was statutorily imposed and, thus, the court properly looked to the One Call Act in analyzing whether an entity could be liable for economic losses, whereas “the Data Breach Act's failure to provide for a private cause of action for economic damages based upon a violation of the statutory duty to provide notification ha[d] no impact on the issue of whether a plaintiff could recover solely economic damages under a common law negligence theory for a defendant's initial failure to protect information from a data breach.” The court agreed with plaintiffs.

The court summarized its thinking with respect to application of the economic loss doctrine by looking to the “reasoned approach to the rule” expressed by the South Carolina Supreme Court in Tommy L. Griffin Plumbing & Heating v. Jordan, Jones & Goulding, 463 S.E.2d 85, 88 (S.C. 1995), which observed that, under “modern tort law,” purely “economic loss” may be “recoverable under a variety of tort theories. The question, thus, is not whether the damages are physical or economic. Rather, the question of whether the plaintiff may maintain an action in tort for purely economic loss turns on the determination of the source of the duty plaintiff claims the defendant owed. A breach of a duty which arises under the provisions of a contract between the parties must be redressed under contract, and a tort action will not lie. A breach of duty arising independently of any contract duties between the parties, however, may support a tort action.” The court concluded that Bilt-Rite and Excavation Technologies, both of which looked to the Tommy L. Griffin Plumbing & Heating opinion, did not, as UPMC argued, “stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages,” but rather, quoting from Bilt-Rite, that “Pennsylvania has long recognized that purely economic losses are recoverable in a variety of tort actions” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law.”


Analysis

The court's reasoning in Dittman is sound. What it foretells with regard to the legal requirements pertaining to digital activities is, however, at the very best, troubling.

Legal conflicts arising from digital activities can be governed by statute, if one is in place pertinent to the conflict, by contract, if one is in place between the conflicting parties, or by common law. Each means of governance has its own problems, arising from the differences among digital devices and processes, the varying degrees of understanding that courts and lawyers possess of those devices and processes, the constant changes in such devices and processes, and the improvements criminals make to the means of gaining improper access to digital data.

  • Digital Devices and Processes.

It is easy to see that promulgating laws which set forth rules with regard to responsibilities for the maintenance and processes of digital devices can lead to many problems. Devices themselves can differ greatly from a technical point of view, even if to the average user they are more or less the same: consider, for example, the differences between Apple and Microsoft devices, or the differences between various cell phones. A law which assumes that how one type of device works is how all work will quickly run into problems. To ensure that legislators draft laws appropriate to all devices and processes, and that courts and lawyers understand how such laws should be interpreted as they apply to the different devices and processes, is, at best, an extremely hard goal to achieve.

  • Changes in Devices and Processes.

It is impossible to know anything about digital devices and processes in today's world and not know how quickly such devices and processes change. One consequence of those changes is that, even assuming that a law is promulgated that understands and suits current devices and processes perfectly, it is only a matter of time—probably less than a year—before changes in devices and/or processes will create important circumstances the law does not address or render the commands of the law inapplicable. Given the difficulty in getting any legislation passed, the probability that legislative bodies (see below for a discussion of which bodies can and will promulgate laws pertaining to devices and processes) will devote their time and energy to amending laws in light of changes in devices or processes is slim to none. Thus, practically speaking, laws will not be able, for very long, to provide rules governing the maintenance and processes of digital devices.

  • State, Federal and International Law.

An additional barrier to laws providing rules governing the maintenance and processes of digital devices is that there can be, generally speaking, four sources for such laws—state and federal laws in the United States, and laws of different countries as well as groups of said countries (e.g., the EU)—and all such sources can produce laws which differ from those of the other sources. Data originating in the United States may be produced from 10 different states, reside on a server in an 11th state, and be backed up to a server in a country within the EU, which is governed by the GDPR. Which of the laws of the 13 jurisdictions (11 states, the United States and the EU) governs would not be the result of a universally accepted, well-reasoned argument, but a guess.

  • Changes, Improvements to Criminal Tools, Knowledge Levels and Common Law.

Given that laws, from their enactment, may misunderstand devices or processes, miss changes to devices and processes made while the laws were being enacted, may miss whole blocks of devices or processes, or miss, misstate or misunderstand how outside personnel may gain unauthorized access to devices or processes or change such devices or processes without authority, it is tempting to advocate that devices and processes should be governed by common law, which a court can more readily change due to changed circumstances than can all of the legislatures that may promulgate the laws overseeing devices and processes. Common law, however, has its share of problems as well.

The technical knowledge underlying any common law solution will come from what the courts and attorneys know in general as well as what is represented in filings and arguments particular to any subject. Those filings, made on behalf of a client, can easily be one-sided: advocacy for the client rather than a proper basis for the court's ruling. The general knowledge of the courts and attorneys is likely to be considerably less than that of experts in the field, and thus not a sound basis for a common law ruling. Furthermore, given the changes in devices and procedures, as well as the advancement of techniques to do improper things to digital data (e.g., to access, change or destroy it without authority, to implant malware, etc.), the soundness of the general knowledge of the courts and attorneys will likely decrease over time, making it harder for common law opinions, published as issues arise, to have any strong consistency. As well, these same changes and inconsistencies make it much harder for actors in the marketplace to rely upon devices or to promulgate and rely upon policies, since what might be sound technology and policy today could well be unsound tomorrow. Finally, all of the sources of legal opinions—50 states in the United States plus the federal government, and many, many countries (whether by themselves or in groups) across the globe—will add to the number of voices to be heard, and possibly followed, when determining a common law solution. The flexibility which a common law solution allows, in contrast with the inflexibility of a state or federal law, can and most likely will result in a lack of consistent legal solutions, and so a lack of guidance for those seeking to promulgate and follow proper digital procedures.


Conclusion

Dittman provided a good solution to the problem the court faced, but the common law is by no means the best tool with which to face the legal issues which digital devices and information technology present now and will present in greater number and complexity in the future. Responsive laws, enacted by states, countries and groups of countries, will be harder to put into place than will a holding issued by a court of seven or nine Justices, but they should address the issues better and provide greater consistency than will common law solutions; that consistency should allow actors to put into place and follow procedures with confidence that they will survive the challenges of the technical and commercial worlds.

Leonard Deutchman is a legal consultant recently retired from one of the nation's largest e-discovery providers, KLDiscovery, where he was vice president, Legal. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.