The Legal Intelligencer Attorney of the Year nominee, Gary F. Lynch, of Carlson Lynch, poses for a picture in his office in Pittsburgh. (Photo by Laura Mares)

Last year, Pittsburgh-based plaintiffs attorney Gary Lynch successfully argued to the Pennsylvania Supreme Court in Dittman v. UPMC that companies have a common-law duty to protect their electronically stored employee data.

The high court's decision reversed two controversial lower court rulings that had tossed out a putative class action against the University of Pittsburgh Medical Center over a data breach that exposed the personal information of tens of thousands of current and former employees.

But while Dittman was hailed as a major win for Pennsylvania plaintiffs in the burgeoning arena of cybersecurity tort actions, Lynch himself was most proud of another, broader aspect of the ruling: the Supreme Court's holding that its 2005 decision in Bilt-Rite Contractors v. The Architectural Studio did not stand for the proposition that the economic loss doctrine precludes all negligence claims seeking solely economic damages.

Instead, the court in Dittman said, the applicability of the economic loss doctrine turns on the source of the duty plaintiffs claim they're owed.

“Specifically, if the duty arises under a contract between the parties, a tort action will not lie from a breach of that duty,” Justice Max Baer wrote for the court. ”However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.”

Lynch said that part of the ruling was a “huge vindication” for the months and months he had spent trying to convince anyone who would listen that Bilt-Rite was being chronically misinterpreted as a blanket ban on purely economic damages in tort.

To Lynch, this was made plain by the Bilt-Rite opinion, in which the court specifically noted that “'Pennsylvania has long recognized that purely economic losses are recoverable in a variety of tort actions'” and that “'a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law.'”

As he prepared and honed his arguments in Dittman, Lynch made it a habit to press his fellow practitioners for their own interpretation of the Bilt-Rite opinion.

“I started to annoy my colleagues that do this across the country,” he said. “Any time I'd talk to one of them, I'd say, 'Do me a favor, you're a lawyer, read this page and tell me what the holding is.'”

When the Dittman ruling came down, siding with him on the economic loss doctrine issue, Lynch said, “I got at least a couple of calls from personal injury lawyers who said, 'That's going to be huge.'”

Lynch, a name partner at Carlson Lynch in Pittsburgh, is involved in just about every major cyber breach litigation in the U.S., but such cases weren't always his focus.

His practice primarily centered on wage-and-hour and consumer protection litigation until he was hired to represent a class of financial institutions suing Target over its 2013 data breach, which compromised millions of customers' payment card information.

Since then, data breach litigation has become the bulk of his practice. He was appointed last year as co-lead counsel in a national multidistrict litigation brought by over 70 financial institutions against Equifax, related to the company's 2017 data breach. He was also appointed co-lead counsel in litigation brought by financial institutions against the Wendy's fast food chain over a 2015 data breach that exposed customers' credit card information. More recently, he was appointed to the steering committee leading class actions brought by consumers over Marriott Inc.'s 2018 data breach.

But the Dittman case afforded Lynch, who spends most of his time in federal court, the rare opportunity to litigate in Pennsylvania state court.

Ultimately, the issue of whether Pennsylvania companies could be held liable for failing to protect employee data from cyber breaches came down to the question of whether they have a duty rooted in common law.

The Allegheny County Court of Common Pleas rejected that notion and declined to impose what it characterized as a “new affirmative duty” on employers to safeguard electronic data. The Superior Court affirmed that ruling.

But Lynch persisted in his argument that there was nothing new about expecting an employer to protect sensitive employee information, regardless of whether those records were kept in a filing cabinet or stored on a network.

Oral arguments before the Supreme Court in the case, held in Pittsburgh in April 2018, centered on that debate, with UPMC's counsel framing the issue as one of first impression by emphasizing the unique technical complexities of cybersecurity and Lynch urging the justices to focus on “one of the most fundamental tenets of our common law … that one who does an affirmative act is under a duty to exercise reasonable care so as to protect against foreseeable harm.”

Ultimately, the justices saw it his way. But as soon as one battle ended in Dittman, a new one began.

The parties are back before the Allegheny Court of Common Pleas and, according to Lynch, UPMC is now arguing that the case should be tossed out because the plaintiffs lack standing.

But after one hard-fought battle up to the state's highest court, Lynch is eager to proceed beyond the preliminary objections stage.

“We've made the argument to [the judge] that that ship has sailed,” he said.