Philadelphia, Penn. (January 17, 2019) - The Pennsylvania Supreme Court, in Dittman v. UPMC (196 A.3d 1036), ruled that employers have a legal duty to exercise reasonable care to safeguard employees’ electronically stored personal information.

Case background

The dispute in Dittman arose after a data breach occurred at the University of Pittsburgh Medical Center (UPMC). As a result of the breach, the personal and financial information, including birth dates, social security numbers, tax forms and bank account information of 62,000 UPMC employees was accessed and stolen from UPMC’s computer systems.

Significantly, the employees alleged that they were damaged when the stolen information, which UPMC required the employees to provide as a condition of their employment, was used to generate fraudulent tax returns. The employees contended that UPMC failed to adopt, implement and maintain adequate security measures to protect the information. Specifically, the employees alleged that UPMC: failed to monitor the security of its network; failed to properly encrypt the data; failed to implement an adequate authentication protocol to protect the employees’ information; and failed to establish adequate firewalls to handle a server intrusion.

The lower courts weigh in

The trial court dismissed the employees’ complaint and held that the courts should not impose a new affirmative duty of care that would permit the recovery of common law tort action damages in data breach actions. Although the trial court noted the frequent and widespread nature of data breaches, the court opined that the creation of a private negligence cause of action to recover damages for data breaches would overwhelm the court system and require businesses to expend substantial resources defending those actions.

On appeal, the Pennsylvania Superior Court upheld the dismissal of the employees’ complaint. Although the Superior Court noted the general risk associated with the electronic storage of information, as well as the fact that data breaches and the resulting harm are generally foreseeable, the court held that a defendant does not have a duty to guard against the criminal act of a third party, unless the defendant realized, or should have realized, the likelihood of the situation. Further, the Superior Court held that the trial court properly determined that UPMC did not owe a duty to its employees under Pennsylvania law.

The Pennsylvania Supreme Court rules

In April 2018, the case came before the Pennsylvania Supreme Court. In reversing the decision of the lower courts, the court held that UPMC did owe a duty to its employees to exercise reasonable care in collecting and storing their personal and financial information on its computer systems. The court agreed with UPMC’s theory that ordinarily there is no duty to protect someone from circumstances the defendant did not create. However, the court noted that UPMC’s requirement that its employees provide the information, which was then stored on its computer systems without adequate security measures, created the risk of a data breach. As a result, the criminal acts of the third parties did not alleviate UPMC’s duty to protect the information.

The Pennsylvania Supreme Court also analyzed, and rejected, UPMC’s argument that the economic loss doctrine precludes all negligence claims that seek only economic damages. While noting that if a duty arises under a contract, a tort action will not proceed for a recovery based on an alleged breach of the duty, the court held that if the duty that arises is independent of any contractual duties, an alleged breach of that duty may give rise to a tort action. To that end, the employees’ assertion that UPMC breached a common law duty to use reasonable care in the collection and storage of the personal information was a duty that was independent from any contractual obligation between the parties. As a result, the economic loss doctrine did not bar the employees’ claim.

This Dittman case is significant as it potentially subjects employers to litigation in the event of a data breach. As such, employers must ensure they are proactively monitoring their computer systems and utilizing adequate security systems to protect employees’ information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.