In finding a common law duty to protect employees’ personal data, the Pennsylvania Supreme Court has unexpectedly, and dramatically, altered the contours of the data breach litigation landscape.
In Dittman v. UPMC, hackers penetrated the University of Pittsburgh Medical Center (UPMC) computer systems. They obtained the personal information of 62,000 current and former employees. The data included names, birthdays, Social Security numbers, addresses, salaries, bank, and tax information. The hackers used this data to file fraudulent tax returns and steal tax refunds.
The affected employees sued, arguing that UPMC had a duty of care to secure their personal data. It had allegedly breached that duty by not protecting its computer systems. They insisted UPMC should have implemented measures such as proper firewalls, data encryption, and authentication protocols. They also pointed out that UPMC required their personal data as a condition of employment.
The employee arguments did not gain traction in the lower courts. The lower courts found no statutory or policy rationale for a duty to protect data. Nor was there a common law duty in such a scenario. The Pennsylvania Supreme Court agreed to consider the matter, and reversed. Three points stand out from the decision.
First, the court found that the duty to protect data stemmed from common law negligence doctrine. UPMC had “a legal duty to exercise reasonable care to safeguard” personal data stored on accessible systems.
While it did not discuss the technical measures that would establish the standard of care, the court did cite the allegation that UPMC did not provide “proper encryption, adequate firewalls, and an adequate authentication protocol.” Those actions affirmatively increased exposure to a data breach.
Dittman opens the doors to more suits stemming from a common law duty to protect data. Since the court’s analysis hinged on classic tort law rather than the employment relationship, plaintiffs will rely on this reasoning in future cases. While it is too early to state that the floodgates have opened, hacked corporate defendants can expect a surge in litigation.
Second, Dittman reflects evolving expectations. The lower courts had stressed the lack of generally accepted standards of care for cybersecurity in finding no duty. But the Pennsylvania Supreme Court turned this around, pointing to a reasonable and prevailing expectation of affirmative measures to protect personal data.
Finally, the holding will command the attention of smaller entities and their insurers. Smaller corporations, with limited information technology resources, tend to be more vulnerable to hackers. The removal of the economic loss doctrine also makes it harder to obtain threshold dismissals of class action complaints.
Taken together, these factors encourage the prudent company to undertake affirmative measures proactively on both the technical and legal fronts to safeguard corporate interests. At a minimum, companies should consult with counsel to ensure that their defenses track the applicable standard of care.
After all, UPMC may be the first hospital or large entity to face a negligence class action stemming from a breach but it will most assuredly not be the last.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.