The Pennsylvania Supreme Court has ruled that employers have a legal duty to use reasonable care to safeguard the sensitive personal information of employees stored on an Internet-accessible computer system.
In Dittman v. UPMC, former and present employees of the University of Pittsburgh Medical Center filed a putative class action against UPMC arising from a data breach in which the personal and financial information – including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information – of all 62,000 employees and former employees was accessed and stolen from UPMC’s computer systems.
The employees alleged that the stolen data, which consisted of information UPMC required employees to provide as a condition of employment, was used to file fraudulent tax returns on behalf of victimized employees, resulting in actual damages. Based on these allegations, the employees asserted claims for negligence and breach of implied contract against UPMC. The employees further alleged that UPMC undertook a duty of care to ensure the security of their information in light of the special relationship between the university and its employees, whereby UPMC required them to provide the information as a condition of their employment.
The Court reversed the Superior Court’s grant of UPMC’s preliminary objections, holding that UPMC had an existing duty of reasonable care to safeguard the employees’ data from the foreseeable risk of a data breach. The Court found that the personal and financial information was stored without the use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.
While the Court noted that generally there is not a duty to protect someone who is at risk due to circumstances that a defendant did not create, the employees sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach. Therefore, by collecting and storing the employees’ data on its computer systems, UPMC owed the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising from those actions.
Significantly, the Court rejected UPMC’s argument that the presence of third-party criminality eliminates the duty it owed to the employees. The Court found that cybercriminal activity was within the scope of the risk created by UPMC and, therefore, did not relieve UPMC of its duty to protect employees’ personal and financial information from that breach.
The Court also rejected UPMC’s economic loss argument, holding that under Pennsylvania law, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish that the breach of a legal duty arising under common law is independent of any duty assumed pursuant to contract.
Typically, if a duty owed arises under a contract between the parties, a tort action cannot be brought arising out of a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action. The Court in this case held that UPMC’s legal duty to act with reasonable care in collecting and storing its employees’ personal and financial information on its computer systems exists independently from any contractual obligations between the parties. Therefore, the economic loss doctrine did not bar the employees’ claim.
This is a significant ruling by the Pennsylvania Supreme Court as courts generally are reluctant to expand duties of care. But in this interconnected world and given well-known risks of cyber-intrusions, the Court found that an employer has a duty to exercise reasonable care to safeguard employees against the foreseeable risk of a data breach. This ruling may open the floodgates to lawsuits involving data breaches in Pennsylvania, and other plaintiffs will likely test the theory in other jurisdictions. Companies should conduct cybersecurity audits, engage in comprehensive reviews of cybersecurity insurance policies, and exercise vigilance in protecting sensitive data and personal information.