
Cyber Security, Information Governance & Privacy

On February 13, the U.S. Chamber of Commerce released model data privacy legislation and urged Congress to pass a federal data privacy law.

“Technology has changed the way consumers and businesses share and use data, and voluntary standards are no longer enough,” said Tim Day, senior vice president of the Chamber’s Technology Engagement Center, or “C TEC.” “New rules of the road are necessary and it is time for Congress to pass a federal privacy law. The Chamber’s model privacy legislation puts consumers in control and ensures businesses can innovate while operating with certainty and providing transparency.”

According to the Chamber, its model legislation would:

  • Eliminate a patchwork of regulations that are confusing for consumers and businesses;
  • Empower consumers through transparency, opt-out, and data deletion;
  • Support innovation through regulatory certainty; and
  • Provide the Federal Trade Commission with additional enforcement power.

As we’ve previously reported, all signs suggest that Congress may finally enact comprehensive data privacy legislation. The patchwork of existing state laws frustrates pro-business groups like the Chamber, the Internet Association, and the Business Roundtable. Moreover, leading tech companies have lobbied Congress for data privacy legislation.

Consistent with its concern about the patchwork of existing state laws, the U.S. Chamber’s model data privacy legislation, the “Federal Consumer Privacy Act,” would preempt state and local laws (including tort laws) “to the extent that such [laws] related to, or serve as the basis for enforcement action as it relates to, the privacy or security of personal information.”

According to the Chamber, this broad preemption would support innovation by creating regulatory certainty: “Businesses would comply with one nationwide privacy framework, as opposed to having to navigate 50 unique state laws.”

The Chamber’s model legislation also includes a number of consumer-friendly provisions. The model legislation would:

  • Require businesses to be transparent about how personal information is used;
  • Require businesses to comply with requests from consumers regarding how their personal information is used or shared; and
  • Provide consumers, subject to certain exceptions, with opt-out and data-deletion rights.

A copy of the Chamber’s one-pager on its model legislation is available here, and the full text of the model legislation is available here.

On January 25, the Illinois Supreme Court sided with consumers in issuing a unanimous decision that a Six Flags season pass holder could bring a claim under Illinois’ Biometric Information Privacy Act (the “BIPA”) based on the amusement park’s collection of customer fingerprints—even absent allegations of real-world injury.  This opinion provides a boost to the state’s unique privacy law and the hundreds of pending cases involving allegations under the law.  A copy of the full opinion can be found here.

Plaintiff Stacy Rosenbach filed her complaint against Six Flags, alleging that the park had violated the BIPA.  Specifically, she alleged that the park’s fingerprinting process for issuing repeat-entry passes to its park violated the BIPA because neither she nor her minor son (1) were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected; (2) signed any written release regarding taking of the fingerprint; or (3) consented in writing to the “collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from,” her son’s fingerprint or associated biometric identifiers or information.  Rosenbach further alleged that Six Flags had not publicly disclosed what it had done with the information or how long it would be kept and that it did not have any written policy available to the public disclosing its retention schedule or any guidelines for retaining or permanently destroying biometric identifiers and biometric information.  She alleged that she never would have purchased a pass had she known the full extent of the company’s conduct.

The intermediate appellate court held that Rosenbach was not aggrieved within the meaning of the BIPA and could not pursue either damages or injunctive relief based on the allegations in the complaint.  The Court held that she was required to allege additional injury or adverse effect, which need not be pecuniary, but which must be more than a “technical violation of the Act.”

The Illinois high court reversed, holding that Rosenbach could be considered an “aggrieved person” based solely on the premise that her son’s fingerprint was taken without consent.  Specifically, the Supreme Court held that the Illinois legislature did not intend for consumers to have to claim that their data was separately stolen or misused to have standing under the BIPA.  The Court held that to require individuals to wait until they “sustained some compensable injury beyond violation of their statutory rights before they may seek recourse . . . would be completely antithetical to the act’s preventative and deterrent purposes.”  The Court also explained that when a private entity fails to adhere to the statutory procedures, “‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air,’” citing a recent ruling from a Federal District Court in California involving similar claims against Facebook relating to the collection and storage of users’ facial scans.  The Court dismissed arguments relating to the difficulty of compliance, holding that “whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

The decision will provide support for a flood of recent lawsuits filed under the BIPA, which requires that companies that capture individuals’ biometric information, such as a fingerprint, voice sample, or retina scan, obtain written consent and disclose how they use, store, and destroy that data.  The BIPA is the nation’s only biometric privacy law with a private right of action, and hundreds of pending lawsuits allege that supermarkets, hotels, and other businesses have violated the law, including in the context of requiring employees to use fingerprint-based timekeeping systems.

Troutman Sanders will continue to monitor how state and federal courts analyze consumer data privacy issues such as this, including any developments under the BIPA.

Nearly every American with a cellphone has had it happen to them. You receive a call from an unknown number with an automated message pitching refinance options for the loan you don’t have, or consolidation options for the student loan you already paid off.

A new report released by Hiya, a Seattle-based spam-monitoring service, found that approximately 26.3 billion robocalls were placed to U.S. phone numbers last year – a 46 percent increase from the 18 billion placed in 2017.  More disturbingly, one report projected that at least half of all cellphone calls in 2019 could be spam.

Automated phone calls can be a cost-efficient and incredibly effective mechanism for the many businesses that have legitimate purposes for using them, such as delivery services, banks, and mortgage services.  However, the inconceivable number of illegitimate and unwanted spam robocalls is causing Americans to not answer about half of all cellphone calls according to Hiya, thus causing Americans to miss important calls and creating a difficult challenge for legitimate users as well as regulators and phone carriers.

In its report, Hiya analyzed activity from 450,000 users of its app to identify the scope of robocalling and how those receiving the calls responded to them.  In a month’s worth of data, Hiya found that each of its app users reported an average of 10 unwanted robocalls.  An average of 60 calls per user were from unrecognized numbers or numbers not linked to a recipient’s address book.

While spam robocalling may not be going away any time soon, federal regulators have taken notice of the 52,000 consumer complaints about caller ID spoofing in 2018 and have moved to adopt rules to facilitate the rollout of new technologies to combat these calls.  Multiple cell phone carriers have pledged to implement caller authentication services that follow the same principles as website encryption.  The goal of the new protocol is to limit the effects of caller ID spoofing such as when a spammer poses as a caller from a person’s own area code to trick them into answering the call.

As technology changes, so too will the rules and regulations regarding calling practices that may have the unintended consequence of creating new hurdles for legitimate businesses using automated dialers.

Troutman Sanders will continue to monitor and report on important developments involving calling regulations.

On January 28, Thomas W. Thrash, Jr., the Chief Judge of the United States District Court for the Northern District of Georgia, issued four decisions on motions to dismiss in cases arising out of the Equifax data breach. Below are a few noteworthy takeaways. 

Factual Background

From mid-May through the end of July 2017, hackers stole personally-identifiable information of nearly 148 million American consumers by exploiting a vulnerability in certain software used by Equifax (the “Data Breach”). Litigation arising out of the Data Breach was consolidated into a Multidistrict Litigation (“MDL”) styled as In Re Equifax, Inc., Customer Data Security Breach Litigation, 1:17-md-2800-TWT.

Chief Judge Thrash issued decisions on motions to dismiss in the MDL regarding (1) the Consumer Cases, (2) the Financial Institution Cases, and (3) the Small Business Cases. Chief Judge Thrash is also presiding over a consolidated federal securities fraud class action lawsuit arising out of the Data Breach and issued an order on a motion to dismiss in that case on the same day. Each of the Court’s decisions is discussed in turn below.

The Consumer Cases

In the Consumer Cases, the plaintiffs (“Plaintiffs”) brought a variety of claims, purporting to represent a class of individuals who were allegedly injured by the Data Breach. The Court first held that Plaintiffs could not assert claims under the Fair Credit Reporting Act because Equifax did not “furnish” any “consumer report” within the meaning of the FCRA. Rather, hackers stole information about Plaintiffs which did not fall within the definition of data subject to the FCRA.

However, the Court held Plaintiffs could assert tort claims for negligence and negligence per se under Georgia common law, which applies to the case due to choice-of-law principles. The Court held Equifax had an independent duty to protect the consumers’ information because it knew of a foreseeable risk to its security systems and allegedly did not follow reasonable procedures to secure the information. Plaintiffs sufficiently alleged actual injury, as some Plaintiffs had suffered identity theft, and had sufficiently alleged concrete potential injury in the form of an increased risk of harm. The criminal nature of the hackers’ behavior did not cut off Equifax’s potential liability because a jury could conclude such conduct is reasonably foreseeable in light of the many other data breaches that have occurred.

The Court further held Plaintiffs failed to assert claims for breach of contract because Equifax’s Privacy Policy prohibited damages, and Plaintiffs could not assert an implied contract due to the valid merger clause in Equifax’s Terms of Use. The Court also rejected Plaintiffs’ unjust enrichment claim given the lack of a contractual relationship and the absence of any allegation that Plaintiffs had provided anything of value to Equifax.

Plaintiffs’ claims under various Georgia statutes—the Georgia Fair Business Practices Act (“GFBPA”), the Georgia Uniform Deceptive Trade Practices Act (“GUDTPA”), and Georgia’s statute regarding notification after a personal information data breach—all failed. Under current Georgia law, the GFBPA and GUDTPA do not apply to data breaches, and Georgia’s law regarding notification after a data breach is not privately enforceable. Plaintiffs also asserted claims under other states’ Uniform Deceptive Trade Practices Act laws and other states’ data breach notification laws, some of which survived the motion to dismiss. Finally, Plaintiffs’ claim for attorneys’ fees under Georgia law was allowed to proceed because Plaintiffs made sufficient allegations of “bad faith.”

The Financial Institution Cases

In the Financial Institution Cases, various banks, credit unions, and associations sought to remedy the financial losses they allegedly suffered and continue to suffer as a result of the Data Breach. The claims asserted by these Plaintiffs include negligence, negligence per se, negligent misrepresentation, and claims under various state business practices statutes.

Equifax moved to dismiss Plaintiffs’ claims, arguing, among other things: (1) Plaintiffs lack standing and fail to allege any cognizable injuries; (2) Plaintiffs fail to establish a duty or causation as required to proceed with their negligence-based claims; (3) Plaintiffs’ negligence per se claim fails because the statutes relied upon do not set out any specific statutory duty to protect personally identifiable information; and (4) Plaintiffs failed to plead their negligent misrepresentation claim with the specificity required under Rule 9(b).

Ultimately, Equifax’s motion was granted in part and denied in part. With respect to standing, the Court found the Plaintiffs in this case can be categorized into two groups.  The first group consisted of the “Financial Institution” Plaintiffs, who allegedly spent time and money: (1) responding to the compromise of the credit reporting system and personal information they rely upon for their business; (2) assessing the impact of the Data Breach as required by applicable law; and (3) mitigating the alleged “substantial risk” of future fraudulent activity. The second group of Plaintiffs, the “Financial Institution Card Issuers,” assert the same allegations plus a fourth – they allege they issued payment cards compromised in the Data Breach and have spent time and money reissuing payment cards or reimbursing customers.

After dividing Plaintiffs into these two categories, the Court found Plaintiffs adequately pled standing as to the Financial Institution Card Issuers but failed to adequately plead standing with respect to the Financial Institution Plaintiffs. In support of this conclusion, the Court found that reissuing payment cards and reimbursing customers for fraudulent charges, as alleged only by the Financial Institution Card Issuers, “are not speculative and are not threatened future injuries, but are actual, current, monetary damages.” Because the same type of concrete and particularized injury had not been alleged by the Financial Institution Plaintiffs, and because their alleged injuries were not actual or imminent, their case was dismissed.

The Court also dismissed the case with respect to the “Association Plaintiffs” who sought to bring claims on behalf of their financial institution members who had allegedly suffered injury as a result of the Data Breach because the Association Plaintiffs did not identify the specific members who have standing.

After addressing standing, the remainder of the Court’s opinion and order applied only to the surviving claims of the Financial Institution Card Issuers. With respect to the negligence claim, the Court concluded Equifax owed the Financial Institution Card Issuers a duty of care to safeguard the information in its custody, arising from the allegations that Equifax knew of a foreseeable risk to its data security systems but failed to implement reasonable security measures. The Court dismissed the negligence per se claim to the extent it was predicated upon the Gramm-Leach-Bliley Act (“GLBA”) alone, which the Court ruled does not provide a specific standard of conduct sufficient to give rise to a legal duty under Georgia law. To the extent the negligence per se claim was predicated on the Safeguards Rule of the GLBA, however, which does provide an ascertainable standard of conduct, the Court permitted the claim to continue. The Court also agreed with Plaintiffs that Section 5 of the FTC Act can provide a statutory duty for a negligence per se claim under Georgia law; therefore, Equifax’s Motion to Dismiss with respect to the negligence per se claim was largely denied.

In addressing Equifax’s argument that Plaintiffs failed to sufficiently plead a claim for negligent misrepresentation, the Court, following the Georgia District Court’s precedent, found that Rule 9(b) does not apply to claims of negligent misrepresentation, but that even if Rule 9(b) were to apply, Plaintiffs’ allegations would likely suffice. Indeed, the Court found “Plaintiffs have alleged the specific misrepresentations that the Defendants made, which Defendants made them, how such representations were false, and why the Defendants knew or should have known that those statements were false.” Such allegations, the Court concluded, are sufficient.

Finally, the Court also reviewed the claims brought under the Georgia Fair Business Practices Act, foreign state fraud and consumer protection statutes, claims relating to payment card data, and Plaintiffs’ “ancillary claims.” The Court dismissed the GFBPA claim, finding the Act does not require the safeguarding of personally identifiable information but allowed a majority of the other claims to continue.

The Small Business Cases

A group of ten small businesses sought to bring claims on behalf of a class of small businesses that allegedly relied upon the personal creditworthiness of their owners to obtain and maintain credit (the “Small Business Plaintiffs”). The Small Business Plaintiffs contended their owners’ personal information might have been involved in the Data Breach, and alleged they were harmed by having to take measures to combat the risk of identity theft and by expending time and effort to monitor the credit of their owners.

Equifax moved to dismiss the Small Business Plaintiffs’ claims, arguing: (1) the businesses lacked Article III standing to assert claims for alleged injuries arising out of the alleged breach of their owners’ personal information, and (2) the economic loss doctrine precluded the Small Business Plaintiffs from asserting tort claims. The Court agreed with both of Equifax’s arguments and dismissed the claims.

The Court noted that each of the Small Business Plaintiffs is a legal entity distinct from its individual owners. While the owners could seek recovery of their damages in the Consumer Cases, the Small Business Plaintiffs were “not entitled to a second recovery” for the alleged injuries to the owners as small business owners. The Court further held the Small Business Plaintiffs’ alleged injuries were too speculative because Small Business Plaintiffs would have to prove: (a) their owners’ data was compromised and obtained by some criminals; (b) the owners’ credit was directly impacted by the criminals’ misuse of the information; (c) the Small Business Plaintiffs thereafter attempted to rely on the owner’s credit for their own “creditworthiness and continued operations”; and (d) the Small Business Plaintiffs’ “creditworthiness [or] continued operations” were harmed as a direct result of the owner’s damaged credit.

The Small Business Plaintiffs also failed to allege a substantial risk of harm that was sufficient to confer standing. Because of the long, attenuated chain of events that would have to occur before the Small Business Plaintiffs might suffer an injury because of the Data Breach, they did not face an “imminent injury” and their allegations about the alleged costs they incurred were “nothing more than the exercise of ordinary due diligence in monitoring their creditworthiness.”

Finally, the Court held that the economic loss doctrine barred the Small Business Plaintiffs’ tort claims. The doctrine prevents a plaintiff from recovering economic losses associated with injury or damage to another person. Because the Small Business Plaintiffs were distinct legal entities from their owners, the businesses could not recover for alleged injuries to the owners. Equifax did not breach an independent legal duty to the Small Business Plaintiffs, the Court held, because Equifax’s duty to safeguard the information of the individuals was owed to them personally. Accordingly, the Court dismissed the Small Business Cases in their entirety.

The Securities Case

A separate case—In Re Equifax, Inc. Securities Litigation, 17-cv-3463-TWT—is also pending before Chief Judge Thrash, who issued an order on Defendants’ motion to dismiss on the same day as the other orders discussed above. In this case, the lead plaintiff (“Plaintiff”) has brought claims on behalf of a putative class of investors that purchased securities of Equifax from February 25, 2016 through September 15, 2017. Plaintiff asserted claims under sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against Equifax and four individuals who were corporate officers at Equifax during the putative class period. [Disclosure: Troutman Sanders LLP represents one of the individual Defendants in this litigation, former Chief Executive Officer Richard F. Smith.]

Plaintiff alleged Defendants made false or misleading statements and/or omissions about the sensitive information in Equifax’s custody, the vulnerability of Equifax’s internal systems, and Equifax’s compliance with cybersecurity regulations and best practices. As a result, Plaintiff and the other putative class members allegedly suffered a loss in the value of their investments when the Data Breach was revealed.

The Court dismissed the claims against three of the individual Defendants but allowed the claims against Equifax and its former CEO to proceed to discovery. Additionally, the Court limited the scope of allegedly false or misleading statements that could be actionable, holding: (1) “Defendants were under no duty to disclose the existence of the Data Breach before they knew it had occurred”; (2) the mere “occurrence of the Data Breach did not itself make [certain] prior statements false or misleading”; (3) Defendants’ warnings that “Equifax could be vulnerable to a data breach” were not misleading; and (4) Defendants’ representations about certain internal controls in place at Equifax were not false or misleading.

Troutman Sanders will continue to monitor these cases for further developments.

All the presents have been opened.
The New Year’s Eve ball has been dropped.
We have honored Martin Luther King Day.
But our celebrations do not stop.

You see, today isn’t just a Monday.
It’s not just the first day of the week.
Today isn’t only the end to your weekend.
Or a day to sit around and weep.

Today is Data Privacy Day!
One of our favorite days of the year!
It’s dedicated to raising privacy awareness.
So, we’re sending a little privacy cheer!

How you choose to celebrate today,
Is really up to you.
But below are a few examples,
Of things your team can do.

Review your incident response plans.
Conduct a tabletop exercise.
Start thinking about CCPA compliance.
Consider whether your privacy policy needs to be revised.

Remember the goal for today,
Is to raise privacy awareness.
Whether it be with your friends, family, or co-workers,
We encourage you to share this!

Happy Data Privacy Day from Troutman Sanders.

Download our newest publication, Data Privacy: Current Legal Landscape, for insights on cybersecurity and data privacy developments in 2018.

Over the last few years, attention has increasingly turned to the right to privacy and to the debate over how best to implement privacy tools that are balanced against business and technological innovation.  In the United States, the debate over adopting policies like those in the European Union has recently intensified as consumer advocates view data collection as intrusive and offensive; however, these criticisms fail to appreciate the key factors driving the debate.

Notably, in 2018, California passed the most comprehensive data use legislation in the nation (the California Consumer Privacy Act of 2018), which has been compared by many to the European Union’s General Data Protection Regulation. California also became the first state to enact an Internet of Things (“IoT”) cybersecurity law (SB 18-327), which requires connected devices to be equipped with “reasonable security features,” as defined by the bill. Both laws have been praised by consumer advocates, although many have taken the position that the laws will do little to improve consumer protection, but instead will create substantial burdens for companies. Although both laws are effective as of January 1, 2020, it is important to note that the two laws remain a moving target and further amendments may be on the horizon.

As IoT explodes in popularity and makes innovations such as augmented reality (“AR”) and autonomous vehicles possible, the functionality demanded by consumers will require data collected from human user experience.  Companies that fail to properly leverage new technologies and data opportunities may find themselves falling behind their competitors.  Companies developing products on the cutting edge of technology should stay informed of recent enforcement actions, legal cases, and laws to determine how their offerings in the ecosystem may be impacted.

This publication covers the ongoing evolution of the legal landscape for data-centric products, so that organizations can continue to succeed in their development of new technologies and products.

Click here to download the report

Your diet and fitness goals are not the only things scheduled to change come the New Year.  On April 10, 2018, Iowa Governor Kim Reynolds signed Senate File 2177, which modified provisions applicable to consumer security freezes and personal information security breach protection.  The Act, which goes into full effect on January 1, was proposed by the Iowa Attorney General’s office as well as state legislators to address certain changes in technology.

With respect to consumer security freezes, S.F. 2177:

  • eliminates the requirement for consumers to submit requests for security freezes through certified mail, and instead allows for such requests to be submitted by mail, telephone, email, or through a secure online connection;
  • requires consumer reporting agencies (“CRAs”) to commence security freezes within three business days after receiving a request, as opposed to the previous five days;
  • requires CRAs to identify for consumers, under certain circumstances, any other “consumer reporting agency that compiles and maintains files on consumers on a nationwide basis” (as defined by section 1681a(p) of the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.), and inform them of appropriate contact information that would permit the consumer to place, lift, or remove a security freeze from such other CRA; and
  • prohibits CRAs from charging a fee for placing, removing, temporarily suspending, or reinstating a security freeze.

CRAs will want to ensure their processes and procedures have been updated to account for such changes, and that employees have been trained to comply with them.

As noted above, S.F. 2177 also modified Iowa’s personal information security breach protection statute. Those changes, however, went into effect July 1, 2018, and include the following:

  • The definition of “encryption” was modified to mean only those certain algorithmic processes that meet accepted industry standards.
  • The Act clarified that the law does not apply to businesses that are subject to and comply with the Health Insurance Portability and Accountability Act of 1996, or “HIPAA.”
  • The Act now requires notification of a security breach to the Iowa Attorney General within five business days after giving notice of the breach of security to any consumer.

Companies tracking data breach notification requirements as part of their incident response plans, policies, and procedures should ensure their materials have been updated to account for such changes.


As we previously reported, last year the United States District Court for the Middle District of North Carolina trebled a jury verdict against DISH Network L.L.C. in a Telephone Consumer Protection Act class action, resulting in a $61 million damages award.  After months of post-trial motions (which were denied), the Court recently ruled on class counsel’s request for attorneys’ fees, awarding $20.4 million.

Class counsel requested attorneys’ fees of 33.33% of the total judgment.  The Court found that a fee of $20,447,600, which is one-third of the approximately $61 million judgment, was reasonable.  According to the order, class counsel spent approximately 8,500 hours prosecuting the case and expended almost $500,000 of their own money.  The Court noted that “it takes skilled counsel to successfully manage an 18,000-plus member class action.  It takes a different set of highly developed skills to successfully achieve a jury verdict.”  The Court further noted that “Class Counsel achieved an excellent result on behalf of the class.”

A copy of the Court’s order can be found here.

We will continue to monitor the case for further developments.

Just about every week, there’s a reminder that cybersecurity remains important. But that doesn’t mean that many are taking it as seriously as they should. In the past month alone, Legaltech News has reported surveys that note how law firms are not adopting proper cyber protocols, companies haven’t mitigated third-party risks, and attorneys are vulnerable to biometric, cloud and phishing attacks. This isn’t just a U.S. problem either.

Meanwhile, the focus on privacy seems to be ever increasing. Sometimes, it’s a renewed focus on privacy regulations following the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act of 2018. Other times, it’s a matter of court cases, like the U.S. Supreme Court’s Carpenter v. U.S. ruling. But in general, maybe it’s just public awareness, as consumers in both the U.S. and abroad become increasingly aware of how their personal data is used.

To read the full article, go to

The Pennsylvania Supreme Court has ruled that employers have a legal duty to use reasonable care to safeguard the sensitive personal information of employees stored on an Internet-accessible computer system.

In Dittman v. UPMC, former and present employees of the University of Pittsburgh Medical Center filed a putative class action against UPMC arising from a data breach in which the personal and financial information – including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information – of all 62,000 employees and former employees was accessed and stolen from UPMC’s computer systems.

The employees alleged that the stolen data, which consisted of information UPMC required employees to provide as a condition of employment, was used to file fraudulent tax returns on behalf of victimized employees, resulting in actual damages. Based on these allegations, the employees asserted claims for negligence and breach of implied contract against UPMC. The employees further alleged that UPMC undertook a duty of care to ensure the security of their information in light of the special relationship between the university and its employees, whereby UPMC required them to provide the information as a condition of their employment.

The Court reversed the Superior Court’s grant of UPMC’s preliminary objections, holding that UPMC had an existing duty of reasonable care to safeguard the employees’ data from the foreseeable risk of a data breach. The Court found that the personal and financial information was stored without the use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.

While the Court noted that generally there is not a duty to protect someone who is at risk due to circumstances that a defendant did not create, the employees alleged sufficiently that UPMC’s affirmative conduct created the risk of a data breach. Therefore, by collecting and storing the employees’ data on its computer systems, UPMC owed the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising from those actions.

Significantly, the Court rejected UPMC’s argument that the presence of third-party criminality eliminates the duty it owed to the employees. The Court found that cybercriminal activity was within the scope of the risk created by UPMC and, therefore, did not alleviate UPMC of its duty to protect employees’ personal and financial information from that breach.

The Court also rejected UPMC’s economic loss argument, holding that under Pennsylvania law, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish that the breach of a legal duty arising under common law is independent of any duty assumed pursuant to contract.

Typically, if a duty owed arises under a contract between the parties, a tort action cannot be brought arising out of a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action. The Court in this case held that UPMC’s legal duty to act with reasonable care in collecting and storing its employees’ personal and financial information on its computer systems exists independently from any contractual obligations between the parties. Therefore, the economic loss doctrine did not bar the employees’ claim.

This is a significant ruling by the Pennsylvania Supreme Court as courts generally are reluctant to expand duties of care. But in this interconnected world and given well-known risks of cyber-intrusions, the Court found that an employer has a duty to exercise reasonable care to safeguard employees against the foreseeable risk of a data breach. This ruling may open the floodgates to lawsuits involving data breaches in Pennsylvania, and other plaintiffs will likely test the theory in other jurisdictions. Companies should conduct cybersecurity audits, engage in comprehensive reviews of cybersecurity insurance policies, and exercise vigilance in protecting sensitive data and personal information.