Blog

Dittman v. UPMC and the Duty of Care to Secure Employee Data

The security and privacy legal landscape drastically shifted in the past month, with the Pennsylvania Supreme Court issuing its opinion in Dittman v. UPMC, __ A.3d __, No. 43 WAP 2017, 2018 WL 6072199 (Pa. 2018). The facts in this case that form the basis of the Court’s opinion will resonate with every business: plaintiffs are employees of UPMC and, as part of that employment, were required to provide UPMC with personal information such as name, address, financial information, etc. And, not surprisingly, UPMC employs an electronic data storage system to store all of its employees’ information. In what is becoming an increasingly familiar fact-pattern, UPMC’s electronic document system containing its employees’ personal information experienced a breach resulting in unauthorized access to the employees’ personal and financial information. Ultimately, these employees suffered identity theft and related damage from their information being stolen.

The facts and resulting damage are not surprising and commonplace in the modern world. But, the resulting opinion of the Pennsylvania Supreme Court is breaking new legal precedence. The employees filed a Complaint alleging two separate causes of action: (1) negligence and (2) breach of implied contract. Id., at *1. Under the negligence claim, the employees asserted that UPMC “had a to exercise reasonable care to protect their personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties” and that “UPMC undertook a duty of care to ensure the security of their information in light of the special relationship between Employees and UPMC, whereby UPMC required Employees to provide the information as a condition of their employment.” Id., at *1 (internal citations omitted). Further, UPMC breached this duty because it failed “to adopt, implement, and maintain adequate security measures to safeguard” the employees’ personal and financial information and this breach ultimately lead to damages for the employee-plaintiffs. Id., at *2.

UPMC filed Preliminary Objections arguing that no cause of action existed due to the economic loss doctrine claiming that, because “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Id., at *2. The trial court sustained the Preliminary Objections, finding that no exception to the economic loss doctrine existed and under the five-factor test set forth in Althaus ex rel. Althaus v. Cohen, 562 Pa. 547, 756 A.2d 1166 (2000) the factors did not weigh in favor allowing a negligence claim for a security breach of employee data. Id., at *2-3. The Superior Court affirmed the trial court’s ruling and the employees appealed to the Pennsylvania Supreme Court. Id., at *3.

On appeal, the Pennsylvania Supreme Court addressed the following two issues:

a. Does an employer have a legal duty to use reasonable care to safeguard sensitive personal information of its employees when the employer chooses to store such information on an internet accessible computer system?

b. Does the economic loss doctrine permit recovery for purely pecuniary damages which result from the breach of an independent legal duty arising under common law, as opposed to the breach of a contractual duty?

Id., at *5.

The Supreme Court initially found that “this case is one involving application of an existing duty to a novel factual scenario, as opposed to the imposition of a new, affirmative duty requiring analysis of the Althaus factors.” Id., at *7. Ultimately, the Court agreed with the employees “that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” Id., at *8. UPMC’s requirement that the employees provide certain personal information and UPMC ultimate failure to use adequate security measures constituted affirmative conduct that created a duty.

After finding that a duty in fact existed, the Court turned to the economic loss doctrine. Here the Pennsylvania Supreme Court found that the doctrine is not a blanket prohibition of negligence claims seeking purely economic damages. Id., at *13. “[I]f the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.” Id. The Court concluded that because the employees asserted a viable common law duty for UPMC to act with reasonable care in the collection and storage of employee data outside of any contractual obligations, the employees’ claim could proceed forward and was not barred by the economic loss doctrine. Id., at *15.

Dittman is a wake-up call for companies, who often focus more on the security of customer and client data, and not on their employee data. Ultimately, this decision paves the way for claims to be brought by employees of companies when personal data is subject to a cybersecurity breach. Additionally, it could potentially open the door to lawsuits, contractual or otherwise, where a company requires its customers or end-users to provide personal information in exchange for a service — which is often the case for the use of certain applications or other online products.

Whether UPMC is found to have breached its duty of care remains to be seen. Determining what is “reasonable” in protecting employee data – or any data for that matter – is an unknown. There are mechanisms that are more reasonable than others – hashing passwords, access controls, encryption – to name a few. But, what exactly will be considered “reasonable” is still open for discussion. The best course of action: be prepared and take security seriously!

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.