In a landmark decision with far-reaching implications, the Pennsylvania Supreme Court recently held that employers have an affirmative duty to protect their employees’ personal information from criminal hacking. In particular, on November 21, 2018, the court ruled in Dittman v. UPMC that employers in Pennsylvania owe their employees a duty to exercise reasonable care to protect their personal data against an unreasonable risk of harm when collecting and storing that data on Internet-accessible computers.1
The employer in question, University of Pittsburgh Medical Center (“UPMC”), suffered a data breach in 2014 when hackers accessed and stole the personal information of about 62,000 current and former employees from the medical center’s computer systems.2 The hackers used this data, which included names, dates of birth, Social Security numbers, addresses, salaries, and bank and tax information, to file fraudulent tax returns and steal tax refunds.3
Certain affected employees brought a class action against UPMC for negligence and breach of implied contract following the data breach’s exposure of their personal information.4 The employees argued that UPMC had a duty to exercise reasonable care to protect their “personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” See id. Additionally, the employees stated that UPMC undertook this duty of care because it required employees to provide their personal information as a condition of their employment. See id. According to the employees, this duty included “designing, maintaining, and testing [UPMC’s] security systems to ensure” that employees’ information was adequately protected and implementing processes that would detect a security breach “in a timely manner.” See id.
Pennsylvania’s Court of Common Pleas (the trial court) concluded that the consequences of imposing a new duty on employers to safeguard their workers’ personal data would be too onerous and that adequate incentives, such as existing statutes and other safeguards, already existed to prevent employers from disclosing confidential information.5 Pennsylvania’s Superior Court affirmed on appeal.6
On further appeal to the Pennsylvania Supreme Court, the employees argued that UPMC’s responsibility to protect personal information was an application of common law negligence principles and not a new affirmative duty.7 Moreover, because UPMC took an affirmative act in collecting its employees’ personal information and conditioned employment on providing it, UPMC was under a duty to exercise reasonable care; this included taking reasonable measures to protect employees from the foreseeable risk that third parties would attempt to access and steal their information.8
The Pennsylvania Supreme Court agreed with the employees and noted that the employees sufficiently alleged that UPMC’s affirmative conduct created the risk of the data breach, particularly because the medical center collected and stored the personal information on its computer system without adequate security measures.9 The absence of such measures created an environment in which a cybercriminal could take advantage of the vulnerabilities and steal the employees’ personal information.10 Therefore, the data breach was “within the scope of the risk created” by UPMC, and the criminal acts of third parties did not relieve UPMC of its duty of care. See id.
The Pennsylvania Supreme Court also rejected the argument that Pennsylvania’s economic-loss doctrine precludes all negligence claims seeking solely economic damages.11 The Supreme Court explained that tort claims, such as negligence claims for purely economic loss, are barred when the duty arises under a contractual relationship.12 However, “if a duty arises independently of any contractual duties between parties, then a breach of that duty may support a tort action.”13 Because the employees asserted that UPMC breached its common law duty to act with reasonable care, and that such a duty exists independently of any contractual obligation between themselves and UPMC, the economic-loss doctrine did not bar the employees’ claim.14
The Supreme Court reversed and remanded the matter to the trial court for further proceedings consistent with its opinion. See id.
The Pennsylvania Supreme Court’s decision is a significant development in the emerging field of cybersecurity tort law, and other state courts will likely be influenced by the Dittman court’s reasoning in finding that employers owe an affirmative duty to protect personal information.
1See Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199, at *1.
2See Rachel Z. Arndt, Judge Rules UPMC Should Have Protected Employee Data, MODERN HEALTHCARE (Nov. 26, 2018).
3See Matt Fair, UPMC Must Protect Workers’ Personal Info, Pa. Justices Rule, LAW 360 (Nov. 21, 2018), https://www.law360.com/articles/1104216/upmc-must-protect-workers-personal-info-pa-justices-rule.
4See Dittman, at *1.
5See Fair, supra note 3; Dittman, at *4.
6See Dittman, at *3.
7See id. at *5.
8See id. at *6.
9See id. at *8-9. The Supreme Court cited the employees’ allegations that UPMC failed to use proper encryption, adequate firewalls, and an adequate authentication protocol. See id.
10See id. at *9.
11See id. at *13.
12See Fair, supra note 3; Dittman, at *13.
13See Dittman, at *13.
14See id. at *15.