On January 12, 2017, the Pennsylvania Superior Court affirmed the decision reached in Dittman v. Univ. of Pitts. Med. Ctr. by Judge Wettick of the Court of Common Pleas of Allegheny County. By finding that negligence claims alleging failure to provide reasonable data security for personal health and other information are not actionable, the Superior Court’s affirmation represents a significant step in the development of security and privacy laws.
The case centers on a data breach in 2014 involving the theft of data from the University of Pittsburgh Medical Center (“UPMC”). The stolen data included sensitive personal information for 62,000 employees. Plaintiffs sued for both negligence and breach of implied contract, alleging that UPMC had a common law duty to protect the highly sensitive information, which included salary information, bank account numbers, and social security numbers. Plaintiffs alleged that this duty was violated by UPMC’s failure to design, maintain, and test its computer security systems to reasonably protect and secure the information, and sought damages related to identify theft, including the cost of credit monitoring,
Judge Wettick sustained UPMC’s preliminary objections and dismissed both claims, finding that 1) UPMC did not owe a duty of reasonable care in its collection and storage of the employees’ information and data; and 2) the economic loss doctrine precluded an action for economic losses suffered from a data breach.
In its review, the Superior Court considered the five factors used to determine whether a duty of care exists:
- the relationship between the parties;
- the social utility of the actor’s conduct;
- the nature of the risk imposed and foreseeability of the harm incurred;
- the consequences of imposing a duty upon the actor; and
- the overall public interest in the proposed solution.
The trial court had found that the fourth and fifth factors were controlling and weighed against imposing a duty on UPMC. As the trial court noted, “data breaches are widespread” and “there is not a safe harbor for entities storing confidential information.” The Superior Court agreed, stating “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent breaches altogether.” The Superior Court also agreed that creating a duty here would greatly expend judicial resources, and cited to the Pennsylvania General Assembly’s history on the subject.
The Pennsylvania General Assembly extensively considered data breach issues when enacting the Breach of Personal Information Notification Act (the “Act”), 73 P.S. § 2301, et seq. (effective June 20, 2006). Significantly, the Act did not establish a duty of care or a private cause of action. Rather, the Act created only a notification obligation in the event of a breach. Had the General Assembly wished to impose a new duty, it could have done so.
Lastly, the Superior Court found that “[w]ithout a duty imposed by law or a legally recognized special relationship,” the economic loss doctrine bars the claims for purely economic losses.
This decision should not be interpreted as a free pass for companies who store and control sensitive data, however. Notably, the Superior Court distinguished a recent decision from the United States District Court for the Northern District of Georgia, In re: The Home Depot, Inc. Customer Data Security Breach Litigation. In that case, the court found that Home Depot had an independent duty to customers whose personal information was stolen from Home Depot’s computers because the plaintiffs expressly pled that Home Depot knew about substantial data security risks dating back to 2008. Specifically, Home Depot had received numerous warnings of problems with its computer system, including a hacking of the terminal in one of its Texas stores, an infection with data-stealing malware in one of its Maryland stores, and a finding by an outside security consultant that its network was vulnerable to attack and did not comply with industry standards. None of those allegations were pled in Dittman, but if they had been, the outcome might have been different. Therefore, employers must remain vigilant in protecting sensitive personal information.
If you have any questions about this post, or related issues, please contact me at firstname.lastname@example.org.