The Pennsylvania Supreme Court recently held that employers have “a legal duty to safeguard” the personal data of their employees that is stored on internet-accessible computer systems, and that the economic loss doctrine does not bar plaintiffs from recovering purely pecuniary damages on a negligence claim “provided that [they] can establish the defendant’s breach [of that duty].” The court’s decision in Dittman v. UPMC is noteworthy because it removes the economic loss doctrine as a significant limitation on data-breach actions involving employee data, at least where Pennsylvania law applies.
In 2014, Barbara Dittman and other employees of the University of Pittsburgh Medical Center (UPMC) filed a class action complaint asserting negligence and breach of implied contract claims against UPMC for a data breach that compromised the personal information of all 62,000 employees and former employees. The plaintiffs alleged that UPMC had collected their sensitive personal information, including Social Security numbers, birthdates, tax information, addresses, salaries and bank account information, as a condition of employment and, therefore, undertook a duty to ensure the security of this information. According to the plaintiffs, UPMC breached this duty by failing to adopt adequate security measures, such as proper encryption, adequate firewalls and adequate authentication protocols. The plaintiffs sought damages for economic losses associated with the filing of fraudulent tax returns in their names as well as for the “increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”
Consistent with other courts’ rejection of negligence claims for data breaches, the trial court dismissed the negligence claim, holding that the economic loss doctrine barred a negligence claim that results solely in economic damages unaccompanied by “physical injury or property damage,” and that the court should not impose “a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.” The Superior Court affirmed the trial court’s order, finding that UPMC owed no duty to its employees under Pennsylvania law and that the economic loss doctrine barred the negligence claim.
Pennsylvania Supreme Court Decision
In Dittman v. UPMC, the Pennsylvania Supreme Court unanimously reversed the lower court ruling and remanded the case for further proceedings, concluding that “in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” The court found that it was not creating a “new affirmative duty” under common law, but instead applying “the existing duty to a novel factual scenario.”
The Pennsylvania Supreme Court held that UPMC’s affirmative collection and storage of its employees’ data without implementing adequate security measures created a foreseeable risk of a data breach. In arriving at this finding, the court rejected UPMC’s contention that the actions of third parties, such as cybercriminals, constituted an intervening event that eliminated any duty it owed to its employees. The court concluded that “[t]he alleged conditions surrounding UPMC’s data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal Employees’ information; thus, the data breach was ‘within the scope of the risk created by’ UPMC.” Therefore, “the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect Employees’ personal and financial information from that breach.”
Having found the existence of a duty, the Pennsylvania Supreme Court turned to the applicability of the economic loss doctrine. The court adopted a narrow reading of the doctrine’s reach, finding that, in Pennsylvania, “purely economic losses are recoverable in a variety of tort actions,” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law.” Under this reading, the court found that “if a duty arises independently of any contractual duty between parties,” the economic loss doctrine does not bar a negligence claim seeking only economic damages based upon a breach of that duty. In the present case, the court held that “UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems” and, “as this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar Employees’ claim.”
The Dittman decision is significant because it has made it more difficult (at least in Pennsylvania) for defendants to challenge data breach actions at the pleading stage. First, because Dittman’s imposition of a legal duty to safeguard personal data rests on the collection and storage of that data rather than on the employment relationship, Pennsylvania courts are likely to extend that duty beyond the employment context and apply it to all entities that collect and store personal information. Second, by finding that the actions of cybercriminals are a foreseeable risk to parties who collect and store personal information, Dittman has limited the ability of defendants to cite the criminal actions of third parties as an intervening event that would shield them from liability. Third, with its reading of the economic loss doctrine, Dittman has severely undermined the viability of the doctrine as a defense against negligence claims in data breach actions: defendants will not be able to rely on it (at least in Pennsylvania) to dismiss negligence claims where the only alleged damages are pecuniary and an independent legal duty exists. It remains to be seen whether other states adopt or reject the Pennsylvania Supreme Court’s expansive interpretation of legal duty and the economic loss doctrine in the data breach context.