Pennsylvania Court Refuses to Impose New Duty on Employers to Protect PII from Data Breaches
In a recent decision, Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), the Pennsylvania Court of Common Pleas, Allegheny County, refused to place a new affirmative duty of care on employers to protect the personal identification information (PII) of their employees against cybersecurity data breaches. The court reasoned that to create such a duty would place a heavy burden on corporate entities already incentivized to protect PII, and inundate the judiciary with a flood of litigation. The court instead looked to the state legislature to determine whether to impose this obligation, which clearly could result in significant costs for businesses.
In the case, the plaintiffs filed a putative class action of current and former University of Pittsburgh Medical Center (UPMC) employees whose PII had been stolen from UPMC’s computer systems. The lawsuit alleged that UPMC had a duty to protect the PII and had breached that duty under theories of negligence and breach of contract. Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2. These duties included the design, maintenance and testing of a security system, the need to implement processes to detect a breach, and to “implement and maintain adequate security measures to safeguard” plaintiffs’ PII. Id. at 2-3. The lawsuit alleged damages from fraudulently-filed tax returns and an increased risk of identity theft. Id. at 4. Confronted with preliminary objections, the trial court dismissed the action. Id. at 12.
Addressing the negligence claim first, the court concluded that because the alleged damages were only economic, under the economic loss doctrine, no cause of action based on negligence could exist. Id. at 4. Therefore, the claim was dismissed. The court dismissed the breach of contract claim based on the lack of evidence that a contract existed. Id. at 11-12.
In an attempt to save their case, plaintiffs contended that a special duty should be imposed upon UPMC to protect employees’ PII. Id. at 5. To support their argument, plaintiffs relied on the factors outlined in Seebold v. Prison Health Services, 57 A.3d 1232, 1234 (Pa. 2012) for imposing a duty of care, which are: (1) the relationship between the parties; (2) the social utility of the actor’s conduct; (3) the nature of the risk imposed and foreseeability of the harm incurred; (4) the consequences of imposing a duty upon the actor; and (5) the overall public interest in the proposed solution. Id.
The court, however, refused to accept this argument, concluding that to impose such a duty as a means to combat the widespread problem of data breaches could overwhelm the judiciary and ill-serve the public interest. Id. at 6. The court explained:
Plaintiffs’ proposed solution is the creation of a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiffs’ confidential information was made available to third persons through a data breach.
The public interest is not furthered by this proposed solution. Data breaches are widespread. They frequently occur because of sophisticated criminal activity of third persons. There is not a safe harbor for entities storing confidential information.
The creation of a private cause of action could result within Pennsylvania alone of the filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons. Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions. Courts will not adopt a proposed solution that will overwhelm Pennsylvania's judicial system.
The court also expressed concern over the present lack of consensus standards for defining “adequate” security. Id. at 6. The court observed that the use of “expert” testimony and jury verdicts to develop a standard of reasonable care for data security “is not a viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed.” Id. at 6. The court also worried that to create a private cause of action for data breaches could be too heavy of a burden on companies already incentivized to combat the data breach problem:
Under plaintiffs’ proposed solution, in Pennsylvania alone, perhaps hundreds of profit and nonprofit entities would be required to expend substantial resources responding to the resulting lawsuits. These entities are victims of the same criminal activity as the plaintiffs. The courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.
Id. at 6-7.
Instead, the court concluded, the issue of whether a new duty should be imposed upon corporate employers should be left to the legislative branch, not a single jurist:
I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business. Entities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations. An “improved” system for storing confidential information will not necessarily prevent a breach of the system. These entities are also victims of criminal activity.
It is appropriate for courts to consider the creation of a new duty where what the court is considering is sufficiently narrow that it is not on the radar screen of the Legislature. . . . However, where the Legislature is already considering what courts are being asked to consider, in the absence of constitutional issues, courts must defer to the Legislature.
Id. at 7-8.
In the case before it, because “[t]he only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” the court determined that it should not create a new legal duty to protect against data breaches. Id. at 10. Quoting from the Illinois Court of Appeals in Cooney v. Chicago Pub. Sch., 934 N.E.2d 23, 28-29 (Ill. Ct. App. 2010), the court stated:
While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review. As noted, the legislature has specifically addressed the issue and only required the [defendant] to provide notice of the disclosure.
Id. at 10 (emphasis in original).
Thus, according to the Pennsylvania Court of Common Pleas, Allegheny County, the ball is in the court of the Pennsylvania General Assembly. Should the Pennsylvania General Assembly enact legislation creating an affirmative duty on employers to protect employees’ PII from data breaches, the duty would be state-specific, much like current data breach notification standards across the country. Importantly, other jurisdictions may address the issue differently. Courts in other states, for instance, may recognize a duty on employers outright in lieu of deferring to the legislative branch, or merely recognize a duty on employers to protect PII as an inherent component in a preexisting statute. Other state legislative bodies also may be confronting the issue in new legislation. White and Williams will continue to monitor this area for the latest developments.
For more information about PII or other cybersecurity issues, please contact Joshua Mooney (215-864-6345; firstname.lastname@example.org) or Jay Shapiro (212.714.3063; email@example.com).