Pennsylvania Supreme Court Holds Employers Have Duty to Protect Employee Data from Cyberattacks
As much of the country’s workforce traveled on Wednesday for the Thanksgiving holiday, the Supreme Court of Pennsylvania issued a landmark decision in cybersecurity: under Pennsylvania law, employers have an independent duty to protect employee data from cyberattacks. Specifically, in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), the Court held that:
- An employer has “a legal duty to exercise reasonable care to safeguard” employee personal data stored on internet-accessible computer systems.
- Under the economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory “provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”
Translation: given that the Court now recognizes a common law duty for data protection, employers may be sued for purely economic loss arising from the failure to safeguard employee data.
How Big Is This Case?
Dittman makes the rule of law in Pennsylvania clear: if you collect data, you have to undertake reasonable measures to protect it. It’s significant for multiple reasons. First, it’s important to understand that Dittman extends beyond the employment context. Because the Supreme Court did not base its decision on the existence of an employment relationship, and instead relied upon longstanding principles of tort law, companies should expect courts to apply this duty to other contexts. With Dittman’s limitation of the economic loss doctrine, and its recognition of a common law duty to protect data, claimants now will sue for purely economic loss arising from the failure to safeguard their data. It’s fair to anticipate an uptick in litigation.
Second, the decision reflects the changing times. In Dittman, the lower courts observed that there were no generally accepted standards of care for data protection, and that employers should not have to incur significant costs in security measures when data breaches cannot be prevented. A court would never reach such a conclusion today. Regulations in cybersecurity and perceptions toward cyberattacks have changed. Standards of care have emerged, and there are recognized cybersecurity frameworks around which to build a data security program. Companies now are expected to undertake affirmative, reasonable measures to protect data. Dittman reflects these changes.
Dittman also marks an expansion of risk under business, E&O, ELP, and cybersecurity insurance. The biggest impact for the case likely will involve small and mid-sized companies, who are less likely to have undertaken adequate cybersecurity measures than larger companies. Insurance carriers who insure the SME market also may see this impact, as their policyholders get swept into litigation. Further, with the Court’s determination that the economic loss doctrine was inapplicable, absent a valid standing challenge, Dittman effectively waves goodbye to early dismissals of class action data breach lawsuits.
In Dittman, current and former employees of the University of Pittsburgh Medical Center (UPMC) commenced a class action following a data breach in which personal information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information, of 62,000 employees was accessed and stolen from UPMC’s computer systems. The data, which UPMC had collected from employees as a condition of their employment, later was used to file fraudulent tax returns. Id. at *2. Plaintiffs, who asserted claims for negligence and breach of implied contract, alleged that UPMC, as their employer, had a duty of care to protect their personal information. They alleged UPMC breached this duty by:
- Failing to design, maintain, and test its data security program to ensure that plaintiffs’ data was adequately protected;
- Failing to implement “processes that would detect a breach of its security systems in a timely manner”;
- Violating “administrative guidelines”; and
- Failing to “meet current data security industry standards,” such as proper encryption, adequate firewall protection, and authentication protocols.
Plaintiffs alleged that as a result of UPMC’s breach of the duty of care, they incurred damages from fraudulently filed tax returns and are “at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.” Id. at *2-4.
The trial court dismissed the lawsuit. Because plaintiffs did not allege any physical injury or property damage, plaintiffs could not recover solely economic damages under Pennsylvania’s economic loss doctrine. The trial court also opined that the courts should not create a new affirmative duty of care that would permit such litigation. Fearing such a duty would create a wave of litigation upon an already over-burdened judiciary, the trial court stated that the decision to impose such a duty upon employers should be left to the legislative branch. Id. at *6-9. The Superior Court affirmed, noting that although the relationship between the parties favored imposing a duty upon UPMC, UPMC nevertheless did not owe plaintiffs a special duty under Pennsylvania law. The Superior Court further agreed that the economic loss doctrine would prohibit recovery. Id. at *10-12. The Pennsylvania Supreme Court reversed.
Dittman plaintiffs argued that by requiring its employees to provide it with personal information, UPMC owed a duty to exercise reasonable care to protect the data. Id. at *15. Plaintiffs contended that such a requirement fell within the general principle of tort law that “anyone who does an affirmative act is under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.” Id. at *16. Plaintiffs contended that although this duty was limited by the concept of foreseeability, here, it was foreseeable that “troves of electronic data stored on internet-accessible computers held by large entities are obvious targets for cyber criminals.” Id. at *17. UPMC disagreed, arguing that its actions did not increase the risk of criminal activity, and that a new duty should not be created (or that it should be held liable) “merely because of the general prevalence or conceivable risk of data breaches.” Id. at *19-20. UPMC also argued that the criminal actions of a third party (i.e., the hacker) should be a superseding event that absolved it of liability. Id. at *20.
The Court disagreed with UPMC, concluding as a threshold matter that the case before it did not involve the creation of a “new” duty, but instead the “application of an existing duty to a novel factual scenario.” Id. at *21. Is this semantics? Maybe. Agreeing that tort law required those who undertake affirmative acts “to exercise the care of a reasonable man to protect [others] against an unreasonable risk of harm to them arising out of the act,” the Dittman court concluded that UPMC’s requirement that plaintiffs provide personal information triggered a duty of care:
… UPMC required them [employees] to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC. . . . Employees [also] have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach. Thus, we agree with Employees that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.
Id. at *22-24.
The Court rejected the contention that the third-party hacking created a superseding event to absolve UPMC of liability. Generally, under tort law, the wrongful actions of a third party are not deemed foreseeable and may serve as a superseding event to prohibit liability. This limitation, however, does not apply where the defendant “realized or should have realized” the likelihood that his actions could create a situation in which a third party might avail himself of an opportunity to commit a tort or crime. Id. at *24-25. In the case before it, the Dittman court held that UPMC’s data collection and storage created a situation in which UPMC knew or should have known that a third party might try to hack into its network. Thus, according to the Court, “the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect Employees’ personal and financial information from that breach.” Id. at *25-26.
Finally, addressing the economic loss doctrine, the Supreme Court rejected both lower courts’ readings of the economic loss doctrine to preclude recovery of solely economic damages based on negligence. Id. at *38-39. Instead, the Dittman court determined that Pennsylvania recognizes “that purely economic losses are recoverable in a variety of tort actions,” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law.” Id. at *39. With this expanded reading of the economic loss doctrine, and combined with the duty of care the Court now placed on employers to protect data, the Court held that the doctrine permitted recovery for the underlying data breach:
Here, Employees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems. As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar Employees’ claim.
Id. at *42-43.
What This Case Means
Dittman makes the rule of law in Pennsylvania clear: if you collect data, you have to undertake reasonable measures to protect it. Period. Full stop.
The decision may serve as a flagship for rulings in other states’ highest courts. It also brings Pennsylvania in line with some other jurisdictions. Generally, data breach litigation centers around concepts of “reasonable” cybersecurity measures, while, as detailed in the Wyndham Worldwide case, the Federal Trade Commission (FTC) has authority to commence enforcement actions under Section 5 of the FTC Act for companies’ failure to implement “adequate” cybersecurity measures. Ohio’s recently passed Data Protection Act also contemplates reasonable cybersecurity measures, but in a much more detailed approach. The statute provides an affirmative defense against tort liability if a defendant company can prove that, at the time of the data breach, it was compliant with a cybersecurity program which “reasonably conforms” to an industry-recognized cybersecurity standard or framework. The framework and level of compliance depend upon the company’s size and complexity; the nature and scope of the company’s activities; the sensitivity of the data; the cost and availability of security improvements; and the company’s resources. Dittman provides far less detail for a duty of care, much like the FTC’s “we will know it when we see it” approach. Yet certainly, a company that complies with the Ohio statute for the affirmative defense likely would meet the reasonable duty of care now required by Dittman. In fact, given increased regulation, whether by governmental agencies or consensus standards, and greater emphasis on risk allocation (i.e., steep indemnity provisions) in business contracts, many companies already have been required to improve their cybersecurity programs to levels that may match the duty of care now imposed by Dittman.
Nevertheless, companies should heed Dittman now and ensure that they comply with the standard of care. They should conduct annual risk assessments and amend or implement cybersecurity programs geared to protect the confidentiality, integrity, and availability of the data they collect. Companies also should hire outside cyber counsel when conducting a risk assessment and implementing a data security program, so that any surprises or hiccups uncovered stay within the scope of attorney-client privilege. Preparing now does not have to be expensive, and it will be a lot less expensive than poor cyber practices that 1) lead to a breach, and 2) result in litigation and liability.
If you have questions or would like further information, please contact Joshua Mooney (firstname.lastname@example.org; 215.864.6345).