Pennsylvania Supreme Court Puts Employers on Notice: You Can Be Liable When Hackers Breach Your Systems
The Pennsylvania Supreme Court has recast two key legal principles that have stood as crucial bulwarks against liability for employers and other businesses that find themselves hacked by malicious third parties. The decision, Dittman v. UPMC, No. 43 WAP 2017, 2018 Pa. LEXIS 6051 (Nov. 21, 2018), has the potential to usher in a new era of data breach litigation in Pennsylvania. It stands as a strong warning to Pennsylvania employers that they should act now to review and assess the adequacy of their data security.
The Law as Read and Shaped by the Courts Below
Dittman involves a class action for negligence brought by employees of the University of Pittsburgh Medical Center (UPMC) against their employer after the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 employees were stolen by hackers who breached UPMC’s computer systems. The stolen information was subsequently used to file fraudulent tax returns and collect tax refunds in the names of some of the employees. The employees alleged that UPMC’s data security practices and infrastructure were inadequate, and therefore UPMC should be liable for their harm.
UPMC sought to dismiss the case, arguing that it had breached no cognizable legal duty, that it could not be held liable for the criminal acts of malicious third parties, and that Pennsylvania’s heretofore robust “economic loss doctrine” precluded the employees’ claims. This line of argument won the day in the trial court: that court explained that data breaches are widespread and frequent and that imposing such a legal duty on employers could subject them to “hundreds of thousands of lawsuits.” The court also held that under the economic loss doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage”; for this reason too, the employees’ negligence claim was barred. The trial court granted UPMC’s preliminary objections and dismissed the employees’ claims. Dittman v. Univ. of Pittsburgh Med. Ctr., No. GD-14-003285, 2015 Pa. Dist. & Cnty. Dec. LEXIS 15097 (C.P. Allegheny May 28, 2015).
The Superior Court sustained the dismissal and endorsed the trial court’s reasoning. As previously reported here, the Superior Court held in a split opinion both that (a) UPMC did not owe a duty to the employees and (b) the economic loss doctrine barred the negligence claim. The court found it dispositive that “a third party committing a crime is a superseding cause” against which “a defendant does not have a duty to guard…unless he realized, or should have realized, the likelihood of such a situation.” It also agreed with the lower court that employers have an independent incentive to prevent cyberattacks, making it “unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether.” Finally, the Superior Court also found that the economic loss doctrine barred the employees’ tort claim premised on purely monetary losses. Dittman v. UPMC, 2017 PA Super 8, 154 A.3d 318, 2017 Pa. Super. LEXIS 13 (Pa. Super. Ct., Jan. 12, 2017).
As we have noted, the principles endorsed by the Superior Court provided employers with a measure of comfort that they would not likely be held liable to their employees for failing to prevent a determined hacker from breaching their defenses and accessing their systems.
The Supreme Court Decision
The employees appealed, and the Supreme Court agreed to take up two questions:
- Do employers have a legal duty to safeguard personal employee information stored on internet accessible computers?
- Does the economic loss doctrine bar recovery for purely monetary damages resulting from a breach of an independent legal duty under common law?
Duty of Care
The Supreme Court reversed the lower courts, holding that employers that store and collect their employees’ personal data have a common law duty to protect that information. The Supreme Court started with the premise that “in scenarios involving an actor’s affirmative conduct, [the actor] is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.” Rejecting UPMC’s argument that its mere possession of employee information did not constitute an affirmative act giving rise to a common law legal duty, the Court found it sufficient that UPMC required certain personal and financial information as a condition of employment, which it collected and stored on internet accessible computers.
The Supreme Court explained that while one is generally not liable for the wrongful actions of third parties, “liability could be found if the actor ‘realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or a crime.’” The Court found that UPMC’s failure to utilize adequate security measures, including “encrypting data properly, establishing adequate firewalls, and implementing adequate authentication protocol[s],” created conditions that allowed cybercriminals to take advantage of the vulnerabilities in UPMC’s computer systems. As a result, a data breach was “within the scope of the risk created by UPMC.” And because of that, UPMC could be held liable for failing to prevent the criminal acts of third parties hackers. Notably, the Court framed this conclusion as a mere application of an “existing duty to a novel factual scenario,” rather than the creation of a “new affirmative duty of care.”
Economic Loss Doctrine
Turning to the economic loss doctrine, the Supreme Court again reversed the courts below, noting that “Pennsylvania has long recognized that purely economic losses are recoverable in a variety of tort actions” (emphasis added).
The Supreme Court explained instead that the application of the economic loss doctrine turns on the source of duty owed by the defendant: “if the duty arises under a contract between the parties, a tort action will not lie…if the duty arises independent of any contractual duties between the parties, then a breach of that duty may support a tort action.” In this case, the Court found that the common law duty to act with reasonable care existed independently from any contractual obligations between the parties; therefore, the economic loss doctrine did not bar the employees’ claim.
What This Means for Businesses
The Supreme Court’s holding will profoundly affect data breach litigation in Pennsylvania and has the potential to spur a major wave of lawsuits. This decision will make it very difficult for employers to achieve early (pre-discovery) dismissal of data breach claims, which, given the nature of data breaches, may well be brought (as the Dittman case was) as class actions. Moreover, not only do employees now have a cause of action against employers for data breaches, but it is conceivable that plaintiffs’ attorneys will try to expand the holding beyond the employee-employer context, applying it for example to consumers whose personal information are compromised during cyberattacks, a context in which class actions have been particularly difficult to successfully mount.
Companies which collect and store sensitive employee, and possibly consumer, data are now on notice that they must take reasonable care to ensure that their systems have sufficient security measures to guard against data breaches or face time-consuming and costly litigation and potential liability to their constituents when vulnerable systems are breached. What constitutes sufficient “reasonable care” is, and will remain, a moving target – there is no one-size-fits-all checklist – and it will likely vary according to a company’s size and individual risk. But every company should begin with a careful and deliberate assessment of its risk. Based on that assessment, companies should identify and implement appropriate security measures. And crucially, those measures must be continually updated as new risks develop. Well-documented, careful measures undertaken in advance will go a long way toward fending off liability in the event of a breach.