
Pennsylvania Supreme Court Holds PA Employers Have an Affirmative Duty to Protect Employee Data

November 28, 2018

By Michael B. Hayes and Kelly K. Huff

As the calendar year begins to wind down, employers across the Commonwealth need to perk up.  On November 21, 2018, the Pennsylvania Supreme Court issued a landmark decision that greatly increases employers’ risk of exposure to being sued by their employees if the company experiences a data breach that compromises employees’ personal information – an unfortunately all too common event in today’s technology-reliant economy.

In  Dittman v. UPMC,  No. 43 WAP 2017, 2018 WL 6072199 (Pa. 2018), Pennsylvania’s highest court recognized, for the first time, that employers have an affirmative, common law duty to “exercise reasonable care to safeguard [their] employees’ sensitive personal information by the employer on an internet accessible system.” The Supreme Court also clarified that the “economic loss doctrine” does not preclude recovery of monetary damages, under a negligence theory, “provided that the plaintiff can establish the [employer’s] breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”[i]

In other words, the Pennsylvania Supreme Court held that employees can sue their employers for negligence when the employer suffers data breaches that result in the loss of employees’ stored “sensitive personal information.”

Employers across the country easily can relate to the underlying facts in the Dittman class action.  Plaintiffs are current and former employees of the University of Pittsburgh Medical Center (UPMC) who allege that UPMC required them to provide personal information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information, as a standard condition of their employment.  Plaintiffs further alleged that the personal information of approximately 62,000 UPMC employees was accessed and stolen from UPMC’s computer systems during the course of a data breach, and that as a result, fraudulent tax returns were filed on behalf of many employees, causing actual damages.[ii]  Plaintiffs filed a negligence claim against UPMC, alleging that UPMC undertook a duty of care to ensure the security of their personal information and breached that duty by failing to adopt, implement, and maintain adequate security measures in its computer systems, including proper firewalls, data encryption, and authentication protocols.

Plaintiffs’ claims were dismissed by lower courts on the basis that the employers had no common law duty under these circumstances.  Plaintiffs asked the Pennsylvania Supreme Court to hear the case, and the Court agreed to do so.[iii]

What Employers Need to Know

The Pennsylvania Supreme Court held that employers have an affirmative duty to secure employees’ personal information that they collect.  The Court indicated that the holding was not creating a brand new common law duty under Pennsylvania law, but rather this was a case of applying the well-established duty of care to a novel set of facts relating to corporate data security.[iv]  Under Pennsylvania tort law, “[i]n scenarios involving an actor’s affirmative conduct, he is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.’”[v]

Critically, the Supreme Court found that it was UPMC’s requirement that the employees provide their personal information as part of their employment that triggered UPMC’s affirmative “duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” The Supreme Court also rejected UPMC’s argument that the cybercriminal conduct eliminated that duty or that a cyber-attack was unforeseeable.[vi] The Court did not comment on what types of security measures may be deemed reasonable or unreasonable. This will be an area of law that will continue to be monitored as future case law develops out of this decision.

The Supreme Court also held that because these facts created a common law duty of care between UPMC and Plaintiffs, the “economic loss doctrine” did not bar Plaintiffs’ negligence claim.  The economic loss doctrine generally bars negligence claims that seek to recover purely economic damages, absent any injury to person or property.  It is an important defense that employers often raise to preclude their employees from bringing negligence claims against them, given that the employee-employer relationship is typically contractual in nature and contractual remedies will displace tort remedies.  The Supreme Court reviewed several keystone cases[vii] addressing the economic loss doctrine, and ultimately clarified that “those cases do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages.”[viii]  The opinion further specified that “if the duty arises under a contract between the parties, a tort action will not lie from a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.”[ix]

The latter part of this holding is notable because if an employee can establish that its employer had a duty outside of the employment contract – whether it be the duty of care to protect electronically stored information or another duty – employees will be able to rely on Dittman to pursue tort claims seeking purely economic damages against their employer.

What Employers Need to Do

Dittman should prompt employers to immediately take stock not only of their existing cybersecurity systems and protections (including insurance), but also of what employee and other personal information they have collected and are maintaining on company systems. Of course, employers already have very strong, inherent interests in maintaining the security of personal information that belongs to their employees and customers; the Pennsylvania Supreme Court’s decision in Dittman raises the stakes of data breaches to include the potential for costly negligence claims from any number of current and former employees.

The Pennsylvania Supreme Court’s decision in Dittman undoubtedly will entice plaintiffs’ lawyers to home in on Pennsylvania data breaches as a new source of lucrative tort litigation claims. While implementing robust data security measures might seem expensive in the short run, employers must evaluate these costs against the company’s potential future exposure to significant litigation risks, such as this class action brought against UPMC. In any case, if a company experiences a data breach that compromises client or employee data, the company should consult with outside counsel promptly about the litigation risks and mitigation.

For more information, please contact Michael B. Hayes or Kelly K. Huff.

[i] Dittman v. UPMC, 2018 WL 6072199, at *1.

[ii] Id. at *2.

[iii] Id. at *2-3, 8. Plaintiffs also filed a breach of implied contract claim, the dismissal of which was not appealed. Id. at n.3.

[iv] Id. at *7.

[v] Id. at *7 (quoting Comment (a) to Restatement (Second) of Torts, § 302).

[vi] Id. at *9.

[vii] The Court reviewed its prior analysis of the economic loss doctrine in Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270 (Pa. 2005) and Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840 (Pa. 2009) and affirmed the holdings of both.

[viii] Id. at *13.

[ix] Id.