Monthly Archives: February 2017

Pennsylvania Superior Court Rules Employer Owes No Duty to Protect Employee Data

Kelly A. Williams, a Senior Attorney at the Pittsburgh law firm of Houston Harbaugh, P.C. 412-288-4005

In an apparent case of first impression, a divided three-judge panel of the Pennsylvania Superior Court recently held that an employer does not owe a legal duty to its employees to protect the employees’ electronically stored personal and financial information.  In Dittman v. UPMC, decided on January 12, 2017 (docket no. 971 WDA 2015), the Superior Court affirmed an opinion of the Court of Common Pleas of Allegheny County, PA (opinion by the Honorable R. Stanton Wettick, Jr.), sustaining defendant University of Pittsburgh Medical Center’s (“UPMC”) preliminary objections to an employee class action suit.  The suit arose from a data breach of the employees’ personal information, which was provided to UPMC as a condition of employment.

The employees sued UPMC for negligence and breach of contract after their names, birth dates, social security numbers, tax information, addresses, salaries and bank information were stolen due to the data breach. Specifically, they alleged that UPMC failed to properly encrypt data, establish adequate firewalls and implement adequate authentication protocols to protect the information in its computer network.  All of UPMC’s 62,000 employees and former employees were affected by the breach.  Appellants consisted of two separate but overlapping classes.  One class alleged that the stolen information had already been used to file fraudulent tax returns and steal the tax refunds of certain employees.  The other class consisted of those who had not suffered this harm but alleged that they were at increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.

To determine whether a duty of care exists, the Pennsylvania courts look to five factors, none of which are determinative alone. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1243 (Pa. 2012); Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000).  The five factors are:

  1. the relationship between the parties;
  2. the social utility of the actor’s conduct;
  3. the nature of the risk imposed and foreseeability of the harm incurred;
  4. the consequences of imposing a duty upon the actor; and
  5. the overall public interest in the proposed solution.

In Dittman, the court found that the first factor weighed in favor of finding a duty because the employer-employee relationship gives rise to duties on the employer.  The court next weighed the second factor against the third:  the need of employers to collect and store personal information about their employees against the risk of storing information electronically and the foreseeability of data breaches.  The court concluded:

While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information. In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data. Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.

Analysis of the fourth factor looks to the consequences of imposing a duty.  In this situation, the court considered that data breaches are widespread and that there is no safe harbor for entities storing confidential information.  It was also the court’s opinion that no judicially created duty of care is needed to incentivize companies to protect confidential employee information because other statutes and safeguards are in place to prevent employers from disclosing confidential information.  Thus, the court found “it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.”

Finally, the fifth factor looks to whether there is a public interest in imposing a duty.  The Superior Court found persuasive the reasoning of the trial court that imposing a duty here would greatly expend judicial resources and would result in judicial activism.  The Superior Court agreed with the trial court that the Pennsylvania legislature has considered the same issues and chose only to impose a duty of notification of a data breach.  “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the legislature.”

Weighing all five factors, the court held that the factors weighed against imposing a duty.  Judge Stabile filed a concurring opinion, which Judge Olson, the writer for the majority opinion, joined.  Judge Stabile agreed with the ruling but emphasized that the law in this area is quickly changing and that the ruling was based on the facts pled in that particular case.  One of the key facts for Judge Stabile was that the employees had not alleged that UPMC was on notice of any specific security threat.  In a dissenting opinion, Judge Musmanno concluded that allegations that UPMC failed to properly encrypt data, establish adequate firewalls and implement appropriate authentication protocols were sufficient to allege that UPMC knew or should have known that there was a likelihood data would be stolen.  Judge Musmanno also disagreed with the majority’s assumption that employers are sufficiently incentivized to protect employee data without a duty imposed upon them to do so.

The employees filed a motion for reconsideration and reargument on January 26, 2017.  Thus, the Superior Court’s January 2017 opinion may not be the final word on the issue.

Dittman is interesting in the world of data breach lawsuits because it does not address standing.  Many data breach defendants have relied upon the theory that plaintiffs lack standing to bring claims for data breaches where plaintiffs cannot prove actual harm from the breach.  Proof of actual harm can be challenging because evidence regarding the use of the stolen information may be difficult to find.  Here, standing was not discussed by the Superior Court.  In the trial court below, UPMC had argued that the claims against it should be dismissed on the grounds that the employees lacked standing to assert claims on behalf of employees who had not yet been injured.  UPMC also asserted that the employees’ negligence and breach of implied contract claims failed as a matter of law.  After oral argument on these issues, the trial court ordered both parties to file supplemental briefs on the issue of whether UPMC owed a duty to its employees with respect to the handling of their personal and financial data.  This ultimately proved to be the issue that the trial court and the Superior Court found to be determinative.

The Dittman v. UPMC opinion may be found at:  http://scholar.google.com/scholar_case?case=17833965968674892500&q=dittman+v.+upmc&hl=en&as_sdt=6,39&as_vis=1.


Fed Circuit Reverses Finding of Indefiniteness of “Visually Negligible” Term

by: Robert Wagner, intellectual property attorney at the Pittsburgh law firm of Picadio Sneath Miller & Norton, P.C.

Inventors often use generalized language in patent claims when they are dealing with concepts that are not easy to quantify. This generalized language can create issues in litigation, when a defendant argues that the claims are so imprecise as to be indefinite. The Federal Circuit recently addressed such an issue in Sonix Technologies Co., Ltd. v. Publications International, Ltd. (Case No. 2016-1449). In that decision, the Court, in a unanimous opinion written by Judge Lourie, held that the trial court erred when it concluded that the term “visually negligible” rendered the claim indefinite.

Background

Sonix Technologies owned a patent that described a system and method for using a “graphical indicator” to encode information on the surface of an object that could be read by an “optical device.” Sonix recognized that such a general concept was not new–for example, bar code readers have been in existence for decades–but the novel twist was that the “graphical indicator” was essentially imperceptible to the naked eye. The claims required that the “graphical indicator” be “visually negligible.”


Defendants argued that the term “visually negligible” was too subjective and did not provide reasonable guidance on its meaning. Sonix argued that the term was sufficiently definite in light of the specification, which discussed how the “graphical indicator” did not interfere with an observer’s view of the item, in contrast with a bar code, which obscures the content below it.

The trial court agreed with defendants and found that the term “visually negligible” was indefinite and the claims were invalid. Sonix appealed to the Federal Circuit, which reversed, finding that the term was sufficiently definite.

Indefiniteness Standard

Under 35 U.S.C. § 112, ¶ 2, the claims of a patent must particularly point out and distinctly claim the subject matter of the invention. Supreme Court precedent requires that “a patent’s claims, viewed in light of the specification and prosecution history, inform those skilled in the art about the scope of the invention with reasonable certainty.” (citing Nautilus v. Biosig Instruments, Inc., 134 S.Ct. 2120 (2014)). Because absolute precision is not required to meet this standard, courts frequently have allowed more generalized language, especially where the specification provides guidance in interpreting the language.

The Federal Circuit looked at the prior cases and concluded that “visually negligible” was not so uncertain as to render the claims indefinite. It contrasted this case with others that dealt with purely subjective terms, such as “aesthetically pleasing.” The specification indicated that an indicator was “visually negligible” when it could not readily be seen by the naked eye and provided examples of such indicators. This specificity was sufficient in the Federal Circuit’s eyes. Moreover, the Court looked to the extensive prosecution history (with multiple reexaminations), which indicated that the Patent Office was able to determine the meaning and scope of the term without issue.

The Court ultimately concluded:

Our holding in this case does not mean that the existence of examples in the written description will always render a claim definite, or that listing requirements always provide sufficient certainty. Neither does the fact that an expert has applied a contested claim term without difficulty render a claim immune from an indefiniteness challenge. As always, whether a claim is indefinite must be judged “in light of the specification and prosecution history” of the patent in which it appears. . . . We simply hold that “visually negligible” is not a purely subjective term and that, on this record, the written description and prosecution history provide sufficient support to inform with reasonable certainty those skilled in the art of the scope of the invention. The examiner’s knowing allowance of claims based on the term that is now questioned, plus the acceptance of the term by both parties’ experts, force us to the conclusion that the term “visually negligible” is not indefinite. Accordingly, we reverse the district court’s conclusion that the asserted claims are invalid as indefinite.