In an apparent case of first impression, a divided three-judge panel of the Pennsylvania Superior Court recently held that an employer does not owe a legal duty to its employees to protect the employees’ electronically stored personal and financial information. In Dittman v. UPMC, decided on January 12, 2017 (docket no. 971 WDA 2015), the Superior Court affirmed an opinion of the Court of Common Pleas of Allegheny County, PA (opinion by the Honorable R. Stanton Wettick, Jr.), sustaining defendant University of Pittsburgh Medical Center’s (“UPMC”) preliminary objections to an employee class action suit. The suit arose from a data breach of the employees’ personal information, which was provided to UPMC as a condition of employment.
The employees sued UPMC for negligence and breach of contract after their names, birth dates, social security numbers, tax information, addresses, salaries and bank information were stolen due to the data breach. Specifically, they alleged that UPMC failed to properly encrypt data, establish adequate firewalls and implement adequate authentication protocols to protect the information in its computer network. All of UPMC’s 62,000 employees and former employees were affected by the breach. Appellants consisted of two separate but overlapping classes. One class alleged that the stolen information had already been used to file fraudulent tax returns and steal the tax refunds of certain employees. The other class consisted of those who had not suffered this harm but alleged that they were at increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.
To determine whether a duty of care exists, the Pennsylvania courts look to five factors, none of which are determinative alone. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1243 (Pa. 2012); Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000). The five factors are:
- the relationship between the parties;
- the social utility of the actor’s conduct;
- the nature of the risk imposed and foreseeability of the harm incurred;
- the consequences of imposing a duty upon the actor; and
- the overall public interest in the proposed solution.
In Dittman, the court found that the first factor weighed in favor of finding a duty because the employer-employee relationship gives rise to duties on the employer. The court next weighed the second factor against the third: the need of employers to collect and store personal information about their employees against the risk of storing information electronically and the foreseeability of data breaches. The court concluded:
While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information. In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data. Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.
Analysis of the fourth factor looks to the consequences of imposing a duty. In this situation, the court considered that data breaches are widespread and that there is no safe harbor for entities storing confidential information. It was also the court’s opinion that no judicially created duty of care is needed to incentivize companies to protect confidential employee information because other statutes and safeguards are in place to prevent employers from disclosing confidential information. Thus, the court concluded that “it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.”
Finally, the fifth factor looks to whether there is a public interest in imposing a duty. The Superior Court found persuasive the reasoning of the trial court that imposing a duty here would greatly expend judicial resources and would result in judicial activism. The Superior Court agreed with the trial court that the Pennsylvania legislature has considered the same issues and chose only to impose a duty of notification of a data breach. “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the legislature.”
Weighing all five factors, the court held that the factors weighed against imposing a duty. Judge Stabile filed a concurring opinion, which Judge Olson, the writer for the majority opinion, joined. Judge Stabile agreed with the ruling but emphasized that the law in this area is quickly changing and that the ruling was based on the facts pled in that particular case. One of the key facts for Judge Stabile was the fact that the employees had not alleged that UPMC was on notice of any specific security threat. In a dissenting opinion, Judge Musmanno concluded that allegations that UPMC failed to properly encrypt data, establish adequate fire walls and implement appropriate authentication protocols was sufficient to allege that UPMC knew or should have known that there was a likelihood data would be stolen. Judge Musmanno also disagreed with the majority’s assumption that employers are sufficiently incentivized to protect employee data without a duty imposed upon them to do so.
The employees filed a motion for reconsideration and reargument on January 26, 2017. Thus, the Superior Court’s January 2017 opinion may not be the final word on the issue.
Dittman is interesting in the world of data breach lawsuits because it does not address standing. Many data breach defendants have relied upon the theory that plaintiffs lack standing to bring claims for data breaches where plaintiffs cannot prove actual harm from the breach. Proof of actual harm can be challenging because evidence regarding the use of the stolen information may be difficult to find. Here, standing was not discussed by the Superior Court. In the trial court below, UPMC had argued that the claims against it should be dismissed on the grounds that the employees lacked standing to assert claims on behalf of employees who had not yet been injured. UPMC also asserted that the employees’ negligence and breach of implied contract claims failed as a matter of law. After oral argument on these issues, the trial court ordered both parties to file supplemental briefs on the issue of whether UPMC owed a duty to its employees with respect to the handling of their personal and financial data. This ultimately proved to be the issue that the trial court and the Superior Court found to be determinative.
The Dittman v. UPMC opinion may be found at: http://scholar.google.com/scholar_case?case=17833965968674892500&q=dittman+v.+upmc&hl=en&as_sdt=6,39&as_vis=1.