On November 21, 2018, the Supreme Court of Pennsylvania issued a landmark ruling in the case of Dittman v. UPMC in favor of employees at the University of Pittsburgh Medical Center (UPMC) represented by Lynch Carpenter. In its decision, the Supreme Court of Pennsylvania held that UPMC had a duty to reasonably protect its workers’ personal data from cyber theft. This decision will very likely have a profound impact on future data breach litigation, specifically regarding the degree to which recipients of sensitive, personally identifying information are required to act reasonably in electronically storing and safeguarding such data. Gary Lynch argued the case on behalf of the employees, with Lynch Carpenter attorney Jamisen Etzel spearheading the briefing.
How the Case Arose
In February 2014, UPMC first informed the public about its data breach. Initially, UPMC claimed the data leak involved the names, addresses, bank information, birth dates, salaries, and social security numbers of only 22 workers. Two months later, however, in April 2014, UPMC updated this information and stated that 27,000 workers had information stolen. In May 2014, UPMC finally confirmed that all of its current as well as former workers were affected by the breach.
While the extent of the breach was still being investigated, in June 2014, Lynch Carpenter filed a class action lawsuit against UPMC in the Court of Common Pleas of Allegheny County, on behalf of all UPMC employees (consisting of approximately 62,000 current workers and an undetermined number of former employees). The lawsuit alleged that UPMC:
- Failed to adopt, design, and maintain adequate security measures for worker data privacy rights.
- Failed to implement processes that would detect security breaches in a timely manner
- Failed to meet current data security industry standards regarding authentication protocols, encryption, and firewalls
- Breached its duty of reasonable care to secure personal information, and
- Violated administrative guidelines
The lawsuit sought recovery of economic losses resulting from the filing of fraudulent tax returns in the names of workers whose information was stolen, as well as the increased risk that workers faced in the future of becoming the victims of identity theft, fraud, and abuse.
The Procedural History of the Case
The case took several years before it was heard by the Pennsylvania Supreme Court. The Court of Common Pleas initially dismissed all counts in the complaint, holding that UPMC owed no duty to reasonably protect employee data from cyber theft and, in any event, such a negligence claim based solely on economic damages would be barred by Pennsylvania’s economic loss doctrine. The Superior Court later affirmed the Court of Common Pleas’ dismissal. The Supreme Court of Pennsylvania, however, ultimately reversed this decision.
The Supreme Court of Pennsylvania’s Ruling
There are two notable components to the Supreme Court of Pennsylvania’s ruling:
- Duty to protect sensitive data from cyber theft. As part of its decision, the Supreme Court of Pennsylvania rejected the concept that it was creating a “new affirmative duty” for the holders of sensitive information. Instead, the Court found it was merely applying a long-established duty to a novel scenario. As a result, the Court held that where an employer’s collection of personal data belonging to workers creates a foreseeable risk of data breach, an employer has a duty of reasonable care to secure this data. This led the Court to conclude that UPMC should have realized a cybercriminal might take advantage of vulnerabilities in the company’s computer system and steal data belonging to current and past workers.
- Negligence claims involving “purely” economic loss. In its decision, the Supreme Court of Pennsylvania further held that Pennsylvania’s economic loss doctrine does not prohibit negligence claims seeking “purely” economic damages, so long as the duty sought to be enforced arises independently of any contractual duty. In reaching this holding, the Court clarified its prior decisions enunciating and applying the economic loss doctrine and rejected any and all previous pronouncements of the doctrine by lower Pennsylvania courts which had suggested an oversimplified interpretation of the doctrine which disallowed any tort claim in which only economic damages are sought. This significant holding by the Court makes it clear that if the duty which forms the basis for a tort claim arises independently of any contractual obligation between parties, such claim is viable even if purely economic damages are sought. As a result, the Court found that UPMC had a duty to reasonably secure personal data under general principles of negligence law, and the economic loss doctrine does not prohibit the workers’ claims.
Protecting the Privacy Rights of Workers
Data breaches are occurring in our society at an alarming rate. If you are a victim of a data breach, it is important to remember that the holder of your data is obligated to act reasonably to store and protect it from cyber theft. If you believe the holder of your data has failed to uphold this duty, please contact Gary Lynch at Lynch Carpenter today by calling 1-(800)-467-5241 or contact us here.