Article by Taylor Wantz and Lyle Washowich, Esq.
On November 21, 2018, the Pennsylvania Supreme Court issued a landmark decision, holding that employers have a duty to protect their employees’ data from cyberattack. Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), establishes negligence as a valid cause of action when an employer breaches that duty, even when the damages suffered are purely economic in nature.
Pennsylvania Law Prior to Dittman and the Economic Loss Doctrine
Prior to Dittman, negligence claims on an alleged cyber breach rarely succeeded in Pennsylvania courts. Generally, in those cases involving alleged negligence, plaintiffs were required to plead and prove: (1) the existence of a duty to exercise due care; (2) breach of that duty; (3) causation; and (4) damages. The last element in particular, damages, had proven to be a difficult hurdle for plaintiffs to overcome in this type of litigation. In order to have adequately pled and proven damages, plaintiffs must have suffered more than purely economic loss. That bar on economic damages has been known as the “economic loss doctrine.”
The economic loss doctrine generally provided that a plaintiff could recover in tort only those economic losses resulting directly from injury to his person or damage to his property. For plaintiffs, the economic loss doctrine was particularly problematic in cyber breach cases because the damages allegedly suffered were typically only economic damages – monetary losses associated with the misuse of the personal information stolen in the breach. Thus, without any physical injury or property damage, plaintiffs had encountered significant challenges in pleading a negligence cause of action for a cyber breach, limiting their only significant remedy to breach of contract.
Dittman
In Dittman, employees of the University of Pittsburgh Medical Center (“UPMC”) brought a class action lawsuit against their employer after a data breach resulted in the loss of personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information for over 62,000 UPMC current and former employees.[1] This stolen information, in certain instances, was used to file fraudulent tax returns on behalf of the employees.
The employees asserted claims for negligence and breach of implied contract, which alleged that UPMC owed them a duty to protect their personal information. The employees argued that this duty arises out of the general principle that “anyone who does an affirmative act is under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm . . . arising out of the act.”[2] As presented by the employees, this duty would require employers to exercise reasonable care to safeguard their sensitive and personal data.
The Allegheny County Court of Common Pleas dismissed the employees’ claims, holding that while Pennsylvania law required employers to provide notice of cyber breach to victims, it stopped short of imposing a duty to protect their employees’ data.[3] The Trial Court also recognized that the economic loss doctrine barred the employees’ negligence claim, because they failed to allege any injury beyond purely economic damages.[4] On appeal, the Pennsylvania Superior Court affirmed.[5]
However, in a unanimous decision, the Pennsylvania Supreme Court reversed the lower court’s holding. To do so, the Pennsylvania Supreme Court held that it was not creating a “new affirmative duty” but, instead, was applying an “existing duty to a novel factual scenario.”[6] Additionally, the Pennsylvania Supreme Court rejected UPMC’s argument that Pennsylvania’s economic-loss doctrine precludes all negligence claims for solely economic damages. Rather, recovery for purely economic loss is permissible if the employer’s breach of duty is independent from any duty assumed pursuant to a contract. In Dittman, the employees asserted that UPMC breached its duty to act with reasonable care in protecting their personal information, which is a duty that purportedly exists separately from any contractual agreement between UPMC and its employees. Thus, the employees argued, they were not barred from bringing a negligence claim against their employer. The Pennsylvania Supreme Court agreed and reversed and remanded for further proceedings.
Other Theories of Liability
Beyond this direct impact on employers to safeguard their employees’ information, the Pennsylvania Supreme Court’s holding could lead to other avenues of litigation. The most frequently asserted theory in cyber breach litigation is a claim for breach of contract. In order to bring a breach of contract claim, a plaintiff must establish, among other things, that his employer agreed to safeguard his or her personal information, usually by the existence of a contract or agreement. Frequently, plaintiffs have difficulty pointing to an express agreement that an employer made or a promise to protect their employees’ personal data. Some courts, however, have recognized the existence of an “implied” contract, where an employer manifests an intent to safeguard data through its conduct, rather than words. Dittman may bolster such claims.
Additionally, Dittman may expose businesses to liability beyond the scope of the employer/employee relationship. If a company’s marketing, advertising, or related policies indicate that it will take reasonable measures to safeguard employee or customer information, the policy may be used as a basis to assert a negligent misrepresentation claim. For example, plaintiffs have alleged that a company’s privacy policy statement regarding “reasonable security and industry-standard encryption” amounted to a negligent misrepresentation, after the company suffered a data breach.[7] Similarly, plaintiffs have asserted that by accepting and processing credit card payments, a business impliedly represented that it complied with Mastercard and Visa’s data security regulations, resulting in a negligent misrepresentation.[8] While the success of these negligent misrepresentation claims varies from state to state, it is important for businesses to be aware of their potential liability, as Dittman will do nothing to discourage such claims. To the contrary, it will more than likely be used by counsel to attempt to further assert them. In addition to claims for negligent misrepresentation, courts have likewise recognized claims for breach of fiduciary duty, invasion of privacy, and unjust enrichment when a business fails to protect consumers’ personal information.
Data Security Laws
As security risks continue to increase, thirty-six states have enacted laws that require businesses that own, license, or maintain personal information to implement and maintain “reasonable security procedures and practices” to protect personal information from unauthorized access.[9] The number of states with security breach legislation has doubled since 2016, indicating the growing concern about data breach security. At this time, Pennsylvania has not enacted any legislation that addresses data security, but the Pennsylvania Supreme Court’s recent decision in Dittman could push the state legislature to consider enacting such laws.
What does this mean for Pennsylvania employers?
In the event of a cyberattack, employers can now be sued for economic damages that may arise from a failure to safeguard sensitive data. Most importantly, this duty imposed on employers applies to every employer: from a Fortune 500 company to a small family-owned business to a nonprofit. Businesses in every industry and of every size can become a target for cyberattacks and, in fact, small and medium-sized businesses are increasingly becoming targets for hackers. While small employers might not have the resources or expertise to adequately prepare for an attack, the law in Pennsylvania still binds them to the standard.
Employers must implement policies and practices to avoid the risk of a cyberattack. This might include, among other things, performing a cybersecurity risk assessment, developing company policies with regard to cybersecurity, and creating an action plan for responding to security attacks. Employers should consider obtaining cybersecurity insurance, if not done already, which can help pay for expenses related to data breaches, including legal expenses such as counsel, settlements, and judgments.
Dittman v. UPMC will have a significant impact on cybersecurity litigation in Pennsylvania (and across the country). Pennsylvania is likely to see an uptick in cyber breach litigation and, while some states (such as California) have already recognized an employer’s duty to protect their employees’ personal information, more jurisdictions are likely to follow this trend. All employers, no matter their size, must establish safeguards against cyber threats, not only to protect their employees’ personal information but also to protect themselves from the possibility of subsequent litigation. Moreover, this area of the law is likely only to grow in coming years.
[1] Dittman, 196 A.3d at 1038-39.
[2] Id. at 1045.
[3] Dittman v. UPMC, No. GD-14-003285, 2015 WL 13779479, *5 (Pa. Com. Pl. May 28, 2015).
[4] Id. at *3.
[5] Dittman v. UPMC, 154 A.3d 318, 329 (Pa. Super. Ct. 2017).
[6] Dittman v. UPMC, 196 A.3d 1036, 1040, 1046 (Pa. 2018).
[7] In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 975 (S.D. Cal. 2014).
[8] In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489, 494 (1st Cir. 2009).
[9] Data Security Laws-Private Sector, Nat’l Conf. St. Legislatures (Jan. 4, 2019), http://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx.