The Supreme Court of Pennsylvania (‘the Supreme Court’) issued, on 21 November 2018, its decision in Dittman, B., Aplt. v. UPMC, in which it vacated the judgement of an appellate court, holding that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on an internet-accessible computer system. The case involved a class action complaint against UPMC brought by seven of its employees, who alleged that fraudulent tax returns had been filed in their names, resulting in actual damages, following a breach in which the sensitive personal information of 62,000 current and former UPMC employees was accessed and stolen from UPMC computer systems. In particular, the claimants asserted a negligence claim and sought damages.
Joshua Mooney, Partner at White and Williams LLP, told DataGuidance, “Dittman is a reflection of the changing times. The lower courts observed that there were no generally accepted standards of care for data protection, and that employers should not have to incur significant costs in security measures when data breaches cannot be prevented. A court would never reach such a conclusion today. Regulations in cybersecurity and perceptions toward cyberattacks have changed. Standards of care have emerged, and there are recognised cybersecurity frameworks around which to build a data security programme. Companies now are expected to undertake affirmative, reasonable measures to protect data. Dittman reflects these changes.”
In reaching its decision, the Supreme Court in Dittman referenced Seebold v. Prison Health Services Inc., where it had observed that, in situations involving an actor’s affirmative conduct, the actor is generally under a duty to protect others against an unreasonable risk of harm arising out of that act. The Supreme Court found that UPMC’s actions plainly constituted affirmative conduct, since UPMC had required employees to provide the relevant information, which it then collected and stored on its internet-accessible computer system without adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.
Mooney continued, “The dots are starting to connect in terms of what is required of companies that collect data. Data breach litigation centres around concepts of ‘reasonable’ cybersecurity measures, while as detailed in the Wyndham Worldwide case, the Federal Trade Commission has authority to commence enforcement actions […] for companies’ failure to implement ‘adequate’ cybersecurity measures. Ohio’s recently passed Senate Bill 220 also contemplates reasonable cybersecurity measures, but in a much more detailed approach. The statute provides an affirmative defence against tort liability if a defendant company can prove that, at the time of the data breach, it was compliant with a cybersecurity program which ‘reasonably conforms’ to an industry-recognised cybersecurity standard or framework. Dittman provides far less detail for a duty of care […] yet certainly, a company that complies with the Ohio statute for the affirmative defence likely would meet the reasonable duty of care now required by Dittman.”
The Supreme Court in Dittman also examined whether the claimants could recover purely pecuniary damages under a negligence claim in light of Pennsylvania’s economic loss doctrine. It highlighted that the claimants had asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems. The Supreme Court held that, as this legal duty exists independently of any contractual obligations between the parties, the economic loss doctrine does not bar the claim.
Julian Neiser, Member at Spilman Thomas & Battle, PLLC, concluded, “The Supreme Court’s decision will cause the case to go back to the trial court at the very early stages, so we really don’t know what will happen on the merits once discovery is done. The only thing we do know from the decision is that claimants who bring common law claims for data breach losses against employers have a path to do so. Whether they can win on those claims is a whole other story […] My suggestion to employers is to consult with their IT professionals and avoid liability on data breaches through good practices. They also need to have effective policies in place and ensure that their practices are reasonable. Remember, negligence claims can only win if there was lack of due care. An ounce of prevention from employers can often avoid this kind of liability.”
Rumer Ramsey, Junior Privacy Analyst