Data Protection Report - Norton Rose Fulbright

The Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach.  The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to safeguard the electronically-stored personal and financial information of its employees. This decision presents a practical analysis of the challenges facing large employers who need to store employee information electronically while also guarding against the ever-present risk of a data breach.

The Incident

Personal and financial information of almost 62,000 employees, including names, dates of birth, social security numbers, tax information, addresses, and salary and bank information was compromised in the breach. Plaintiffs alleged that the information was accessed and stolen from UPMC’s computer systems and used to file fraudulent tax returns and steal tax refunds. UPMC confirmed that at least 788 employees had been victims of tax fraud. The hacked data was personal information that UPMC required employees to provide as a condition of employment.

The Dismissal

Plaintiffs brought claims for negligence and breach of implied contract against UPMC. The class consisted of two separate but overlapping subclasses: employees who had already suffered identity theft, and employees whose information had been stolen and were allegedly at an increased risk of identity theft but who had not yet suffered identity theft. The court ruled that under state law, UPMC did not owe a duty of reasonable care to its employees in the collection and storage of employee data. In coming to this conclusion, the court acknowledged the practical realities facing large employers, highlighting the utility of electronic storage of employee data.  The court also considered the social and financial costs of holding employers responsible for third-party criminal acts, especially “when there is no true way to prevent data breaches altogether.” However, the court noted that this duty analysis would likely change if UPMC was aware of a specific threat to employee data, as opposed to a generalized one. The court further held that UPMC did not agree to enter into an implied contract to protect its employees’ personal and financial information, at least without any allegations of intent to enter into such a contract or consideration paid.

Our Take

This case, while decided under Pennsylvania law, has applicability more generally to both negligence and breach of implied contract claims brought as a result of a data breach. The duty analysis is especially helpful for employers because it acknowledges the ever-present risk of data breaches and the impossibility of completely guarding against such an intrusion. Other employers faced with similar claims in the future can point in particular to the court’s holding that a generalized risk of a data breach does not render a plaintiff’s harm foreseeable enough to create a duty, even where actual injury (e.g., fraudulent tax filings) has been alleged. However, companies should take note that a specific threat to the confidentiality of employee data will likely change this result and impose a duty where one may not otherwise exist.