Data Protection Report - Norton Rose Fulbright

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).

Dittman v. UPMC was filed by a group of employees of the University of Pittsburg Medical Center (“UPMC”), alleging a failure in data security resulted in a data breach and the theft of the personal and financial information of UPMC’s 62,000 employees. Id. at *1. The complaint further alleged that the stolen information, including names, birth dates, social security numbers, addresses, tax forms, and bank accounts was then used to file fraudulent tax returns. Id.

The lower courts had initially dismissed the complaint holding that no new duty should be imposed on employers to protect employee information, as the burden and financial consequences of imposing such duties could put entities out of business. Id. at *3. The lower courts further found that entities already have an incentive to protect against breaches, any improved system would not necessarily protect against a breach, and found that UPMC was a victim of crime itself. Id.

The Supreme Court disagreed. First, the Court found that the duty to use reasonable care to safeguard information should not be analyzed as new duty. Rather, the duty arises under the common law rule that when an actor takes an affirmative action, that actor must exercise reasonable care to protect others from an unreasonable risk of harm from such act. Id. at *5-7.  UPMC’s act of requiring its employees to provide personal and financial information as a condition of employment, and storing that information on an internet-accessible computer system without proper or adequate security measures, was in fact an affirmative action by UPMC. Id. at *8. That action created the risk of a data breach, and thus the Court found the duty to exercise reasonable care in establishing safeguards existed. Id.

Additionally, the Court was not persuaded by the argument that UPMC was itself a victim of a cybercrime, and that a criminal act of a third party is a superseding cause that eliminates the duty owed to its employees. Id. While criminal activity does act as a superseding cause that alleviates duties in many negligence cases, in the Dittman case the Court noted that when an actor “realizes or should have realized” at the time of his negligent act that a third person would avail themselves of the opportunity to commit a crime from that negligent act, third party crime does not eliminate the original duty. Id. The Court found that storing personal and private information without adequate security measures would be a foreseeable condition giving rise to criminal attacks from third parties, and as such the duty to use reasonable care to safeguard remained intact. See id. at *8-9.

Once the Court found a duty to safeguard employee information existed, the Court then examined Pennsylvania’s economic loss doctrine, which bars recovery for certain negligence actions seeking only economic damages. Because the Plaintiffs alleged economic harm as opposed to physical injury, the negligence action could only proceed if it was not barred by the doctrine. The Court found that the economic loss doctrine does not bar negligence-based tort claims involving purely financial harm, so long as the plaintiff established the defendant owed a common law duty arising independently from any contract between the parties. Id. at *13. In the context of Dittman, the Court found that because a common law duty existed solely by the act of collecting and storing personal information, this was an independent duty from any other contractual obligations of the parties. Id. at *14. Therefore, the economic loss doctrine did not bar the plaintiffs’ claim, and the case was remanded to the trial court. Id. at *15.

Our take

The importance of data protection cannot be overstated in the age of ever-expanding technologies and digital advances. Employers who store employees sensitive personal information electronically, in any Human Resource or other employment capacity, should be aware that they may have to take reasonable precautions to ensure the safety and protection of that information.

It should be noted that the Dittman case does not expect employers to protect employee information from any breach or criminal activity. The duty is one to exercise reasonable care, which may be different depending on the size and resources of a particular company. A company with 62,000 employees in the medical field, may have more an expectation of advanced security measures than a smaller-scale employer.

Dittman also brings the question whether this duty to safeguard information will be expanded beyond the context of an employer-employee relationship. As this duty was based under the common law rule for an affirmative act, it seems that the duty may also be found in other situations where companies will require personal or private information in order to acquire services. For example, the requirement to provide a social security number in order to apply for a loan may trigger the duty for the lender to safeguard the information provided in the application process. Additionally, since providing a social security number is generally separate from the contractual obligations of the lender and borrower, then arguably the economic loss doctrine would not bar a claim in negligence, as was the case in Dittman.

The bottom line- when dealing with personal, private, or confidential information, companies should take reasonable steps to assess their data security measures and ensure that they are reasonable given industry standards, the sensitivity of the data, and the resources available. Such measures would not only be more helpful in terms of ensuring protection of sensitive information, but can also help in limiting liability in lawsuits arising from any breach.