Not long ago, data collectors could take comfort in the fact that plaintiffs faced a significant hurdle in establishing standing to bring a lawsuit over a data breach. However, on November 21, 2018, the Pennsylvania Supreme Court issued its decision in Dittman v. The Univ. of Pittsburgh Medical Center, 2018 WL 6072199 (2018), holding that an employer can be liable in negligence for a breach of its employees’ personal information if it did not have adequate security measures in place to protect that data. The reasoning in this decision may make it easier for employees to sustain a lawsuit against their employers after a data breach.

The Class Action Complaint filed in Dittman asserts that the Medical Center suffered a breach that exposed the personal information of its 62,000 employees. Furthermore, the Complaint alleged that the Medical Center required its employees to provide this information as a condition of their employment. Ultimately, the Medical Center Employees claimed this information was used to file fraudulent tax returns after the breach.

The Medical Center Employees claimed the Medical Center was negligent because it breached “a duty to exercise reasonable care to protect their ‘personal and financial information within its possession or control from being compromised, lost, stolen, misused and/or disclosed to unauthorized parties.’” In particular, the Medical Center Employees argued the Medical Center failed to implement basic security measures to protect their information.

The Pennsylvania Supreme Court held, first, that the Medical Center owed its employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm from a breach of their personal information and, second, that the economic loss doctrine did not bar the Medical Center Employees’ claims.

  • An Employer Has A Duty To Use Reasonable Care And Safeguard Employee Personal Information.

The Medical Center Employees claimed the Medical Center assumed a duty to protect their data once it began collecting and storing it. The Medical Center countered that it should not be liable for the breach because third-party criminals were responsible for it. That is, the Medical Center was merely an employer and did not create the risk of harm; therefore, the Medical Center argued, it owed no duty.

The Pennsylvania Supreme Court rejected the Medical Center’s position and found it potentially could be at fault where it “collected and stored [personal information] on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.” Taking these allegations as true at the pleading stage, the Supreme Court held the Medical Center “owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of the act.” Notably, the three measures named in the complaint (encryption of stored data, firewalls around an internet-accessible system, and an authentication protocol) are the concrete benchmarks against which an employer’s “reasonable care” will be measured under this reasoning.

  • Recovery For Pecuniary Damages Is Permissible Under Pennsylvania’s Economic Loss Doctrine.

Next, the Medical Center argued that even if it owed a duty, the Medical Center Employees’ claims were still barred by the economic loss doctrine. Under Pennsylvania law (as in many other states), the economic loss doctrine bars negligence claims that seek solely economic damages where the duty allegedly breached arises only from a contract between the parties. The Pennsylvania Supreme Court found the doctrine did not bar the Employees’ claims because “this legal duty exists independently from any contractual obligations between the parties…” In other words, because the duty to secure employee personal information arises from negligence law rather than from the employment contract, the Dittman Court held the economic loss doctrine does not apply, and purely pecuniary losses are recoverable.

There is a significant body of law addressing whether plaintiffs have “standing” to bring lawsuits against data collectors, and Dittman does not resolve every issue in a data breach case: the Pennsylvania Supreme Court did not directly address whether there was a causal link between the breach at the Medical Center and the Employees’ allegations that fraudulent tax returns were filed in their names using the breached information. Even so, under the reasoning in the Dittman decision, the best strategy for employers to limit liability in Pennsylvania is to make sure they have “adequate” security measures in place before a breach occurs involving employee data, so that they can show reasonable care if one does. And this case should make clear to employers outside Pennsylvania that plaintiffs are beginning to clear the hurdles to establishing liability for data breach incidents.

Please contact Todd M. Rowe at Tressler LLP for a copy of the Dittman decision.