In late 2018, the Supreme Court of Pennsylvania issued an important decision of which all employers and employees should take careful note. In Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), the court held that:
- An employer has “a legal duty to exercise reasonable care to safeguard” employee personal data stored on internet-accessible computer systems.
- Under the economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory “provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”
The Dittman decision marks an expansion of risk for companies that collect data. Companies are now expected to protect this data or face serious legal consequences. The decision reflects the state of our society in 2019: as identity and data theft have become more prevalent and problematic, regulation has occurred on a global scale in recent years. The European Union's passage of the General Data Protection Regulation (GDPR) is one example, and the Consumer Data Security and Notification Act (requiring disclosure of security breaches by financial institutions) in the United States is another.
In Dittman, current and former employees of the Pittsburgh Medical Center (UPMC) brought a class action after personal information collected as a condition of their employment was stolen. This data consisted of names, birth dates, social security numbers, addresses, tax forms, and bank account information.
In total, 62,000 employees had their personal data stolen from UPMC’s computer systems. The plaintiffs alleged economic loss after this stolen data was used by the cybercriminals to file fraudulent tax returns. The trial court dismissed the lawsuit since the plaintiffs did not allege any physical injury or property damage.
In Pennsylvania, plaintiffs may not recover solely economic damages under the economic loss doctrine. On appeal, the Superior Court noted that UPMC owed the plaintiffs a special duty under Pennsylvania law, but it affirmed the dismissal because it agreed that the economic loss doctrine would prohibit recovery.
The Pennsylvania Supreme Court reversed the decision of the Superior Court, reasoning that the economic loss doctrine does not bar the plaintiffs’ claim since they asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems. Because this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar recovery.
Thus, the holding in Dittman allows employees, whether current or former, to sue their employers over a cybersecurity data breach involving their personal information. While this may increase an employer's risk and cost of doing business, it should lead to better overall cybersecurity among Pennsylvania companies. Hopefully, most will achieve this through proactive measures rather than in response to litigation, as in the case of UPMC.