
Pennsylvania Supreme Court Permits Negligence Claim To Proceed In Data Breach Class Action

Will Other States Follow?

12.10.2018

In finding a common law duty to protect employees’ personal data, the Pennsylvania Supreme Court has unexpectedly, and dramatically, altered the contours of the data breach litigation landscape.

In Dittman v. UPMC, hackers penetrated the University of Pittsburgh Medical Center (UPMC) computer systems. They obtained the personal information of 62,000 current and former employees. The data included names, birthdays, Social Security numbers, addresses, salaries, and bank and tax information. The hackers used this data to file fraudulent tax returns and steal tax refunds.

The affected employees sued, arguing that UPMC had a duty of care to secure their personal data. It had allegedly breached that duty by not protecting its computer systems. They insisted UPMC should have implemented measures such as proper firewalls, data encryption, and authentication protocols. They also pointed out that UPMC required their personal data as a condition of employment.

The employee arguments did not gain traction in the lower courts. The lower courts found no statutory or policy rationale for a duty to protect data. Nor was there a common law duty in such a scenario. The Pennsylvania Supreme Court agreed to consider the matter, and reversed. Three points stand out from the decision.

First, the court found that the duty to protect data stemmed from common law negligence doctrine. UPMC had “a legal duty to exercise reasonable care to safeguard” personal data stored on accessible systems.

While it did not discuss the technical measures that would establish the standard of care, the court did cite the allegation that UPMC did not provide “proper encryption, adequate firewalls, and an adequate authentication protocol.” Those omissions affirmatively increased exposure to a data breach.

Dittman opens the doors to more suits stemming from a common law duty to protect data. Since the court’s analysis hinged on classic tort law rather than the employment relationship, plaintiffs will rely on this reasoning in future cases. While it is too early to state that the floodgates have opened, hacked corporate defendants can expect a surge in litigation.

Second, Dittman reflects evolving expectations. The lower courts had stressed the lack of generally accepted standards of care for cybersecurity in finding no duty. But the Pennsylvania Supreme Court turned this around, pointing to a reasonable and prevailing expectation of affirmative measures to protect personal data.

Finally, the holding will command the attention of smaller entities and their insurers. Smaller corporations, with limited information technology resources, tend to be more vulnerable to hackers. The removal of the economic loss doctrine also makes it harder to obtain threshold dismissals of class action complaints.

Taken together, these factors encourage the prudent company to undertake affirmative measures proactively on both the technical and legal fronts to safeguard corporate interests. At a minimum, companies should consult with counsel to ensure that their defenses track the applicable standard of care.

After all, UPMC may be the first hospital or large entity to face a negligence class action stemming from a breach, but it will most assuredly not be the last.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
