Pennsylvania Data Breach Litigation: An Important New Resource...and a Case to Watch
On Monday, January 8, 2018, Bloomberg Law’s Privacy & Data Security publication released its “Domestic Privacy Profile” for Pennsylvania, for which I served as Bloomberg’s subject matter expert practitioner. The publication is extremely comprehensive in scope, but I’d like to take the opportunity to highlight one Pennsylvania case that it discusses, which is currently before the state Supreme Court and could have a significant impact on privacy and data security litigation in Pennsylvania.
The case is Dittman v. UPMC, 154 A.3d 318 (Pa. Super. 2017). In Dittman, a putative class of employees of the University of Pittsburgh Medical Center sued their employer after a data breach in which names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 UPMC employees and former employees were accessed and stolen from UPMC’s computer systems. The stolen information was used to file fraudulent tax returns, and fraudulently claim tax refunds, in the name of a number of UPMC employees. The employees brought actions for negligence and breach of contract against UPMC. The trial court granted preliminary objections, dismissing both claims.
Economic Loss Doctrine
In a standard-setting January 2017 opinion, the Superior Court affirmed. In one of a handful of significant holdings, the court held that Pennsylvania’s robust economic loss doctrine, which states that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage,” id. at 325, barred the plaintiffs’ negligence claims, because they claimed only economic damage.
This holding is consistent with federal courts’ applications of Pennsylvania law to data breach cases, see, e.g., Longenecker-Wells v. Benecard Servs., 658 F. App’x 659, 661 (3d Cir. 2016); Enslin v. Coca-Cola Co., 136 F. Supp. 3d 654, 673 (E.D. Pa. 2015), and provides a significant bulwark against negligence causes of action arising out of data breaches in this state. Corporate data breaches rarely give rise to “physical injury or property damage” affecting the individuals whose data is breached, and the only damage to which plaintiffs’ attorneys usually can point tends to be pecuniary. The Dittman case’s application of the doctrine in the data breach context should prevent most negligence claims in data breach cases.
Employer’s Duty of Care
The Superior Court also held in Dittman that the employer had no common-law duty of care to protect its employees’ information. The court applied a five-factor test to determine whether such a duty existed. Key among the factors it considered was “the nature of the risk imposed and foreseeability of the harm incurred.” The fact that the data breach had been caused by a third party was dispositive, because “[i]t is well established that a defendant does not have a duty to guard against the criminal acts of superseding third-parties unless he realized, or should have realized, the likelihood of such a situation.” 154 A.3d 318, 323. Given that there was no reason to believe a data breach was likely, the court held that no duty of care applied.
Like the economic loss holding in Dittman, this holding should give potential defendants in Pennsylvania data breach litigation a measure of comfort. Importantly, however, the court’s reasoning in Dittman will not necessarily apply in every data breach case, because that reasoning turns in large part on the fact that there was no particular reason to expect the breach at issue. In many cases, arguably, the defendant should have been on notice of a serious risk of breach (as, for example, where a well-known vulnerability goes unpatched), making Dittman’s no-duty holding potentially inapposite. In such a case, Dittman’s economic loss holding becomes doubly important to a negligence defendant.
Supreme Court Appeal: One to Watch
On September 12, 2017, the Pennsylvania Supreme Court agreed to take up the case and to address both the Superior Court’s economic loss holding and its holding with respect to an employer’s duty of care.
How the Supreme Court decides in the Dittman appeal has the potential to profoundly affect the shape of data breach litigation in Pennsylvania. If the court holds that the economic loss doctrine is no bar to tort causes of action in which the damages are purely economic, it may open the door to a wave of lawsuits that would otherwise have been unsuccessful. Similarly, if the court rejects the argument that employers have no legal duty to use reasonable care to safeguard the sensitive personal information of their employees, employers and other holders of sensitive information could find themselves more vulnerable to lawsuits arising out of data breaches.
Read the Bloomberg Law Domestic Privacy Profile for Pennsylvania for more details on the Dittman case, along with many other data breach and privacy topics specific to Pennsylvania.