Pennsylvania Intermediate Appellate Court Finds No Duty to Protect Employee Information from a Data Breach
In Dittman v. UPMC, 2017 PA Super 8 (Jan. 12, 2017), the Pennsylvania Superior Court affirmed the dismissal of claims that employees brought against their employer after a breach of electronically stored personal and private information. The University of Pittsburgh Medical Center (UPMC) suffered a data breach exposing information about its 62,000 present and former employees. At least 788 of those employees were subsequently victims of tax fraud. The employees asserted that UPMC breached a legal duty to protect their information, specifically by failing to properly encrypt data, establish adequate firewalls, and implement adequate authentication procedures. In a 2-1 decision, the court held that no such legal duty existed.
The court applied the Pennsylvania test for determining whether a duty exists, which requires consideration of five factors. The first factor is the relationship between the parties. Although the employer-employee relationship has traditionally given rise to duties on the part of employers, and thus weighed in favor of imposing a duty, the court did not view this factor as controlling. The test goes on to weigh two further factors, namely the "social utility of the actor's conduct" and "the nature of the risk imposed and foreseeability of harm incurred." The court concluded that while a data breach is generally foreseeable, that possibility does not outweigh the social utility and efficiency of storing information electronically. This balancing weighed against imposing a duty on UPMC. (The court strongly implied that if there had been allegations of specific threats to, or problems with, UPMC's computer system before the breach occurred, the balancing might have come out differently.) The fourth factor is the consequences of imposing a duty. The court stated that there was no need for the courts to create a duty in order to incentivize companies to protect confidential information, and recognized that companies would be required to incur potentially significant costs to increase security measures even though it is not possible to prevent data breaches altogether. It concluded that this factor weighs in favor of not imposing a duty. The final factor is the public interest in imposing a duty. Here the court accepted the trial court's view that because the legislature has specifically addressed data breaches, and has required only that notice be provided, the public interest would not be served by "judicial action that disrupts that [legislative] deliberation process." It also stated that creating a duty would "greatly expand judicial resources." Thus it found that this factor weighs against creating a duty.
In addition, the court held that the economic loss doctrine barred recovery in tort for purely economic losses unaccompanied by physical injury or property damage. Finally, the court held that there was no implied contract to protect the information, because there were no objective manifestations of an intent to enter into such a contract, nor was any consideration paid for it.