On May 28, 2015, in the first known ruling of its kind, a trial court in Allegheny County held that Pennsylvania law does not recognize a civil cause of action against companies for failing to secure their employees’ confidential information.
In Dittman v. UPMC, a class of plaintiffs brought negligence and implied contract claims against the defendant hospital for failing to implement and monitor an adequate security system, and for failing to properly detect a data security breach. The purported class was composed of 62,000 current and former University of Pittsburgh Medical Center employees who had their personal information (Social Security numbers and confidential tax information) stolen from the company’s computer systems. The Plaintiffs alleged that some even suffered actual losses when fraudulent tax returns were filed using the stolen information.
Ultimately, the Court found that the current and former employees had no cognizable negligence claim against the employer based upon the economic loss doctrine, which precludes negligence claims for purely economic damages that do not result in personal injury or property damage. The Court also found that the plaintiffs did not meet the test required to establish that an affirmative duty exists for a negligence claim because, if such a duty were imposed as a matter of law, it could harm the public interest and result in a flood of new negligence claims against businesses for data breaches.
In reaching its ruling, the Court also considered the Breach of Personal Information Notification Act (passed by the Pennsylvania legislature in 2006). The Act imposes no civil liability on an employer for a data breach itself. Rather, an employer may only be civilly liable under the Act for a failure to notify of a data breach, and only the Attorney General can assert the claim. At the time of writing, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches involving personally identifiable information. Only Alabama, New Mexico, and South Dakota have no security breach laws.
The Dittman case should prove valuable to companies and employers in Pennsylvania who suffer data breaches. We will have to wait and see whether the case is appealed, or whether the General Assembly will create or modify legislation to address this issue. One thing is certain: there will be more to come regarding this emerging area of the law, so stay tuned!