The Pennsylvania Supreme Court ruled that an employer that collects and stores its employees' personal information has a common law duty to exercise reasonable care in securing that data, and that a breach exposing the data can be pleaded as a failure of that duty. The decision changes how data-breach litigation will be handled in Pennsylvania. The case arose after hackers accessed sensitive employee information that the University of Pittsburgh Medical Center (UPMC) had failed to protect; the affected employees brought a class action following the breach. The court also held that the economic loss doctrine does not bar negligence claims seeking "purely pecuniary damages" where the duty breached arises independently of any contract.
Dittman v. UPMC
Hackers accessed confidential data stored on the UPMC network, including Social Security numbers, bank account information and salary details. The complaint alleged negligence and breach of contract, resting on a common law duty to exercise reasonable care. Some of the plaintiffs incurred significant losses when fraudulent tax returns were filed in their names and through other identity-related fraud.
Lower Court Ruling
The Allegheny County Court of Common Pleas dismissed the earlier claim. It declined to recognize a duty under Pennsylvania law covering such internet-related breaches, reasoning that imposing one could open the door to a flood of suits over data safety. It also held that the economic loss doctrine barred recovery where the plaintiffs had suffered no physical injury or property damage. The claim had asserted that UPMC owed a duty to "design, maintain and sustain" security adequate to protect such sensitive data.
Pennsylvania Supreme Court
The complaint alleged that UPMC should have employed standard security measures such as authentication protocols and firewalls. The court determined that the employer's affirmative act of collecting and storing such personal data created a duty to secure it. It further found that the intervening criminal acts of third parties did not relieve the employer of that duty, because a breach by outsiders was precisely the foreseeable risk the duty was meant to guard against.
Negligence Claims With Purely Economic Damages
The court ruled that the negligence claims could proceed seeking "purely economic damages". The duty to secure sensitive employee data exists independently of any contract and is therefore enforceable in a negligence action, so the economic loss doctrine does not bar such claims. It remains an open question whether this duty extends to parties other than employers.
Most personal injury cases turn on negligence, which requires the plaintiff to establish the following elements:
- The defendant owed the plaintiff a duty to exercise reasonable care
- The defendant breached that duty
- The plaintiff suffered actual injury or loss
- The breach was the cause of the alleged injury or loss
Economic Loss Doctrine
The economic loss doctrine generally bars recovery in negligence for losses that are purely financial and not accompanied by physical injury or damage to property. Where a contract governs the parties' relationship, a plaintiff may still recover in tort for physical injury or for damage to "other property", meaning property outside the subject matter of the contract, but not for purely economic losses flowing from the contract itself. In product liability, the same rule means a plaintiff may not recover in tort for harm to the "product itself", only for injury or damage to other property. Dittman narrows the doctrine's reach by holding that it does not apply where the duty breached arises independently of any contract.
Data breaches resulting from unauthorized access to personal information, financial data and the like continue to occur. Reports indicate that a breach takes an average of 191 days to detect. In 2017, more than 1,500 data breaches were publicly disclosed, and roughly 75% of them were the result of external unauthorized access.