In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), the Superior Court of Pennsylvania held that an employer does not owe employees a duty to protect and safeguard personal and financial information from disclosure in a data breach resulting from an intrusion into its computer network. While Dittman represents an important decision in emerging case law that declines to impose upon employers a common-law duty to protect employee information, the decision has important limitations. Those limitations may be exploited in future employment litigation and further illustrate the need for companies to adequately review their cybersecurity protocols with the assistance of cyber counsel.
The facts of Dittman are straightforward. In 2014, University of Pittsburgh Medical Center (UPMC) suffered a data breach that compromised the personal and financial information of approximately 62,000 current and former employees. Dittman, slip op. at 1-2. The stolen information included employees’ names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The information later was used to file fraudulent tax returns and steal the resulting tax refunds. Id. at 2. Soon after UPMC announced the breach, two separate class action lawsuits were filed against the company. One lawsuit was brought by current and former UPMC employees who had been victimized by identity theft; the other involved current and former UPMC employees who had not been victims of identity theft, and instead alleged that they were at an increased risk of identity theft as a result of the data breach. Id. at 3.
Both lawsuits claimed that UPMC improperly failed to keep plaintiffs’ information safe and to prevent vulnerabilities in its computer system, including the failure to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols to protect the information on its network. Id. at 2-3. They asserted two causes of action: one based on negligence and a common-law duty to protect the information, the second sounding in breach of contract. Id. The trial court dismissed both lawsuits on the grounds that no contract or implied contract existed between UPMC and its employees to support a breach of contract claim, and that no common-law duty existed under tort law to impose upon UPMC (or other employers) a duty to safeguard the data of its employees. Id. at 4-5. In so holding, the court explicitly declined to create such a duty, deferring to the state legislature rather than granting what it saw as a request that the judiciary overreach by creating a duty. Id. On appeal, the Superior Court of Pennsylvania affirmed. This article focuses upon the court’s declination to create a common-law duty.
Under Pennsylvania law, whether a duty of care exists between parties to support a claim in tort depends upon an evaluation of five factors, sometimes known as the Althaus test. Those factors are:
(1) the relationship between the parties;
(2) the social utility of the actor’s conduct;
(3) the nature of the risk imposed and foreseeability of the harm incurred;
(4) the consequences of imposing a duty upon the actor; and
(5) the overall public interest in the proposed solution.
Id. at 6 (citing Althaus ex rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000)).
Courts impose a common law duty upon a party “where the balance of these factors weighs in favor of placing such a burden on a defendant.” Id. (quoting Phillips v. Cricket Lighters, 841 A.2d 1000, 1008 (Pa. 2003)). In Dittman, the court held that these factors did not support the imposition of a common-law duty upon UPMC.
The first factor, the relationship of the parties, weighed in favor of imposing a duty. An employer-employee relationship existed between the parties, and the court recognized that the law imposed other duties on the parties based on the existence of that relationship. Id. at 7. This was the only factor that the court found weighed in favor of a common-law duty.
Under the Althaus test, the second factor, the social utility of the actor’s conduct, is weighed against the third factor, the nature of the risk imposed and foreseeability of the harm incurred. Here, weighing both factors together, the court found that they did not support imposition of a common-law duty. Id. at 7. On the one hand, the court recognized the “obvious need [of employers] to collect and store personal information about their employees,” as well as the foreseeability of harm from data breaches, which are becoming more commonplace. Id. However, the fact that the data breach had been caused by a third-party hacker was dispositive of how these factors weighed. Under Pennsylvania law, the criminal acts of a third-party actor are a superseding cause. Id. (citing Ford v. Jeffries, 379 A.2d 111, 115 (Pa. 1977)). “It is well established that a defendant does not have a duty to guard against the criminal acts of superseding third-parties unless he realized, or should have realized, the likelihood of such a situation.” Id. at 7-8 (citation omitted); see also In re: The Home Depot, Inc. Customer Data Security Breach Litig., 2016 WL 2897520 (N.D. Ga. May 18, 2016) (independent duty to protect customer information where company knew of substantial security risks dating back several years). Here, because the data breach was caused by a third party, and because there was no indication that UPMC knew about a specific threat or security flaw in its computer network, the foreseeability of a data breach did not support imposition of a duty upon UPMC:
While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information . . . . Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.
Id. at 8.
The court held that the fourth factor, which examines the consequences of imposing a common-law duty upon the defendant, also weighed against imposing a duty. The court reasoned that given that data breaches are “widespread,” and that no “safe harbor” existed for the storage of confidential information, “[n]o judicially created duty of care is needed to incentivize companies to protect their confidential information.” Id. at 9. In other words, given the costs of responding to a data breach, the potential liability that already existed from regulatory law enforcement actions and lawsuits, and the harm in the marketplace caused by data breaches, there was no need to motivate employers to protect their employees’ information. The court explained:
We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences. As the trial court correctly found, the fourth factor weighs in favor of not imposing a duty.
Id. at 9-10.
The Dittman court held that the fifth factor, which examines “the overall public interest” in imposing a duty, also weighed against creating one. Agreeing with the trial court, the appellate court stated that imposing a common-law duty on employers to safeguard employee information would greatly expend and strain limited judicial resources. Id. at 10. The court found that creating a unilateral, judicially imposed duty in lieu of the legislative branch also would overstep its authority. Id. Quoting the trial court, the court stated:
The General Assembly has considered and continues to consider the same issues that [Appellants] are requesting [the] court to consider under the Seebold/Althaus line of cases. The only duty that the General Assembly has chosen to impose as of today is notification of a data breach. It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.
Finally, the Dittman court held that plaintiffs’ negligence claim was barred by the economic loss doctrine, although, admittedly, the court’s decision rested upon its analysis of the Althaus test. Under the economic loss doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Id. at 11. Under Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 274 (Pa. 2005), an exception to the economic loss doctrine exists where the economic harm was caused by a breach of a duty imposed by law. “Without a duty imposed by law or a legally recognized special relationship,” the economic loss doctrine bars recovery for purely economic losses. Id. at 10-11. Here, because the Althaus test weighed against imposing a duty upon UPMC to protect and safeguard its employees’ personal and financial information, and the court expressly declined to create such a duty, no exception to the economic loss doctrine existed to permit recovery. Id. at 12.
Despite the appellate court’s unwillingness to impose a common-law duty on employers to safeguard employee information, the citation in the majority opinion to the Home Depot data breach litigation may signal an important limit to that reluctance. See id. at 8 n.4 (citing In re Home Depot, Inc. Customer Data Security Breach Litig., 2016 U.S. Dist. LEXIS 65111 (N.D. Ga. May 18, 2016)).
In Home Depot, the Georgia federal court refused to dismiss a putative class action lawsuit brought by financial institutions where Home Depot allegedly had been warned repeatedly of its cybersecurity vulnerabilities and took no action to remedy them prior to the data breach at issue. Home Depot, 2016 U.S. Dist. LEXIS 65111 at *22-24. Those warnings included reports from IT of security concerns, third-party vendors warning about the company’s failure to encrypt customer data, an understaffed IT group, and prior data security incidents on its network. Id. at *22. The federal court held that, given the prior warnings Home Depot had received, a duty of care did exist to protect consumer information, thereby barring application of the economic loss doctrine. Id. at *29 (“A retailer’s actions and inactions, such as disabling security features and ignoring warning signs of a data breach, are sufficient to show that the retailer caused foreseeable harm to a plaintiff and therefore owed a duty in tort.”). The court reasoned that to hold otherwise would incentivize companies to “turn a blind eye” toward cyber risks and the protection of data:
The Court declines the Defendant’s invitation to hold that it had no legal duty to safeguard information even though it had warnings that its data security was inadequate and failed to heed them. To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyber attacks, leaving consumers with no recourse to recover damages even though the retailer was in a superior position to safeguard the public from such a risk.
Id. at *29-30.
In Dittman, the Pennsylvania appellate court specifically noted that there were no allegations of prior warning that might have shifted the level of UPMC’s duty of care. Dittman, slip op. at 8-9. Had UPMC received prior warning of vulnerabilities in its network that later were exploited, or if evidence suggested that UPMC had disregarded cyber risks and ignored the issue, the Dittman court could very well have found an exception to the economic loss doctrine to permit the lawsuits to proceed. In fact, Justice Stabile in his concurring opinion made this sentiment clear, stating “[h]ad UPMC been on notice of factual or potential security breaches of its systems, or reasonably should have anticipated that the negligent handling of confidential information would have left it vulnerable to criminal activity, a different conclusion may have been reached under the factors of the Althaus test.” (Stabile, J., concurring, slip op. at 2.)
With this one observation by the appellate court, Pennsylvania companies can expect future lawsuits to plead accordingly. In addition, some of the lax cybersecurity protocols alleged against UPMC, such as the failure to encrypt data, maintain adequate firewalls, and implement adequate authentication, correspond to steps required by NIST’s voluntary Cybersecurity Framework. The expectation that companies follow this framework, and that compliance with it serve as evidence of a reasonable standard of care, is increasing. Thus, the full effect of the Dittman decision may be more limited than first thought. The best way to mitigate loss from a cybersecurity event is to prepare for one. Such precautions also may be the best defense for an employer seeking refuge under Dittman in claims brought by its employees.