A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care in failing to adequately protect plaintiffs’ personal identification information (“PII”) from a data breach. Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII. In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII. It also would inundate the judiciary with a flood of litigation. The court instead looked to the state legislature to determine whether to impose this obligation.
In the case, the plaintiffs filed a putative class action on behalf of current and former University of Pittsburgh Medical Center (“UPMC”) employees whose PII had been stolen from UPMC’s computer systems. Plaintiffs alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract. Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2. Duties allegedly owed by UPMC included:
- The duty to design, maintain, and test its security systems to protect against data breaches;
- The duty to implement processes to detect security breaches “in a timely manner”;
- The duty “to adopt, implement, and maintain adequate security measures”; and
- The duty to satisfy “widespread industry standards relating to data security.”
Id. at 2-3.
Addressing the negligence claim first, the court concluded that because the alleged damages were economic only, under the economic loss doctrine, no cause of action based on negligence could exist. Id. at 4. Therefore, the claim was dismissed. (The court also dismissed the breach of contract claim based on the lack of evidence that a contract existed, id. at 11-12, but the court’s discussion of the negligence claim is where the really interesting reading is found.)
To save their case, Plaintiffs contended that a special duty should be imposed upon UPMC to protect employees’ PII. Id. at 5. The court refused to do so, concluding that to impose such a duty as a means to combat the widespread problem of data breaches could overwhelm the judiciary and ill-serve the public interest:
Plaintiffs’ proposed solution is the creation of a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiffs confidential information was made available to third persons through a data breach.
The public interest is not furthered by this proposed solution. Data breaches are widespread. They frequently occur because of sophisticated criminal activity of third persons. There is not a safe harbor for entities storing confidential information. The creation of a private cause of action could result within Pennsylvania alone of the filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons. Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions. Courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.
Id. at 6.
The court also expressed concern over the lack of consensus standards for defining “adequate” security. Id. Litigation and “expert” testimony, the court observed, “is not a viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed.” Id. The court also worried that to create a new duty could place too heavy of a burden on companies already incentivized to combat data breaches:
Under plaintiffs’ proposed solution, in Pennsylvania alone, perhaps hundreds of profit and nonprofit entities would be required to expend substantial resources responding to the resulting lawsuits. These entities are victims of the same criminal activity as the plaintiffs. The courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.
Id. at 6-7.
Finally, the court concluded that the issue was best left to the legislative branch, not a single jurist:
I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business. Entities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations. An “improved” system for storing confidential information will not necessarily prevent a breach of the system. These entities are also victims of criminal activity.
It is appropriate for courts to consider the creation of a new duty where what the court is considering is sufficiently narrow that it is not on the radar screen of the Legislature. . . . However, where the Legislature is already considering what courts are being asked to consider, in the absence of constitutional issues, courts must defer to the Legislature.
Id. at 7-8.
Because “[t]he only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” the court concluded that it should not create a new, additional duty on employers. Id. at 10. Quoting from the Illinois Court of Appeals in Cooney v. Chicago Pub. Sch., 934 N.E.2d 23, 28-29 (Ill. Ct. App. 2010), the court stated:
While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review. As noted, the legislature has specifically addressed the issue and only required the [defendant] to provide notice of the disclosure.
Id. at 10 (emphasis in original).
Thus, according to the Pennsylvania Court of Common Pleas, Allegheny County, the ball is in the court of the Pennsylvania General Assembly to determine whether the duty to protect employees’ PII from data breaches should be placed on employers.
What this case means. Where should the responsibility (burden?) of protecting personal identification information from data breaches lie, and what are the standards by which to measure compliance with that responsibility? These are straightforward questions that Judge Wettick asked, and for which he found no definitive answers that would convince him to recognize a legal duty assigning the responsibility of protecting employee PII to employers.
Should the Pennsylvania General Assembly enact legislation creating an affirmative duty on employers to protect employees’ PII from data breaches, the duty would be state-specific, much like current data breach notification standards across the country. Other jurisdictions may address the issue differently. Courts in other states, for instance, may recognize a duty on employers outright rather than deferring to the legislative branch, or may recognize a duty on employers to protect PII as an inherent component of a preexisting statute. This area of law continues to develop rapidly.
I’d like to thank Laura Schmidt, an associate at White and Williams, for her invaluable assistance with this piece.