A common allegation in cyber security data breach litigation is that the breached entity violated its duty of care by failing to adequately protect plaintiffs’ personal identification information (“PII”). Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing to create a new duty of care for an employer that suffered a data breach compromising its employees’ PII. In so holding, the court reasoned that creating such a duty would place too heavy a burden on corporate entities that are already incentivized to protect PII, and would inundate the judiciary with a flood of litigation. The court instead deferred to the state legislature to decide whether to impose this obligation.
In the case, the plaintiffs filed a putative class action on behalf of current and former employees of the University of Pittsburgh Medical Center (“UPMC”) whose PII had been stolen from UPMC’s computer systems. Plaintiffs alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract. Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2. Duties allegedly owed by UPMC included: