Labor & Employment Law Daily
Thursday, November 29, 2018

Employer has duty to safeguard sensitive employee info stored on Internet-accessible system

By Lorene D. Park, J.D.

A medical center owed a legal duty to protect employees’ electronically stored confidential information from potential data breaches, ruled the Pennsylvania Supreme Court, vacating dismissal of a class action claiming breach of that duty. UPMC engaged in affirmative conduct by requiring that employees provide personal and financial information, which it stored on its Internet-accessible computer system without adequate security measures. The presence of third-party criminality did not eliminate the duty of care because liability could be found if UPMC’s negligence afforded the opportunity to commit the crime, and it should have known of the likelihood that the third person “might avail himself of the opportunity” to commit the theft of data. The state high court further held that Pennsylvania’s economic loss doctrine did not bar the employees’ negligence claim because the alleged legal duty to act with reasonable care in storing personal information on its systems exists independently from any contractual obligations between the parties (Dittman v. UPMC dba The University of Pittsburgh Medical Center, November 21, 2018, Baer, M.).

Data breach. UPMC employees filed this class action alleging negligence and breach of contract based on a data breach in which personal and financial information, including names, birthdays, Social Security numbers, tax forms, and bank account information of 62,000 UPMC employees and former employees was accessed and stolen from UPMC’s computer systems. After the digitally stored data—which UPMC required employees to provide as a condition of employment—was stolen, the employer first announced that only 22 employees were affected; then said 27,000 employees were impacted; finally, it acknowledged that the personal data of its entire workforce was compromised.

Class action. UPMC owed a legal duty to safeguard their information and it failed to do so, the employees claimed. Specifically, it failed to properly encrypt the data, build adequate firewalls, and take other measures to protect the sensitive information in its computer network, and the lapse was a direct and proximate cause of harm: The stolen data was used to file fraudulent tax returns, and some employees had tax refunds stolen. Allegations brought on behalf of a separate but overlapping class also claimed UPMC’s failure to protect their information put them at imminent risk of falling prey to identity theft; consequently, they suffered damages in the form of costs incurred in taking steps to safeguard their private information.

Proceedings below. A state trial court dismissed the suit, finding that UPMC did not owe a duty of reasonable care in collecting and storing employees’ information, and that Pennsylvania’s economic loss doctrine barred their claim. Affirming in a split decision, a state appeals court applied Althaus v. Cohen to determine if a duty existed, weighing: (1) the parties’ relationship; (2) the social utility of the actor’s conduct; (3) the nature of the risk imposed and foreseeability of the harm; (4) the consequences of imposing a duty; and (5) the overall public interest in the proposed solution. It found that the parties’ relationship weighed in favor of imposing a duty on UPMC.

However, there was “obvious social utility” in electronically storing information, which outweighed the nature of the risk and foreseeability of the harm given this modern era. The appeals court also observed that “a third party committing a crime is a superseding cause” against which “a defendant does not have a duty to guard … unless he realized, or should have realized, the likelihood of such a situation.” It added that no judicially created duty was needed to incentivize companies to protect confidential information because there were already statutes in place. The court held that UPMC owed no duty under state law. Further, the economic loss doctrine would bar a negligence claim resulting only in economic damages.

Supreme court proceedings. Before the state high court, the employees argued that the Althaus test was misplaced because it considers whether to impose a new affirmative duty, but here, the negligence claim applied a long-established duty to a novel set of facts. They noted the general rule that one who does an affirmative act has a duty to exercise reasonable care to protect others from an unreasonable risk of harm. They argued that troves of data on Internet-accessible computers held by large entities are obvious targets for cybercriminals and a reasonable entity in UPMC’s position should foresee that failing to use basic security measures could lead to data breach and serious financial consequences. In response, UPMC argued that merely possessing data was not an affirmative misfeasance and the employees proposed a “radical reconstruction of duty” in seeking to impose liability for criminal acts by unknown third parties.

Duty to safeguard employee data. Vacating the decision below, the state high court agreed with the employees that this case involved applying an existing duty of reasonable care to a novel factual scenario and it was unnecessary to apply the Althaus factors or to do a full-blown public policy assessment. Here, UPMC engaged in affirmative conduct by requiring that employees provide certain personal and financial information, which it collected and stored on its Internet-accessible computer system, without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. While UPMC was correct that, generally, there is no duty to protect from risk that a defendant had no role in creating, the employees sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach. Thus, it owed employees a duty to exercise reasonable care to protect against an unreasonable risk of harm arising out of that act.

Third-party criminality no excuse. The presence of third-party criminality did not eliminate the duty owed to employees, explained the court, because liability can be found if the actor whose negligence afforded the opportunity for the third person to commit the crime (here, UPMC) “realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.” Here, the alleged conditions surrounding UPMC’s data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in its computer system and steal employees’ information; thus, the data breach was “within the scope of the risk created by” UPMC, and criminal acts in executing the breach did not relieve UPMC of its duty.

Economic loss doctrine no bar. The court next considered UPMC’s argument that the economic loss doctrine barred negligence claims resulting “solely in economic damages unaccompanied by physical injury or property damage,” subject to a narrow exception that doesn’t apply here. After reviewing its rulings in Bilt-Rite and Excavation Technologies, upon which the parties relied, the state high court held that those cases do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages.

To the contrary, application of the economic loss doctrine turns on the source of the duty that a plaintiff claims a defendant owed. If the duty arises from contract, a tort action will not lie, but “if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action,” explained the court.

Here, the employees claimed UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems. As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine did not bar their claim, held the court.
