A pro-plaintiff Pennsylvania Supreme Court decision earlier this month that says employees can pursue a negligence claim against two University of Pennsylvania medical centers in connection with a data breach is likely to be frequently cited in other states’ litigation, say observers.
University of Pittsburgh Medical Center and the University of Pennsylvania Medical Center McKeesport employees filed suit in 2014 in a putative class action, charging negligence and breach of an implied contract in connection with a data breach, according to the Nov. 21 ruling in Barbara A. Dittman et al. v. UPMC D/B/A the University of Pittsburgh Medical Center and UPMC McKeesport.
The employees said personal and financial information on all 62,000 University of Pennsylvania Medical Center employees and former employees was accessed and the stolen information then used to file fraudulent tax returns on behalf of the victimized employees, resulting in actual damages, according to the lawsuit.
Two lower courts dismissed the case, but the state supreme court reinstated it after its six judges unanimously ruled the medical center owed a duty to its employees.
“Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach,” the ruling said. “Thus, we agree with employees that, in collecting and storing employees’ data on its computer systems, UPMC owed employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.
“Further, to the extent that UPMC argues that the presence of third-party criminality in this case eliminates the duty it owes to employees, we do not agree,” said the ruling.
The ruling also held that the economic doctrine, which bars certain types of claims seeking only economic damages that are unaccompanied by physical injury or property damage, does not preclude “any negligence claims seeking sole economic damages.”
Kevin McKeon, a partner with Hawke McKeon & Sniscak LLP in Harrisburg, Pennsylvania, said “because the employer required the data to be provided, but it was also the employer’s decision to put it on an internet-accessible platform,” the ruling held that under traditional tort law analysis the employer had a duty to protect the data.
The case “reflects the changing times,” said Joshua A. Mooney, a partner with White & Williams LLP in Philadelphia. The lower courts would not have dismissed the case had they considered it today, he said.
“Standards of care have emerged, and there are recognized cyber security frameworks” companies can build. “Looking across the country, the dots are starting to connect as to how different jurisdictions regulate security, and companies are now expected to take affirmative, reasonable measures to protect the data they collect. Dittman is just consistent with this overall national sense,” he said.
“The opinion is just a natural reflection of where the current perspectives are towards cyber security and data privacy,” Mr. Mooney said.
Some observers say they anticipate the ruling may be influential elsewhere.
“Pennsylvania is now sort of in front of other states” on this issue, said Abraham J. Rein, co-chair, information, privacy and security practice, with Post & Schell PC in Philadelphia.
Mr. McKeon said, “It’ll add to the discussion, and I think other courts who have this issue will be citing it. It’s a broadly researched and well-reasoned decision, so it should have some weight.”
It “could very well be” influential in other states, Mr. Rein said. Attorneys in other states may cite this decision “to expand potential liability for businesses that suffer cyber security breaches,” he said.
“This is a new and emerging and ever-changing area of technology and for that reason, the law is always changing, and so the courts are somewhat scrambling to keep up.”
Ryan T. Becker, a partner with Fox Rothschild LLP in Philadelphia, said also, “I would not be surprised to see it cited elsewhere.”
Stephen J. Newman, an attorney with Stroock Stroock & Lavan LLP in Los Angeles, said, “The Pennsylvania Supreme Court ruling is unusual because it is one of the few supreme courts that’s weighed in definitively in the absence of a statute to find there is a duty” for entities that hold data if there is a breach, even in the absence of prior incidents.
He said he anticipates it will be influential in other state courts “because this is very much in the news, and there have been a lot of events, and now that a major supreme court has a ruling, I think it’s the kind of precedent that I would not be surprised to see other supreme courts look to for guidance.”