Pennsylvania’s Supreme Court (“Court”) cleared a path for employees seeking to hold employers responsible for data breaches affecting their information. The Court found that employers are legally obligated to implement and maintain reasonable security measures to protect employees’ personal data in their possession. The Court’s logic, however, may extend beyond the employment context and could impact all businesses that collect sensitive personal information about Pennsylvania residents. Moreover, the Court’s holding will likely lead to an increase in data breach lawsuits against all businesses, and it may have an outsized impact on small and mid-sized companies that may not have sufficient resources to implement appropriate cybersecurity measures. We examine the decision in more detail below.
In 2014, a proposed class of 62,000 University of Pittsburgh Medical Center (“UPMC”), then-current and former employees (“Employees”), filed a lawsuit against UPMC. The Employees argued that UPMC’s negligence resulted in a data breach involving the unauthorized access and theft of their personal and financial information, including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information. According to the Employees, the criminal actors used the stolen data — which consisted of information UPMC required Employees to provide as a condition of their employment — to file fraudulent tax returns that resulted in their suffering economic losses (for example, delayed tax refunds) and an increased risk of identity theft.
On the negligence claim, the Employees alleged that UPMC had a common law duty — a duty not statutorily required — to exercise reasonable care to protect their sensitive personal information within its possession or control from being “compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” The Employees claimed that UPMC failed to satisfy this duty by designing, maintaining, and testing an information security system to ensure adequate protection for the Employees’ sensitive information. The trial court rejected this claim, and held that the UPMC owed no duty to protect against cybersecurity breaches of the employees, and dismissed the case. On appeal, however, the Pennsylvania Supreme Court disagreed.
The Pennsylvania Supreme Court’s Ruling
In unanimously rejecting the lower court’s decision and ruling in the Employees’ favor, the Court noted “this case is one involving application of an existing duty to a novel factual scenario, as opposed to the imposition of a new, affirmative duty….” (Emphasis added.) Historically, had an employer left sensitive personal information in an unlocked file cabinet that a thief then stole and used to harm an employee, the employee could seek to hold the employer responsible. Simply, the Court modernized the factual scenario. Here, the Court noted, as alleged, that (i) UPMC required Employees to provide the sensitive personal information; and (ii) UPMC stored the sensitive personal information on its internet-accessible computer system without use of adequate security measures. Thus, the Employees sufficiently alleged that UPMC’s conduct created the risk of a data breach, and UPMC had a duty to exercise reasonable care to protect the Employees against this risk.
The Court also rejected UPMC’s fallback argument. UPMC argued that a third-party criminal action, specifically, the theft of the data, broke the chain of its duty to the Employees. In finding in the Employees’ favor, the Court reasoned that, as alleged, UPMC knew or should have known that its lapse in information security practices (for example, its failing to encrypt data, establish firewalls, or implement an authentication protocol) created the opportunity for a third-party criminal actor to harm the Employees.
Implications for Businesses
The Court attempts to downplay its ruling’s significance with its seemingly innocent characterization of it as only applying settled law to new, limited facts. Interpreted narrowly, the Court applies a duty of reasonable care to an employer that affirmatively collects its employees’ sensitive personal information. The Court’s underlying logic, however, is quite simple and not tied to the existence of the employment relationship at issue in Dittman. Employers are not the only entities that actively request, collect, and store sensitive personal information. From behemoth online retailers to your local flower store, businesses actively seek personal (and sometimes sensitive) information. Like any employer, a business’s affirmative actions in seeking and receiving sensitive personal information create a data breach risk. Therefore, some plaintiff’s lawyers may seek to extend the Court’s reasoning to non-employer contexts.
Assuming a broad and general duty does exist, the Court leaves open many important questions: What constitutes reasonable information security practices? Does a business’s required information security practice vary depending upon the business’s resource level or the personal information types at issue? Can a business avoid potential liability by outsourcing its information security practices to a third-party service provider? If a business outsources its information security, what reasonable measures should be implemented to ensure that third-parties act appropriately?
Unfortunately, these questions are not likely to be answered without complex and expensive litigation. The trial court warned that by creating a “new” private negligence cause of action to recover actual damages resulting from data breaches, “hundreds of thousands of lawsuits could result, which would overwhelm the judicial system and require entities to expend substantial resources in defending against those actions.” Time will tell if these predictions will come true.