In 2014, the University of Pittsburgh Medical Center’s computer system was hacked, resulting in the disclosure of sensitive personal information of current and former employees, including names, addresses, birthdates, social security numbers and banking account numbers. Allegedly, the stolen information was used to file fraudulent tax returns for as many as 800 employees. A class action was filed on behalf of current and former employees against the hospital and its payroll company.
On May 28, 2015, the Allegheny County Court of Common Pleas applied the economic loss doctrine to dismiss the class action. The Court in Dittman v. UPMC refused to adopt a duty of care that would require employers to protect the confidential information of their current and former employees. It also refused to find an implied contract between the hospital and its employees that would require the hospital to protect its employees’ confidential information from data breaches.
The Court’s holding in Dittman v. UPMC decides one key point: under Pennsylvania law, companies whose computer systems are hacked will not be liable in negligence to the persons whose confidential information was compromised when the only loss is economic.
The plaintiffs claimed that “UPMC had a duty [to] protect the private, highly sensitive, confidential and personal financial information [of its current and former employees].” They also alleged that, as a result of the breach, they incurred damages relating to fraudulently filed tax returns and “are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”
The hospital argued that the plaintiffs’ negligence claim was barred by the economic loss rule. Noting that the only losses that the UPMC employees sustained were economic, the trial court applied the economic loss doctrine and dismissed the plaintiffs’ negligence count. The Court wrote: “The Economic Loss Doctrine provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage.”
No doubt realizing the futility of their negligence claim in light of the economic loss rule, the plaintiffs also urged the Court to recognize a new duty of care requiring UPMC to protect the confidential information of its employees. Specifically, the plaintiffs proposed that the court create “a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiff’s confidential information was made available to third persons through a data breach.”
The Court refused, finding that “the public interest is not furthered by this proposed solution.” The Court then cited a laundry list of reasons to justify its refusal to adopt the new duty of care, including the lack of a safe harbor for entities storing confidential information, the inability of the state judicial system to handle the volume of potential lawsuits, the difficulty in establishing a minimum standard of care required, and the substantial resources that for-profit and non-profit entities would be required to spend in defending these lawsuits.
Another reason for the Court’s refusal to adopt a new duty of care was the Pennsylvania General Assembly’s recent consideration of the issue in connection with Pennsylvania’s Breach of Personal Information Notification Act. The legislative history shows that the General Assembly considered adopting an expansive civil liability provision as part of the Act, but the final bill contained only a notification requirement. In refusing to adopt the new duty urged by the UPMC employees, the Court observed: “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.”
As definitive as the ruling in Dittman v. UPMC appears to be, there are two caveats. First, if the hacked company is “in the business of supplying information for economic gain,” it may be liable to the people whose information is compromised. See Sovereign Bank v. BJ’s Wholesale Club, Inc., No. 06-3405 (3d Cir. July 16, 2008). Second, the economic loss rule comes in many different forms; a victim of a security breach could possibly sue a company whose system was compromised if the claim is governed by the law of a state with a more expansive rule. Those caveats aside, Pennsylvania is one state that will shield companies from negligence liability in data breach events resulting in purely economic loss.