A trial judge in Pennsylvania recently dismissed a class-action suit brought by more than 60,000 health system employees against their employer over the theft of confidential information, holding that Pennsylvania does not recognize a negligence action for a data breach. See Dittman, et al. v. UPMC d/b/a The University of Pittsburgh Medical Center, et al., Civ. No. GD-14-003285 (The Court of Common Pleas of Allegheny County, Pennsylvania, May 28, 2015).
Judge R. Stanton Wettick, Jr., held that the economic loss doctrine precluded a negligence cause of action in which economic losses were unaccompanied by physical injury or property damage. Judge Wettick noted that, in analyzing the class action plaintiffs’ cause of action under the duty of care standard, he did not find that courts should impose a novel duty and allow data breach plaintiffs to recover damages under common law negligence.
In February 2014, plaintiffs sued UPMC, the largest employer in the Pittsburgh region, for failing to protect sensitive personal information such as addresses, Social Security numbers, and bank information. More than 800 employees became victims of tax fraud as a result, according to news reports. The class action plaintiffs alleged that UPMC had a duty to protect the class’ information by maintaining adequate security measures and that UPMC breached that duty. UPMC moved to dismiss plaintiffs’ complaints through preliminary objections.
Judge Wettick found that the two controlling factors in his decision were: 1) the consequences of imposing a duty on the employer and the overall public interest in the plaintiffs’ proposed solution, and 2) creating a new cause of action. He held that the public interest would not be furthered by the plaintiffs’ proposed solution, as there was no safe harbor for entities storing confidential information. Such a solution would increase litigation to the tune of hundreds of thousands of suits each year in Pennsylvania alone, and the judicial system was not equipped to handle such an increased caseload. Further, there were no generally accepted reasonable care standards, and expert testimony and jury findings were inadequate to develop such a standard.
Judge Wettick further suggested that the state legislature had considered these issues when it required employers to notify employees of a breach and declined to create a private cause of action. According to Judge Wettick, it was not proper for the courts to alter the direction of the legislature, especially when it involved public policy.
Though made at the trial court level, the decision is an important one for data breach litigation as Judge Wettick is a respected jurist known for his well-reasoned opinions in Pennsylvania. We suspect that the opinion may have a national reach or at least be referenced by other jurisdictions that have a similar rule regarding negligence and economic damages. As data breach litigation is ever-expanding and cyber attacks are on the rise, it may be that states seek to control these issues through new legislation as Judge Wettick suggests. We will keep these data breach issues on our radar.