Penn. High Court Rules Employer Has Duty to Safeguard Employees’ Personal Info
The Pennsylvania Supreme Court has ruled that an employer has a legal duty to use reasonable care in safeguarding its employees’ sensitive personal information stored on an internet-accessible computer. This vacates an earlier trial court and Superior Court decision in the matter.
The case came about after employees of the University of Pittsburgh Medical Center and UPMC McKeesport (UPMC) filed a class action complaint against UPMC in the wake of a data breach in which personal and financial information – including names, birth dates, social security numbers, addresses, tax forms and bank account information – of all 62,000 UPMC employees and former employees was accessed and stolen from the computer systems.
Employees alleged that the stolen data, which consisted of information UPMC required employees to provide as a condition of employment, was used to file fraudulent tax returns on behalf of the victimized employees, resulting in actual damages.
As a result, employees asserted a negligence claim and breach of implied contract claim against UPMC, seeking monetary damages, among other forms of relief.
On July 16, 2014, UPMC filed preliminary objections to the employees’ complaint, arguing that no cause of action exists for negligence because the employees did not allege any physical injury or property damage and, under the Economic Loss Doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.”
Trial Court Ruling
On Oct. 22, 2014, the parties appeared before the trial court for oral argument on UPMC’s preliminary objections.
On May 28, 2015, the court sustained UPMC’s preliminary objections and dismissed the employees’ negligence claim. Relying on the general description of the Economic Loss Doctrine, the trial court observed that although the employees claimed UPMC owed them a duty of care, the only losses sustained were economic in nature.
The trial court also explained that “hundreds of thousands of lawsuits” could result from the employees’ proposed solution of creating a private negligence cause of action to recover actual damages, which would overwhelm the judicial system and require entities to expend substantial resources in defending against those actions.
Additionally, the trial court explained that entities storing confidential information already have an incentive to protect that information because any breach will affect their operations, an improved system would not necessarily prevent a breach, and the entities were also victims of the criminal activity involved.
The employees then appealed to the Superior Court.
Superior Court Findings
In a split opinion, a three-judge panel of the Superior Court affirmed the order of the trial court sustaining UPMC’s preliminary objections and dismissing the employees’ claims.
The court also reasoned that the benefit of electronically storing employees’ personal information “to promote efficiency” outweighed the nature of the risk imposed.
The Superior Court added to the trial court’s reasoning that no judicially created duty of care is needed to incentivize companies to protect their employees’ confidential information because there are already safeguards in place to prevent employers from disclosing confidential information.
In addition, the Superior Court found it “unnecessary to require employers to incur potentially significant costs to increase security measures when there was no true way to prevent data breaches altogether.”
Supreme Court Decision
The Pennsylvania Supreme Court then allowed an appeal to address whether an employer has a legal duty to use reasonable care to safeguard employees’ sensitive personal information when stored on an internet accessible computer system, and whether the Economic Loss Doctrine permits recovery for purely economic damages which result from a breach.
In their argument, the employees contended that since UPMC collected employees’ sensitive personal data and stored it on its internet-accessible computer systems, it was under a duty to exercise reasonable care to protect them from the foreseeable risk that third parties would attempt to access and pilfer that information.
The employees claimed they are alleging misfeasance on behalf of UPMC in collecting and storing their sensitive personal data.
The employees also argued that troves of electronic data stored on internet-accessible computers held by large entities are obvious targets for cyber criminals and that a reasonable entity in UPMC’s position should foresee that a failure to use basic security measures can lead to exposure of the data and serious financial consequences for the victims.
Because of this, the employees claimed it is appropriate to require employers to use reasonable care when handling and storing employee data in order to protect it from compromise, and there is no justification for exempting employers from a duty to act with reasonable care when they collect and store employees’ sensitive personal information.
Finally, the employees contended that although the ultimate harm in this case resulted from criminal activity, it does not eliminate the duty UPMC owed to its employees to handle its collection and storage of employee data with reasonable care.
In response, UPMC challenged the employees’ assertion that it assumed a legal duty to protect against a criminal data breach through commission of an affirmative act.
UPMC contended it merely possessed employee information incident to a general employment relationship, which cannot constitute an affirmative act that entails legal liability for third-party criminal conduct.
UPMC also noted that it is not in the business of providing data security, according to the opinion document.
According to UPMC, the employees are not claiming any affirmative misfeasance on UPMC’s part but instead nonfeasance in that UPMC failed to prevent the harm incurred or speculative future harm.
In that regard, UPMC noted there is a “no-duty rule in rescue/protection scenarios where the defendant did not create the risk resulting in harm to the plaintiff.”
UPMC also added that “[i]t is nonsensical to suggest that [it] created the risk of harm from a criminal data breach simply by possessing employee data” and its business neither increased the risk of criminal activity nor posed a special danger to the public regarding unshielded data.
With this in mind, UPMC argued that the employees “are proposing a radical reconstruction of duty” where they are seeking to impose liability on UPMC for the criminal acts of unknown third parties.
In its opinion, the Pennsylvania Supreme Court stated it is true that, as a condition of employment, UPMC required employees to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls and an adequate authentication protocol.
“These factual assertions plainly constitute affirmative conduct on the part of UPMC,” the opinion document stated. “Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach. Thus, we agree with employees that, in collecting and storing employees’ data on its computer systems, UPMC owed employees a duty to exercise reasonable care in collecting and storing their personal and financial information on its computer systems.”
Based on this, The Pennsylvania Supreme Court concluded that the trial and Superior Courts erred in determining UPMC did not owe a duty to its employees to use reasonable care to safeguard their sensitive personal data in collecting and storing it on an internet-accessible computer system.
It further held that the lower courts erred in concluding that Pennsylvania’s economic loss doctrine bars the employees’ negligence claim.
As a result, it vacated the judgment of the Superior Court, reversed the order of the trial court, and remanded the matter to the trial court for further proceedings consistent with its opinion.