On Nov. 21, the Pennsylvania Supreme Court ruled in a class action lawsuit filed against the University of Pittsburgh Medical Center by some of its employees following a data breach that exposed their personal and financial records. The court found that an employer has a legal duty to protect the confidentiality of information it has collected.
Incredible as it may sound, the question of whether entities have a legal obligation to protect the confidentiality of information has been—and, in most jurisdictions, remains—an unsettled question of law. That makes the Keystone State case all the more significant.
Under general negligence law, a breach of a duty (generally a duty of due care) that results in an injury to a person to whom the duty is owed results in liability. Driving an Uber? If you negligently cause a car accident, you may be financially liable to both other drivers and your passenger. Got it? Great. Now you can skip first year Torts class in law school.
When UPMC experienced a data breach involving the personal and financial information of its employees, the employees filed a class action lawsuit, alleging, among other things, that UPMC owed a duty of due care to protect their confidential data and that the fact that it was vulnerable to hackers meant it had breached that duty. The employees also alleged that the breach (data breach) was the result of a breach (duty breach) of the duty of due care—in other words, that UPMC was negligent.
Seems pretty simple. The lower courts didn’t think so. UMPC first argued that its employees suffered no compensable “harm” even if there was a negligent data breach because, under a doctrine called the economic loss doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” OK, maybe you do have to go back to Torts class. If you see your child slip and fall in a grocery store and you are traumatized as a result, you can sue for your emotional distress because it was resulting from physical injury—albeit not to you. But data breaches (unlike other kinds of cybercrimes) don’t typically result in a physical injury. So, the lower Pennsylvania courts found no duty to prevent pure economic loss.
UPMC also argued (in both the lower and Supreme Court) that it had no affirmative duty to protect employee data because “it merely possessed employee information incident to a general employment relationship, which cannot constitute an affirmative act that entails legal liability for third-party criminal conduct. UPMC notes that it is not in the business of providing data security, was not retained to provide data security, was not otherwise tasked with providing data security, and never pursued such an undertaking.” It was just holding data—it never promised to protect it. Besides, argued UPMC, we didn’t do anything wrong, we just failed to prevent someone else (the hacker) from doing something wrong. That’s not our responsibility!
But the lower courts went further, ruling that the courts should not impose “a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.” Why not? Because it would be way too costly to do so. The court observed paradoxically that data breaches are widespread and frequent, and it would be too costly to society to impose a duty to prevent them, but at the same time, because they result from the actions of a third party (the hacker) the data holder has no duty to guard against this action “unless he realized, or should have realized, the likelihood of such a situation.”
The trial court further explained that creating a duty of due care by data holders could result in “hundreds of thousands of lawsuits,” which would overwhelm the judicial system and require entities to expend substantial resources in defending against those actions, and the cost of defending these suits could put entities out of business. Companies already have a financial incentive to prevent breaches and it would be “unnecessary to require employers to incur potentially significant costs to increase security measures when there was no true way to prevent data breaches altogether.” Security is futile.
Besides, the court opined, there are “no generally accepted reasonable care standards for evaluating one’s conduct in protecting data, and that use of expert testimony and jury findings is not a viable method to develop those standards in data breach litigation.” I mean, how can you have negligence if nobody knows what they are supposed to do? Amirite?
Finally, UPMC argued that the fact that Pennsylvania (and other jurisdictions) have passed data breach disclosure laws shows that data breaches are common, and that the remedy expected for a breach is not payment of damages but simply telling people about it. If the legislature wanted to create a duty to prevent these breaches, it would have done so. It didn’t.
Is There a Duty?
The Pennsylvania Supreme Court rejected these arguments and overturned the legal holdings of the lower courts. This is not some “new” or “novel” legal theory, opined the court. A common law duty to prevent harm arises out of the role of the company. If you, like UPMC, require people to provide you with personal information, and its disclosure to the public would cause foreseeable damage to these employees, you have a duty to use reasonable care to prevent that from happening. The fact that the “harm” happens as a result of the actions of hackers that are beyond your control is of no moment—that’s why you have the duty to protect the data. If there were no hackers, there might be no need to protect the data, right?
The court also found that the “economic loss” doctrine applied principally to tort actions that arise out of a contract, and did not apply to this particular lawsuit, although the dissenting opinion disagreed with this finding.
So, Where Does This Leave Us?
First, the opinion is technically limited to the duty of due care an employer owes to an employee after it mandates that the employee provide personal and financial information which the employer then has a tort duty to protect. A clever lawyer can take care of this “problem” by inserting language in an HR document or employment agreement that states affirmatively that the employee waives any right to privacy (to the extent permitted by law) to any data they provide, or that they agree not to sue (or sue in class action) for any breach of any duty imposed by law to require the employer to protect that data. This is common for employers to do—to impose a duty on employees to arbitrate (not in a class action) all disputes that arise out of the employer/employee relationship. It’ debatable whether a data breach is something that “arises out of” the employer/employee relationship, but a clever lawyer (yea, we need more clever lawyers) could insert language in the arbitration agreement specifying that such breaches are “deemed” to arise out of the relationship.
Second, the opinion is limited to the Keystone State—for now. Surprisingly, there’s not a lot of cases that expressly provide that there is a legal duty under negligence law to prevent these kind of data breaches. The court did not explain the scope of the duty, or what constitutes “reasonable” acts to prevent breaches—but that’s what juries are for.
Third, there’s still the problem of assessing “damages.” While the court primarily addressed “duty” of due care and the “economic loss” doctrine, other courts have consistently (but not universally) found that mere breaches of privacy that cause anxiety or fear of harm are not really “damages” and are not compensable. So there’s still the problem (for plaintiffs) of proving compensable harm resulting from a data breach. There’s also a question about “foreseeability.” To whom does the duty of due care extend? Employees? Their dependents? Customers? Vendors? Suppliers? Litigation is not the most efficient way to find this out.
At the end of the day, even with this decision, the law requires companies that hold personal information to have reasonable measures to protect it. What are those “reasonable” measures? Stay tuned.