Prudent Security Admin: Has a New Data Breach Precedent Been Created?

A recent ruling by the Pennsylvania Supreme Court has the potential to usher in a new era of data breach litigation and set a new legal precedent for cybersecurity negligence and liability.

In Dittman v. UPMC, a group of current and former employees sued the hospital after their data was exfiltrated in a breach. In an unprecedented ruling, the court found that the hospital violated a common law duty to protect employees’ personal data. By ruling that an organization carries a fundamental duty to protect confidential data, the court has set a precedent similar to the financial industry’s Prudent Person Rule.

The Prudent Person Rule is an investor protection standard that financial advisers and asset trustees must meet, and which is meant to protect investors from irresponsible investments made on their behalf. The UPMC precedent is analogous, but it applies under a tort law framework rather than under employment law protections.

How Does the Prudent Person Rule Work?

In the financial industry, this standard states that “… a person need not possess exceptional investment skill but must exercise discretion and average intelligence while investing that would be considered as proper or sound.” In practice, this means that a financial adviser to a retired senior citizen with a fixed income should not invest their savings in, say, cryptocurrencies versus government bonds. Doing so would not be prudent, and an adviser who did so could be found liable for losses.

By invoking similar language, the court has signaled that a similar duty exists for the protection of personal data by an organization and its IT security staff. The plaintiffs’ argument held that UPMC should have implemented common measures such as firewalls, data encryption and authentication protocols.

By ruling for the plaintiff, the court has also signaled that it is capable of determining if that duty has been met within the facts and circumstances of a given case. This is truly a paradigm shift in data breach liability and may have a large wave of intended and unintended consequences.

How Dittman v. UPMC Sets a New Data Breach Precedent

The specifics of the Dittman v. UPMC case involve a data breach where hackers penetrated the University of Pittsburgh Medical Center (UPMC) computer systems, obtained personal information of 62,000 current and former employees and used this data to file fraudulent tax returns.

The plaintiffs sued, arguing that the hospital had a duty of care to secure their personal data and breached that duty by not protecting its computer systems in a reasonable and customary manner. Two lower courts failed to find a statutory, policy or common law duty supporting such an argument and dismissed the case.

The Pennsylvania Supreme Court took the case on appeal and reversed the lower courts’ decisions. According to the court, the hospital had “a legal duty to exercise reasonable care to safeguard” personal data, a duty that stemmed from common law negligence doctrine. The court even went so far as to name specific technical measures such as “proper encryption, adequate firewalls, and an adequate authentication protocol” that should have been implemented.

While these suggestions don’t establish a rigid standard of care, they come pretty close to a new precedent. The court pointed to a reasonable and prevailing expectation of affirmative measures to protect data. UPMC’s inaction was found to be negligent and was cause for liability.

Will This Data Breach Precedent Change Behavior?

While this precedent is sure to get tried, tested and honed in future cases, this blockbuster ruling opens the doors to more lawsuits stemming from a common law duty to protect data. 

Prudent companies will be forced to take proactive measures on both the technical and legal fronts to safeguard corporate interests. In short, security and legal budgets are going to have to increase as breaches become more and more common and the availability of damages becomes easier for victims to attain.

Some states are working to enact laws that provide a “legal safe harbor” from tort claims related to a data breach to entities that have implemented and comply with certain cybersecurity frameworks. North Carolina recently brought forth proposed legislation that would require companies to “… maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach.”

It is unclear how compliance with these safe harbors will stand up in court, given this is a new paradigm that lacks prior case law. One thing is for certain: The volume of data breaches and ransomware attacks will give ample opportunity for these new precedents to be tested in court.

Source: Coveware

What is not up for debate is the continued threat that data breaches and ransomware present. Downtime costs are typically 10x to 100x, and the costs to recover and remediate are often not covered by insurance. These costs amount to a consistent drag on global productivity, which some estimate at up to 7.5 percent of global GDP per year.

Bill Siegel


Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.
