June 2015. Feel free to direct questions or comments to Patrick Healey.
Judge R. Stanton Wettick, Jr. of the Allegheny County Court of Common Pleas recently ruled that Pennsylvania does not recognize negligence claims in data breach lawsuits. Dittman v. UPMC, No. GD-14-003285 (Pa. Ct. Com. Pl., Allegheny Cnty., May 28, 2015). The case involves a data breach in 2014 involving the University of Pittsburgh Medical Center (UPMC). The named plaintiffs and the members of the class consist of all 62,000 UPMC employees as well as an untold number of former employees, whose names, birthdates, social security numbers, confidential tax information, addresses, salaries, and bank account information were stolen from UPMC’s computer systems. The plaintiffs alleged that UPMC had a duty to protect the private, highly sensitive, confidential and personal financial information, and the tax documents of plaintiffs and the members of the proposed class (Second Amended Complaint ¶28). The class argued UPMC had a duty to protect the highly sensitive personal and financial information by designing, maintaining and testing its security systems. The class also pointed to the fact that providing this private information to UPMC had been a requirement for being employed there. They claimed damages related to fraudulently filed tax returns and being at an “increased and imminent risk” of becoming victims of identity theft crimes, fraud and abuse.
The plaintiffs brought claims against UPMC for negligence and breach of an implied contract. They alleged that UPMC “had a duty to exercise reasonable care to protect and secure [the class members’] personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” Second Amended Complaint ¶53. They also alleged that the relationship between plaintiffs and UPMC is governed by an implied contract because they are, or were, employees of UPMC and UPMC agreed “to safeguard and protect” their “personal and financial information.” Id. ¶66.
In granting UPMC’s Preliminary Objections and dismissing the claims, Judge Wettick stated that the plaintiffs could not state a claim for negligence based solely on economic losses. He stated that “[u]nder the economic loss doctrine, no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage.” Order at p. 4.
The Court did not feel that “best interests of society would be served” if a private right of action was established. It noted that recognition of this duty could result in hundreds of thousands of new lawsuits being filed in Pennsylvania, and that the judicial system “is not equipped to handle this increased caseload of negligence actions” and that the Court “will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.” Id. at p. 6. It further noted that if this duty was applied, hundreds of companies would be required to expend substantial resources due to lawsuits and that these companies “are victims of the same criminal activity as the plaintiffs.” Id. at p. 7. The Court noted that the financial impact of recognizing this private right of action “could even put these entities out of business” and that “[e]ntities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations.” Id. at pp. 7-8.
The Court also did not feel that “courts should impose a new affirmative duty of care that would allow data breach actions to recover damages in negligence actions.” Id. at p. 10. It stated that judicial restraint cautions against judges imposing new affirmative duties on companies because the legislature is in a better position to make public policy judgments. “The [Pennsylvania} General Assembly has considered and continues to consider the same issues that plaintiffs are requesting this court to consider. . . . The only duty that the General Assembly has chosen to impose as of today is notification of a data breach. It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature” Id. at p. 10.
With regard to the breach of implied contract claim, the Court noted that for it found no “meeting of the minds” between the parties, which is required under Restatement (Second) of Contracts, §4, and that it could find no reason “why UPMC would enter into an agreement with its employees to allow its employees to sue [it] in the event of a data breach” and that and common sense requires a finding that it would not agree to allow others to bring private actions against [it].” Id. at p. 12. The Court concluded that “there are no circumstances that would establish a common understanding that UPMC was agreeing to allow its employees to sue [it] for damages sustained from a data breach.” Id.
The vast majority of data breach actions had been filed in Federal Court, where a plaintiff is subject to the standing requirements found in Article III of the U.S. Constitution. Federal Courts have held that to have standing, a plaintiff must have an “injury in fact,” which is an injury that is “concrete in both a qualitative and temporal sense,” as opposed to merely “abstract.” Whitmore v. Arkansas, 495 U.S. 149, 155 (1990). As the Supreme Court has stated, “[A]n injury must be present or certainly impending, that an attenuated chain of possibilities does not confer standing, and that plaintiffs cannot create standing by taking steps to avoid an otherwise speculative harm.” Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1151 (2013). Federal Courts have held that unless a plaintiff can show that the data was misused or that such misuse is certainly impending, the claims will be dismissed. See, e.g. Storm & Holt v. Paytime, Inc., 1:14-CV01138-JEJ (M.D. Pa. Mar. 13, 2015).
The application of the Article III standing criteria has led many plaintiffs to file their data breach claims in state courts, where standing requirements are thought to be less stringent. This decision reiterates the trend in state courts that there is no duty to provide adequate and reasonable data security. Also, Judge Wettick goes further than other state courts in examining the public policy implications and the potential of crippling expenses on businesses if a duty to protect sensitive personal information is judicially imposed.
While Judge Wettick’s unwillingness to find a duty of care or carve out any type of exception to the economic loss doctrine may offer some comfort for potential defendants, the viability of future negligence claims stemming a data breach remains somewhat unresolved. Judge Wettick did not address the viability of consumer fraud or breach of contract claims. Also, since the records disclosed did not involve “protected health information” under HIPAA, Judge Wettick did not determine if HIPAA provides the standard of care for a negligence claim, which some jurisdictions have allowed. (See, e.g., Byrne v. Avery Center for Obstetrics and Gynecology, 2014 WK 5507439, Conn. Nov. 11, 2014 – Plaintiff allowed to use HIPAA to establish a standard of care in breach of privacy action).
In addition, given the fact that we are subject to almost daily stories about data breaches and that a well-regarded Pennsylvania judge believes that the issue of a remedy for data breaches is one left up to the legislature, it is reasonable to think that the legislature may entertain this issue sooner rather than later. This only reiterates the obvious need for persons collecting and maintaining sensitive personal and financial information to protect this information from attack.