Supreme Court of Pennsylvania Ruling on Common Law Duty to Protect Electronic Employee Data

On November 21, 2018, the Supreme Court of Pennsylvania ruled that a putative class action filed against UPMC (d/b/a The University of Pittsburgh Medical Center) should not have been dismissed.

The case arose from a data breach in which criminals accessed UPMC’s computer systems and stole the personal and financial information of 62,000 current and former UPMC employees. This information included names, birth dates, Social Security numbers, addresses, tax forms and bank account data, all of which the employees were required to provide as a condition of employment. The plaintiffs alleged that UPMC was negligent in the collection and storage of this information, and breached an implied contract in connection with the event. The trial court dismissed the case, which the intermediate appellate court affirmed.

Pennsylvania’s highest court, however, disagreed. The court held that: (1) an employer has a duty under Pennsylvania common law to use reasonable care to safeguard its employees’ sensitive personal information that it stores on Internet-accessible computer systems; and (2) Pennsylvania’s economic loss doctrine did not bar the plaintiffs’ negligence claim.

The court explained that it was not creating a new, affirmative duty. Rather, “the case is one involving application of an existing duty to a novel factual scenario.” In other words, the duty was presumed due to UPMC’s alleged risk-causing conduct. Indeed, the court stressed that due to the early procedural posture of the case, it was required to accept as true the plaintiffs’ allegations that UPMC’s conduct created the risk of the data breach. The presence of a third party’s criminal conduct also was not a superseding cause that cut off UPMC’s liability because UPMC’s alleged conduct created a situation where UPMC knew, or should have known, that a third party might try to compromise its network.

The court next found that the economic loss doctrine, as applied in Pennsylvania, did not preclude all negligence claims seeking purely “economic damages” (i.e., monetary damages that do not involve personal injury or property damage). After discussing prior Pennsylvania economic loss doctrine cases, the court concluded that the common law duty it had recognized existed independently from any contractual obligation between the parties, thus precluding application of the economic loss doctrine. As the court noted, this approach to the economic loss doctrine is not taken by all states.
