Attorney Gary Lynch, arguing before the Pennsylvania Supreme Court on behalf of the plaintiffs in a closely watched case over UPMC’s employee data breach, urged the justices to set aside the technical complexities associated with the field of cybersecurity and instead focus on “one of the most fundamental tenets of our common law.”
“And that tenet is simply that one who does an affirmative act is under a duty to exercise reasonable care so as to protect against foreseeable harm,” he said.
When asked by Justice Debra Todd why it shouldn’t be left to the state legislature to establish a duty of care for those who handle electronic data, Lynch replied, “We’re not talking about establishing a new affirmative duty under the law, we’re talking about application of general negligence principles.”
“So what you’re arguing is that even though technology may have brought us facts that are new and factual scenarios that haven’t occurred before, the fundamental legal issue and policy issue is the same,” Todd said.
“Absolutely, Justice Todd,” Lynch said.
Minutes later, however, Lynch’s opponent in the case, John Conti, representing UPMC, painted the case as uncharted legal territory.
“There is nothing like cybersecurity,” he said. “Never in the history of humankind has there been a circumstance where a single criminal act can be perpetrated [by] someone around the globe—a nation state, a lone hacker, an organized criminal—that can instantaneously impact and compromise the data of thousands or millions or even billions of individuals.”
The arguments in Dittman v. UPMC, held April 10 in Pittsburgh, follow the state Superior Court’s controversial January 2017 decision in which it held that UPMC could not be held liable in a suit brought by several employees who were victims of identity theft after their electronically stored employment information—including dates of birth, addresses and Social Security numbers—was stolen from the health care provider’s servers. The ruling affirmed a decision from the Allegheny County Court of Common Pleas, which had tossed the proposed class action suit that had alleged negligence and breach of implied contract.
Judge Judith Ference Olson, who wrote the Superior Court’s majority opinion, weighed the social utility of UPMC’s use of electronic storage against the risk and foreseeability of being hacked, and determined that the court should not impose a duty on the health care company.
“In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without a doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data,” Olson said. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”
The ruling surprised a number of cybersecurity lawyers, who said it appeared to create a nearly insurmountable hurdle for plaintiffs in Pennsylvania state court and was out of step with several other courts that have tackled similar issues.
At the Supreme Court oral argument session, the justices zeroed in on the issue of foreseeability as it relates to data breaches, comparing and contrasting the protection of electronic data with the protection of sensitive physical documents.
“Counsel, could we take IT out of it for just a moment?” Todd asked Lynch, before laying out a hypothetical scenario in which UPMC stored hard copies of employee records in a high-crime area and left the doors unlocked with no security, ultimately leading to the theft of those records.
“Is there a duty there and how would it differ from the duty you’re suggesting in the IT context?” Todd asked.
Lynch replied, “In your hypothetical you made mention that it was known to be a bad neighborhood. … If there’s a distinction at all between your hypothetical and this scenario we’re dealing with here it’s that the foreseeability of the criminal activity is absolute.”
“Every IT system that’s internet-accessible lives in an environment of constant attack,” he continued, “so it’s not even like the hypothetical that you presented where we’re talking about a neighborhood [where] a criminal may or may not come along and try to break into the building that night. We already know that the IT system is under constant attack multiple times per minute, every moment of the day. So this is more of an environment of risk than it is worrying about an ad hoc criminal attempt.”
But Lynch said the duty to protect the data is the same in both scenarios. In the context of electronic data theft, it should be up to cybersecurity experts to then testify as to the standard of care and, ultimately, a jury to determine whether that standard was breached.
But Conti, arguing that the claims in Dittman were barred by the economic loss doctrine, said “foreseeability does not exist in this case.”
“When we talk about foreseeability we’re talking about much more than the statistical likelihood that something could occur,” Conti said, adding, “In a very general sense, one can say, ‘Of course, these systems are under constant attack so that is foreseeable,’ but that is far different from what the notion of foreseeability is in these circumstances.”
But Justice David Wecht asked why companies hire staff and institute protocols specifically to protect against data breaches if those breaches are not foreseeable.
“We are not talking about a unique threat, we are talking about threats that can emanate from any number of sources … if you multiply those possibilities together you get a thousand different iterations of risk,” Conti replied.
“So it’s not that it’s not foreseeable, your argument is—and I think Judge Olson had this view basically—’We just can’t control this so we’re not going to allow a remedy.’ That’s your argument isn’t it?” Wecht replied.
Conti said it was his argument but stressed that the concept of “foreseeability” under the law is different from the common-sense understanding of the word.
Chief Justice Thomas Saylor asked what harm, from a public policy standpoint, it would do for the court to decide that “there’s a duty to use all reasonable means to protect employees’ private personal data.”
Conti responded that because there is no well-established standard of care in the context of cybersecurity, unsophisticated businesses that don’t have the resources or expertise, such as small mom-and-pop shops and nonprofits, could potentially be held to an impossible standard.
Conti added that companies potentially face “ruinous liability” because cyberattacks are not completely preventable.
“The consequences befall every purported tortfeasor, just in different ways,” Conti said. ”The cost would be, to certain extents, passed along to customers who ultimately would bear the burden. And smaller entities and nonprofits would bear the burden, perhaps in a different way, by going out of business. So the burden of litigation exists and, frankly, the businesses would be hurt and the only one that would do well I think is the trial bar.”
Wecht suggested to Conti that imposing no duty on employers to protect employees’ private data would disincentivize those employers to take any measures to protect that data.
But Conti called that notion “a little cynical and flat-out wrong” given, for example, the remediation costs companies incur following data breaches.