Imagine aspirin being replaced by a drug that can rid the body of pain, as aspirin can, but by solving the problems that give rise to that pain. Imagine further that the new drug, in solving those problems, can address, and halt or change, bodily functions that it should not address, halt or change. Imagine, for example, the new drug addressing the pain caused when a finger is partially crushed by someone who misses his target (a nail) with his hammer and, instead, smashes his finger. Further imagine that the same drug that successfully restores the finger (as opposed to simply lessening the pain caused by the smash) “cures” the problem by causing the body to release chemicals that lead to an infection or an even worse consequence. The issue would then arise as to whether the benefits of the new drug can be kept while at the same time the problems caused by it are removed.
An analogous issue troubles the usage of computers and information technology in commerce today. IT solves one or more problems but gives rise to others. Perhaps the most obvious and prevalent example of this phenomenon is how, as IT allows for global connections between users, or between users and data (i.e., cloud storage), it also makes itself increasingly accessible to those who wish to access such connections or data through hacking.
Technical solutions to specific problems may present themselves, but such solutions will always be needed, since new problems will always accompany new technology, which will always continue to grow. Thus, we will always need legal solutions and templates to be in place, or to be easily adaptable, to address these technical problems.
A good example of legal solutions lagging behind technical issues is the differing standards for data protection found in the European Union’s General Data Protection Regulation (GDPR) (EU) 2016/679 and those found in federal and state laws throughout the United States. The EU and the United States routinely send data to and receive data from each other, and each stores such data. The security laws pertaining to such data, however, differ between the two locales, such that EU data in cloud storage in the United States could well be in violation of the GDPR but in compliance with all U.S. federal and state laws. Such differences in the laws strip those laws of the power to guide users in designing and promulgating systems that conform to all security requirements.
In Dittman v. The University of Pittsburgh Medical Center, No. 43 WAP 2017 (PA Supreme Ct. 2018), the Pennsylvania Supreme Court wrestled with this dilemma when determining that “an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information that the employer stores on an internet-accessible computer system.” Plaintiffs in Dittman, employees of defendants, had sued defendants after a third party had hacked into the defendants’ computer system and accessed personal information (names, dates of birth, Social Security numbers, banking information, tax information, etc.) which defendants had required plaintiffs to provide to them to gain employment. The Superior Court had held that because the defendants’ requirement was contractual, under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages was not permissible. The Supreme Court, however, found that the requirement fell under common law “that is independent of any duty assumed pursuant to contract,” and so Pennsylvania’s economic loss doctrine “permits recovery in negligence for purely pecuniary damages.” As we will discuss, the Supreme Court’s reasoning is what is necessary to establish and uniformly interpret laws that will allow for the inevitable growth of IT in our digital world.
Facts and Lower Court Arguments
As has been discussed, the plaintiffs in Dittman were employees of defendants who were required to supply personal information to defendants. After a third party had, without permission, gained access to that information (stored on defendants’ computers), the plaintiffs sued the defendants for the economic loss the plaintiffs suffered because of that hacking. Pennsylvania contract law prohibited the award of damages for economic loss for breach of contract, save for what loss is set forth in the contract (here, there was no such contract or amount of loss); economic loss could be awarded only if a tortious breach of duty was found. The Superior Court dismissed the complaint because it held that any loss in the matter would have arisen under a theory of contracts, while the Supreme Court reversed and reinstated the complaint because it held “that an employer had a legal duty,” independent of any contract, “to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system,” and that “under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages was permissible under a negligence theory provided that the plaintiff” could, as it could here, “establish the defendant’s breach of a legal duty arising under common law that was independent of any duty assumed pursuant to contract.”
In their complaint, the employees alleged that a data breach had occurred through which the aforementioned personal information “of all 62,000 UPMC employees and former employees was accessed and stolen from UPMC’s computer systems,” and that the “stolen data, which” UPMC required the employees “to provide as a condition of their employment, was used to file fraudulent tax returns on behalf of the victimized” employees, “resulting in actual damages.” Plaintiffs “asserted a negligence claim and breach of implied contract claim against UPMC. With respect to their negligence claim,” they “alleged that UPMC had a duty to exercise reasonable care to protect their ‘personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties,’” as well as “a duty of care to ensure the security of their information in light of the special relationship between” plaintiffs and UPMC, whereby UPMC required plaintiffs “to provide the information as a condition of their employment.” UPMC’s duty included, inter alia, “designing, maintaining, and testing its security systems to ensure” that plaintiffs’ information was adequately protected, and implementing “processes that would detect a breach of its security systems in a timely manner.” Employees further averred that, by failing to “adopt, implement, and maintain adequate security measures to safeguard” the information, to monitor the security of its network adequately, and “to recognize in a timely manner that” the “information had been compromised,” UPMC breached its common law duties to the employees, and that UPMC “violated administrative guidelines” and failed to meet “current data security industry standards,” specifically by failing to encrypt data properly, to “establish adequate firewalls to handle a server intrusion contingency,” and to “implement adequate authentication protocol to protect the confidential information contained in its computer network.”
Such breach “was the direct and proximate cause of the harm” to the employees, causing them to incur “damages relating to fraudulently filed tax returns” and to put them “at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”
UPMC filed preliminary objections to the complaint, arguing that, inter alia, the negligence claim failed as a matter of law. UPMC argued that “no cause of action existed for negligence” because plaintiffs “did not allege any physical injury or property damage and, under the economic loss doctrine, ‘no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.’” After additional responses and oral argument, the court sustained UPMC’s preliminary objections and dismissed plaintiffs’ negligence claim. The plaintiffs did not appeal.
The trial court found no statutory duty owed by UPMC and refused to recognize a “new” common law duty because “it could not say with reasonable certainty that the best interests of society would be served through the recognition of a new affirmative duty under these circumstances, noting that the financial impact of doing so could put entities out of business.” The trial court further reasoned that “entities storing confidential information already had an incentive to protect that information because any breach would affect their operations, that an improved system would not necessarily prevent a breach, and that” defendants “were also victims of the criminal activity involved.” Finally, the trial court noted that the Legislature had considered the issues that plaintiffs “sought the court to consider herein as evidenced by the Breach of Personal Information Notification Act (Data Breach Act), 73 P.S. Sections 2301-2329” and had “imposed a duty on entities to provide notice of a data breach only, 73 P.S. Section 2303, and given the Office of Attorney General the exclusive authority to bring an action for violation of the notification requirement.” The trial court reasoned that, the Legislature having rejected the plaintiffs’ arguments, it was not within the trial court’s power to provide a tort action which the Legislature chose not to provide.
The plaintiffs appealed to the Superior Court, arguing that the trial court erred in finding that UPMC did not owe a duty of reasonable care in its collection and storage of the plaintiffs’ information, and in finding that the economic loss doctrine barred their claim. In a split opinion, a three-judge panel of the Superior Court affirmed the order of the trial court sustaining UPMC’s preliminary objections and dismissing plaintiffs’ claims. The Superior Court applied the five-factor test set forth by the Pennsylvania Supreme Court in Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000):
“The determination of whether a duty exists in a particular case involves the weighing of several discrete factors which include: the relationship between the parties; the social utility of the actor’s conduct; the nature of the risk imposed and foreseeability of the harm incurred; the consequences of imposing a duty upon the actor; and the overall public interest in the proposed solution.”
The Superior Court concluded first “that the relationship between the parties weighed in favor of imposing a duty on UPMC because the employer-employee relationship ‘traditionally has given rise to duties on the employer.’” It further noted that there was “an obvious social utility” in electronically storing employees’ personal information “to promote efficiency,” which outweighed the nature of the risk imposed and foreseeability of the harm incurred in so doing. The court also noted that the “general risk of storing information electronically increased as data breaches became more common and that data breaches and the ensuing harm were generally foreseeable,” that “more and more information is stored electronically” in the modern era, and that “employees and consumers alike derive[d] substantial benefits from” the resulting efficiencies. Because, however, “a third party committing a crime is a superseding cause” against which “a defendant does not have a duty to guard … unless he realized, or should have realized, the likelihood of such a situation,” the court found that the first factor weighed against the plaintiffs.
The Superior Court “further agreed with the trial court’s analysis of the fourth and fifth Althaus factors.” As to the fourth factor, it added to the trial court’s reasoning that “no judicially created duty of care is needed to incentivize companies to protect their employees’ confidential information because there are ‘statutes and safeguards in place to prevent employers from disclosing confidential information.’” Finally, the court also found it “‘unnecessary to require employers to incur potentially significant costs to increase security measures when there was no true way to prevent data breaches altogether,’” reasoning that “‘employers strive to run their businesses efficiently and they have incentive to protect employee information and prevent these types of occurrences.’” Thus, the Superior Court concluded that the trial court “properly found that UPMC owed no duty to Employees under Pennsylvania law.”
The Superior Court further agreed that the economic loss doctrine applied to bar employees’ negligence claim. Reiterating the generalized statement of the doctrine (i.e., that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage”), the court agreed that the sole “narrow exception to the doctrine” applied “only when the losses result from the reliance on the advice of professionals,” which was not what occurred in the instant matter.
In our next column, we will look closely at the Pennsylvania Supreme Court’s opinion and the consequences of using the common law to resolve issues pertaining to digital devices and issues of technical procedures.
Leonard Deutchman is a legal consultant recently retired from one of the nation’s largest e-discovery providers, KLDiscovery, where he was vice president, Legal. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney’s Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.