cyber-security-lock (Maksim Kabakou/Fotolia)

The justices of the Pennsylvania Supreme Court have agreed to hear a case alleging the University of Pittsburgh Medical Center was liable for the theft of its employees’ identities.

The court granted allowance of appeal in Dittman v. UPMC. In an apparent case of first impression, a divided three-judge Superior Court panel ruled Jan. 12 that UPMC could not be held liable in a suit brought by several employees who were victims of identity theft after their electronically stored employment information—including dates of birth, addresses and Social Security numbers—was stolen from the health care provider’s servers. The decision affirmed the Allegheny County Court of Common Pleas, which had tossed the proposed class action suit that had alleged negligence and breach of implied contract.

The ruling surprised a number of cybersecurity lawyers, who said it appeared to create a nearly insurmountable hurdle for plaintiffs in Pennsylvania state court and was out of step with several other courts that have tackled similar issues.

According to the Supreme Court’s Sept. 12 allocatur order, the justices will hear arguments on whether UPMC had a duty to safeguard its employees’ electronic information and whether the economic loss doctrine prohibits recovery of pecuniary damages.

Judge Judith Ference Olson, who wrote the Superior Court’s majority opinion, weighed the social utility of UPMC’s use of electronic storage against the risk and foreseeability of being hacked, and determined that the court should not impose a duty on the health care company.

“In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without a doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data,” Olson said. “Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information.”

According to court papers, the company was hacked in 2014 and the financial information, including tax and bank information, from its nearly 62,000 employees was accessed. Almost 800 employees were later the victims of tax fraud.

Senior Judge John L. Musmanno dissented, calling the majority’s holding “untenable, given the ubiquitous nature of electronic data storage.” Judge Victor Stabile wrote a concurring opinion, which Olson joined, saying that the decision “should stand for no more than the conclusion that a legal duty was not found to exist under the facts pled in this case.”

“In this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution,” Stabile said.

The plaintiffs contended UPMC had failed to safeguard information they had provided as a condition of their employment. Specifically, the plaintiffs contended that UPMC failed to encrypt data, establish adequate firewalls and implement adequate authentication protocols.

UPMC challenged the suit, contending that the claims failed as a matter of law. The Allegheny County court agreed and the case was tossed.

On appeal, Olson looked to the five factors needed to establish a duty of care, which were outlined in the state Supreme Court’s 2000 decision in Althaus v. Cohen.

Along with determining that the social utility outweighed the risks, Olson also said the courts did not need to create a duty of care to incentivize companies to protect confidential information.

“There are still statutes and safeguards in place to prevent employers from disclosing confidential information,” Olson said. “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether.”

John Conti of Dickie, McCamey & Chilcote, who handled the case for UPMC, said, “It seemed inevitable given that this is an important case of first impression that the final word would come from the Supreme Court.”

He continued, “That said, the plaintiffs are advancing only a negligence claim, which in our view is clearly barred by the economic loss doctrine, since plaintiffs have not sustained any personal injury or property damages.”

Carlson Lynch Sweet Kilpela & Carpenter attorney Gary Lynch, who handled the case for the plaintiffs, did not return a call seeking comment.