Data Breach – Duty of Employer to Use Reasonable Care to Safeguard Sensitive Personal Information Stored on Employer’s Internet Accessible Computer System; Applicability of Economic Loss Doctrine
UPMC employees filed a class action against UPMC for negligence and breach of contract after a data breach in which the names, birth dates, Social Security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 UPMC employees and former employees were accessed and stolen from UPMC’s computer systems. The stolen information was used to file fraudulent tax returns and steal the tax refunds of certain employees. The digitally stored data consisted of personal information that UPMC required employees to provide as a condition of their employment.
A Superior Court panel, with Judge Musmanno dissenting, affirmed the trial court’s grant of UPMC’s preliminary objections, finding that no duty of care exists. Superior Court also decided that the economic loss doctrine does not apply, because no duty exists.
Superior Court analyzed the duty of care under the five-factor weighing test in Althaus ex rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000): (1) the relationship between the parties; (2) the social utility of the actor’s conduct; (3) the nature of the risk imposed and foreseeability of the harm incurred; (4) the consequences of imposing a duty upon the actor; and (5) the overall public interest in the proposed solution. The court found that the first factor weighs in favor of finding a duty because of the employer-employee relationship; that the second and third factors, taken together, weigh in favor of finding no duty (“[w]hile a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information”); that the fourth factor, the consequences of imposing a duty, weighs against finding a duty because “no judicially created duty of care is needed to incentivize companies to protect their confidential information”; and that the fifth factor, the overall public interest, weighs against finding a duty because the legislature has addressed the issue of data breach, the “only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” and it “is not for the courts to alter the direction of the General Assembly because public policy is a matter for the [l]egislature.”
Examining the applicability of the economic loss doctrine (that is, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage,” Adams v. Copper Beach Townhome Cmty., L.P., 816 A.2d 301, 305 (Pa. Super. 2003)), the court found that to recover for purely economic loss, a plaintiff must show that UPMC breached a duty imposed by law, but “[n]o such duty exists here.”
Concurring, Judge Stabile emphasized that plaintiffs “failed to make allegations of specific threats and problems with UPMC’s computer system to alter the finding of no duty in this case” and that “in this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution.”
Dissenting, Judge Musmanno wrote: “the Majority concludes that the social utility of electronically storing information outweighs the risk of harm and the foreseeability of such harm. … I believe that the Majority’s conclusion is untenable, given the ubiquitous nature of electronic data storage, the risk to UPMC’s employees posed by the failure to reasonably protect such information, and the foreseeability of a computer breach and subsequent identity theft.”
The Supreme Court’s grant of allocatur extends to two issues as stated by the plaintiff petitioners:
- Does an employer have a legal duty to use reasonable care to safeguard sensitive personal information of its employees when the employer chooses to store such information on an internet accessible computer system?
- Does the economic loss doctrine permit recovery for purely pecuniary damages which result from the breach of an independent legal duty arising under common law, as opposed to the breach of a contractual duty?