Data security breaches have become ubiquitous. However, in spite of the large number of well-publicized incidents, plaintiffs generally have had limited success in bringing private actions against the companies suffering the breach. Plaintiffs have seen somewhat greater success establishing Article III standing in a number of state and federal court cases, but a recent decision from the Supreme Court of Pennsylvania in Dittman v. UPMC may signal a significant change in plaintiffs’ fortunes because of the court’s willingness to accept a standard that allows recovery for purely pecuniary damages. This decision should put anyone storing or collecting data on notice of the potential increase in security breach litigation in the employer/employee context, and outside that relationship as well.
The Requirement of Damages
One of the most formidable barriers for security breach class action plaintiffs has been the ability to show concrete damages. Fundamentally, in order to bring a lawsuit, plaintiffs must have standing to sue. In federal court, standing to sue is governed by Article III of the U.S. Constitution. The U.S. Supreme Court has articulated standing to sue as requiring (1) injury in fact, (2) fairly traceable to the defendant’s conduct, (3) that is likely to be redressed by a favorable decision. In the context of injury in fact, federal courts must analyze whether an alleged injury is concrete and particularized. Proving a concrete and particularized injury therefore becomes difficult for plaintiffs in class actions, especially in security breach class actions, since it often becomes an individualized analysis of harms. Many state courts follow standing requirements similar to those articulated by the federal courts. While plaintiffs traditionally had difficulty proving standing, a number of federal circuit courts have increasingly trended towards finding standing. Even so, the requirement to prove actual damages has traditionally barred plaintiffs’ claims of alleged harms suffered as a result of security breaches, because most of the alleged harms are speculative, abstract or emotional in nature.
Dittman v. UPMC
In Dittman v. UPMC, plaintiffs were employees of Defendant University of Pittsburgh Medical Center (UPMC). The employees filed a class action complaint alleging that the personal and financial information of 62,000 current and former employees had been accessed and stolen from UPMC’s computer systems. Plaintiffs alleged that UPMC breached an implied contract and was negligent by failing to implement adequate security measures to safeguard information relating to employees.
The trial court dismissed the negligence claim, concluding that the only injury plaintiffs suffered was economic in nature and therefore barred by the economic loss doctrine, and further concluding that UPMC did not owe a duty of care to employees in the collection and storage of employee data. Notably, the trial court worried about the number of lawsuits that could result from a decision finding such a duty.
The employees appealed, and the appellate court agreed with the lower court, concluding UPMC owed no duty to employees under Pennsylvania law, and that the employees could not recover for their purely economic loss.
The Pennsylvania Supreme Court
The Pennsylvania Supreme Court granted appeal to address (1) whether an employer had a legal duty to use reasonable care to safeguard sensitive personal data of employees when the employer chose to store the personal information on an internet accessible system, and (2) whether the economic loss doctrine permitted recovery for purely economic damages resulting from the breach of an independent legal duty arising under common law.
The Supreme Court determined that the case involved the application of an existing duty, rather than the creation of a new affirmative duty. The court further found that the employees had sufficiently alleged that UPMC’s affirmative conduct in collecting the information created the risk of a security breach, and that UPMC therefore owed a duty to exercise reasonable care to protect against an unreasonable risk arising out of storing the data. The court also determined that the criminal acts of third parties did not eliminate the duty UPMC owed to its employees.
Further, the court analyzed previous Pennsylvania decisions addressing the economic loss doctrine and determined that they did not bar recovery for purely economic loss. The court reasoned that because the employees claimed UPMC breached its common law duty to act with reasonable care in storing personal financial information on its computer systems, rather than alleging a breach of a contractual duty, the doctrine did not bar the employees’ claims.
Based on the foregoing, the Pennsylvania Supreme Court concluded the lower courts erred in determining UPMC did not owe a duty to safeguard the employees’ personal information and that the economic loss doctrine barred the negligence claim. The Pennsylvania Supreme Court reversed and remanded for further proceedings.
While the Pennsylvania decision affects only Pennsylvania for the time being, anyone who collects or stores personal information should be aware that it could signal a new tide for security breach plaintiffs. The Pennsylvania court’s willingness to impose a common law duty of care, rather than look to a statutory scheme or create a new duty, is notable because it could lead security breach plaintiffs to try to extend this decision beyond the employer/employee context and argue that anyone who stores data is required to exercise reasonable care.
Any actor collecting and storing personal information should be on notice that courts may be more willing to find that they owe a duty of reasonable care in the collection and storage of such data, and may be liable in tort for the breach or theft of such data, even if the breach is caused by the wrongful acts of a third party.
Further, the recognition that plaintiffs could recover for negligence may encourage bringing security breach suits outside the context of a breach of contract claim. The Pennsylvania Supreme Court’s willingness to acknowledge pure pecuniary damages, in the context of potential recovery under a negligence theory, gives plaintiffs in Pennsylvania another claim in their pocket to bring during security breach litigation. While the impact of this decision remains to be seen, it may indicate a new chapter for data breach plaintiffs, and could lead to more security breach litigation.
Jim Shreve is chair of Thompson Coburn's Cybersecurity group and holds CIPP/US and CIPT certifications from the International Association of Privacy Professionals (IAPP). He is also a Fellow of Information Privacy (FIP) with the IAPP. Libby Casale is an associate in Thompson Coburn’s Business Litigation group and holds CIPP/US certification.
The Supreme Court of Illinois does not recognize certifications of specialties in the practice of law, and the CIPP/US certificate is not a requirement to practice law in Illinois.