A Pittsburgh-area judge recently ruled that Pennsylvania does not recognize negligence claims in data breach lawsuits. Dittman v. UPMC, No. GD-14-003285 (Pa. Ct. Com. Pl., Allegheny Cnty., May 28, 2015). The case centers on a data breach in 2014 involving the University of Pittsburgh Medical Center (UPMC). In late May 2014, a Pittsburgh-area newspaper reported that the breach “may have exposed Social Security numbers, addresses, salaries and bank account information” of all of UPMC’s 62,000 workers. See Robert Zullo and Rich Lord, UPMC Hacking Widespread, Pittsburgh Post-Gazette, May 31, 2014.
As previously discussed here and here, plaintiffs in data breach cases often have difficulty establishing standing to pursue claims based upon data breaches. Indeed, UPMC argued as much in its preliminary objections (the state-court equivalent of a motion to dismiss) to the class action complaint. Citing both Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), and the Third Circuit opinion in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), UPMC argued that an increased risk of identity theft resulting from a data breach is insufficient to confer standing absent allegations that the data had been or would be misused.
But the judge dismissed the two-count class action complaint for different reasons. The plaintiffs, who sought to represent a class of about 62,000 individuals, asserted two claims against UPMC: negligence and breach of an implied contract. The plaintiffs alleged that “UPMC had a duty to exercise reasonable care to protect and secure [the putative class members’] personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” Second Amended Class Action Complaint ¶ 53. The plaintiffs also alleged that because they are, or were, employees of UPMC, the relationship between the plaintiffs and UPMC is governed by an implied contract whereby UPMC agreed “to safeguard and protect” the plaintiffs’ “personal and financial information.” Id. ¶ 66.
Addressing the negligence claim, the court first decided that the plaintiffs could not state a claim for negligence based solely on economic losses. The judge held: “Under the economic loss doctrine, no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage.” Order at 4.
Next, the court determined that regardless of the economic loss doctrine, “courts should [not] impose a new affirmative duty of care that would allow data breach actions to recover damages” in negligence actions. Ultimately, the court determined that judicial restraint cautions against judges imposing new affirmative duties on companies because the legislature is in a better position to make public policy judgments. The court noted that the Pennsylvania “General Assembly has considered and continues to consider the same issues that plaintiff are requesting this court to consider . . . . The only duty that the general Assembly has chosen to impose as of today is notification of a data breach.” Id. at 10. Interestingly, the judge also noted that although data breaches are “widespread,” the courts were “not equipped to handle [an] increased caseload of negligence actions” if Pennsylvania recognized a private cause of action. Id. at 6. The court also dismissed the breach of implied contract claim, holding that there was no meeting of the minds between UPMC and its employees.
This case illustrates the difficulty data breach plaintiffs continue to face in seeking damages, as well as the tools that businesses can wield in defending data breach lawsuits. Often lost in the headlines, but a fact that this court recognized: businesses and organizations are also victims of data breaches.