According to the Identity Theft Resource Center, so far in 2015, 380 data breaches have occurred in the United States, exposing more than 117 million personal records.  According to at least one court, however, such data breaches do not give rise to a cause of action for negligence against a party who fails to protect confidential information.  To the contrary, the widespread nature of data breaches and the potential for an overwhelming number of lawsuits may be one reason to limit liability for negligence.

Last month, in Dittman v. UPMC, No. GD-14-003285 (Allegheny County C.C.P. May 28, 2015), a Pennsylvania trial court dismissed a class action lawsuit brought on behalf of over 62,000 employees and former employees of the University of Pittsburgh Medical Center, whose confidential personal identifying information was stolen from UPMC’s computer system.  The class alleged that UPMC acted negligently by failing to protect the personal information it maintained.

The court rejected this claim based, in large part, upon Pennsylvania’s economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic losses.  Interestingly, although the court could have stopped its analysis there, it went on to note that even if the economic loss rule did not bar Plaintiffs’ negligence claim (as it would not in many states, including Florida), public policy did not support the creation of a duty of care to protect employees’ confidential information from data breach.

To the contrary, the court reasoned that “data breaches are widespread . . . [and] the creation of a private cause of action could result within Pennsylvania alone [in] the filing each year of possibly hundreds of thousands of lawsuits . . . . Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions.”  The court further reasoned that imposing such a duty of care would penalize “hundreds of profit and nonprofit entities” who were themselves the victims of the same criminal activity as plaintiffs and “courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.”

In support of these conclusions, the court observed that the Pennsylvania General Assembly extensively considered the issues surrounding data breaches when enacting the Breach of Personal Information Notification Act, 73 P.S. § 2301, et seq. (effective June 20, 2006), and had declined to create a private cause of action.

This case is significant in that it highlights the disparate remedies available to victims of data breach depending on the applicable state common law.  In addition, it emphasizes the importance of state statutory remedies to protect victims of data breach in states where no common law remedy may exist.