In Dittman v. UPMC, No. 43 WAP 2017, the Pennsylvania Supreme Court issued an opinion that addressed important issues concerning the scope of an employer’s duty to use reasonable care to safeguard its employees’ sensitive personal information. The Court also addressed and clarified the scope of the economic loss doctrine, as applied to negligence claims seeking the recovery of economic losses. The Court’s majority opinion, authored by Justice Max Baer, was joined by Justices Dougherty, Wecht and Mundy. Chief Justice Saylor filed a concurring and dissenting opinion, in which Justice Todd joined.
The case was filed as a class action on behalf of certain UPMC employees, arising out of a data breach through which personal information related to UPMC’s employees allegedly was stolen from UPMC’s computer systems. The Complaint further alleged that the stolen data, which UPMC had required the employees to provide to it as a condition of employment, was used to file fraudulent tax returns on behalf of certain employees, resulting in actual damages. The employees claimed that UPMC was negligent in failing to exercise reasonable care in safeguarding their personal information.
The trial court granted UPMC’s preliminary objections, declining to find that a negligence cause of action existed for alleged harm arising from a data breach. Among other reasons, the trial court observed the widespread nature of data breaches and expressed concern that allowing such a cause of action could burden the courts with numerous lawsuits. The trial court also found that the employees’ negligence claim was barred by the economic loss doctrine, as the only losses claimed were economic in nature. In a split decision, a panel of the Superior Court affirmed the trial court’s decision.
In reversing the Superior Court, the Supreme Court applied general negligence principles and had little apparent difficulty in concluding that UPMC owed a duty to the employees, “in collecting and storing Employees’ data on its computers systems, … to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” The Court further held that the criminal wrongdoing of third parties in accessing and misusing the data did not provide a defense to UPMC, at least at the pleadings stage of the case, because the alleged deficiencies in UPMC’s data collection and storage practices were such that “a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal Employees’ information.”
The Court next addressed whether the employees’ negligence claim was barred by the economic loss doctrine. That doctrine has been generally applied by Pennsylvania courts to bar negligence claims that result solely in economic damages unaccompanied by physical injury or property damage. The Court proceeded with a lengthy discussion of its prior decisions applying the economic loss doctrine – Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840 (Pa. 2009), and Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270 (Pa. 2005) – and held that “those cases do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking economic damages.” The Court explained that the existence of a tort cause of action depends on the source of the duty that the plaintiff contends was owed: “[I]f the duty arises under a contract between the parties, a tort action will not lie from breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.” The Court explicitly rejected UPMC’s argument that the Court’s opinion in Bilt-Rite should be read to provide for a broad application of the economic loss doctrine, subject only to a narrow exception for negligent misrepresentation claims under Section 552 of the Restatement (Second) of Torts. The Court concluded: “Employees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems. As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar Employees’ claim.” Interestingly, the Court’s formulation and application of the economic loss doctrine in Dittman arguably results in the further melding of that doctrine with Pennsylvania’s “gist of the action” doctrine. See Bruno v. Erie Ins. Co., 106 A.3d 38 (Pa. 2014).
Dittman undoubtedly will prove to be a significant decision in Pennsylvania jurisprudence – both with respect to the evolving law regarding employer liability for data breaches and to the contours of the economic loss doctrine.