Pennsylvania Court’s ‘C’est la Vie’ View of Data Breach Damages

NOTICE: See the newer Pennsylvania Supreme Court decision in the same case, which now reminds employers of their duty to employees to protect sensitive employee information.

The Pennsylvania Superior Court recently held in Dittman v. UPMC that employees cannot sue employers after a data breach involving the employer’s computer systems, even if the employees’ sensitive personal information, such as names, birth dates, social security numbers, tax information, addresses, salaries, and bank information, is compromised. Employees cannot sue even if an employee’s tax refunds are stolen. The Superior Court held this despite the Plaintiffs showing that sensitive personal information was stolen from employees of UPMC (at least 27,000 employees) and despite at least 788 of those employees being victims of tax fraud.

Court Holds No Alleged Legal Duty to Protect Employee Sensitive Data

Effectively, the Court concludes that an employer owes no legal duty to protect confidential and sensitive personal information of employees because … well, apparently, because these things just happen.

As the trial court correctly noted, “data breaches are widespread” and “there is not a safe harbor for entities storing confidential information.” No judicially created duty of care is needed to incentivize companies to protect their confidential information…. We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences. (emphasis added)

Sadly, the Court demonstrates a minimal understanding of cybersecurity or data protection. The issue is not whether there is “no true way to prevent data breaches altogether” (emphasis added) as the Court suggests. The issue is whether a business, in this case a large, highly sophisticated medical entity in a highly regulated industry, adequately protected the employees’ data. The opinion provides no analysis of what the allegedly “significant costs” are (and compared to what), whether the entity failed to use best practices to secure data (negligence), whether this was a hit-and-run or a sustained breach, how long the entity took to detect the breach, whether encryption was used, whether data segregation was used, etc.

Instead, the Court simply held that no legal duty exists. The Court left the alleged “creation of” any legal duty to the legislature despite Althaus v. Cohen, 756 A.2d 1166 (Pa. 2000)–the very judicial blueprint for evaluating legal duties of care.

An Ephemeral “Incentive” to Protect Data

Even more disturbing is the crabbed argument suggesting that some type of incentive exists for employers to protect data. The Court fails to logically explain why an employer has an “incentive” when the employee has little or no recourse to hold the employer legally accountable under the employer’s duty of care. Instead, the Court vaguely cites computer-related laws as apparent support.

The Court implies that employees are somehow “protected” from data breach damages by, for example, 73 P.S. § 2301 et seq. But even a cursory reading of that statute, the Pennsylvania Data Breach Reporting Law, shows that an employee has no private cause of action or remedy–see 73 P.S. § 2308 (“The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act.”). The Court then cites Pennsylvania’s Privacy of Social Security Numbers Law–74 P.S. § 201. 74 P.S. § 201 plainly states: “Fines under this section shall be distributed equally between the Crime Victim’s Compensation Fund administered by the Pennsylvania Commission on Crime and Delinquency and the Office of Attorney General for future identity theft prevention.” The Court then cites the federal Stored Communications Act–18 U.S.C. §§ 2701-2712. The Stored Communications Act is a criminal statute protecting electronic communications, not data breaches.

Opinion Does Not Maintain Protections for Employee Personal Data

The assumption that “gee, data breaches will occur, c’est la vie” without any analysis of why data breaches occur, without any accounting for how to prevent or mitigate the breaches, and without any analysis of the potential failures of a business to take adequate and reasonable precautions (because they effectively have no liability from lawsuits) is staggering–especially in 2017. Unfortunately, Pennsylvanians continue to place their most sensitive personal information at risk without any accountability by the courts or employers simply because they punch the clock.