Pennsylvania Court’s ‘C’est la Vie’ View of Data Breach Damages
The Pennsylvania Superior Court recently held, in Dittman v. UPMC, that employees cannot sue employers after a data breach involving the employer’s computer systems, even if the employees’ sensitive personal information, such as names, birth dates, social security numbers, tax information, addresses, salaries, and bank information, is compromised. Employees cannot sue even if employee tax refunds are stolen. The Plaintiffs showed that sensitive personal information was stolen from employees of UPMC (at least 27,000 employees) and that at least 788 of those employees were victims of tax fraud.
Court Holds No Alleged Legal Duty to Protect Employee Sensitive Data
Effectively, the Court concludes that an employer owes no legal duty to protect confidential and sensitive personal information of employees because … well, apparently, these things just happen.
As the trial court correctly noted, “data breaches are widespread” and “there is not a safe harbor for entities storing confidential information.” … No judicially created duty of care is needed to incentivize companies to protect their confidential information…. We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.
Sadly, the Court demonstrates a minimal understanding of cybersecurity or data protection. The issue is not whether there is “no true way to prevent data breaches altogether” (emphasis added), as the Court suggests. The issue is whether a business, in this case a large, highly sophisticated medical entity in a highly regulated industry, adequately protected the employees’ data. The opinion provides no analysis of what the allegedly “significant costs” are (and compared to what), whether the entity failed to use best practices to secure data (negligence), whether this was a hit-and-run or a sustained breach, how long the entity took to detect the breach, whether encryption was used, whether data segregation was used, etc.
Instead, the Court simply held that no legal duty exists. The Court left the alleged “creation of” any legal duty to the legislature despite Althaus v. Cohen, 756 A.2d 1166 (Pa. 2000)–the very judicial blueprint for evaluating legal duties of care.
An Ephemeral “Incentive” to Protect Data
Even more disturbing is the crabbed argument suggesting that some type of incentive exists for employers to protect data. The Court fails to logically explain why an employer has an “incentive” when the employee has little or no recourse to hold the employer legally accountable for its duty of care. Instead, the Court cites computer-related laws as apparent support.
The Court implies that employees are somehow “protected” from data breach damages by, for example, 73 P.S. § 2301 et seq. But even a cursory reading of that statute, the Pennsylvania Data Breach Reporting Law, shows that an employee has no private cause of action or remedy–see 73 P.S. § 2308 (“The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act.”). The Court then cites Pennsylvania’s Privacy of Social Security Numbers Law–74 P.S. § 201. 74 P.S. § 201 plainly states: “Fines under this section shall be distributed equally between the Crime Victim’s Compensation Fund administered by the Pennsylvania Commission on Crime and Delinquency and the Office of Attorney General for future identity theft prevention.” The Court then cites the federal Stored Communications Act–18 U.S.C. §§ 2701-2712. The Stored Communications Act is a criminal statute protecting electronic communications, not data breaches.
Opinion Does Not Maintain Protections for Employee Personal Data
The assumption that “gee, data breaches will occur, c’est la vie,” without any analysis of why data breaches occur, any accounting for how to prevent or mitigate them, or any consideration of a business’s potential failure to take adequate precautions because it effectively faces no liability from lawsuits, is staggering–especially in 2017. Unfortunately, Pennsylvanians continue to place their most sensitive personal information at risk simply because they punch the clock.