Pennsylvania Supreme Court Holds Employers Potentially Liable for Data Breaches

On November 21, 2018, the Pennsylvania Supreme Court held that employers in Pennsylvania owe a legal duty to employees to protect the employee’s data from data breaches. Dittman v. UPMC, No. 43 WAP 2017 (Pa. 2018).

The November 2018 opinion by the Pennsylvania Supreme Court corrected a strongly criticized opinion issued earlier by the Pennsylvania Superior Court. The lower Pennsylvania Superior Court had held that because data breaches will happen, an employer cannot be liable for any breach of employee data.

Dittman involves a class-action lawsuit against a healthcare company arising after an alleged data breach exposing 62,000 employee records including tax information and personal information.

Employers in Pennsylvania Still Owe a Duty to Employees to Protect the Employee’s Data

The Pennsylvania Supreme Court concluded that an employer  has a long-standing and pre-existing duty to protect an employees’ data because when an actor undertakes affirmative conduct, the actor must due so with reasonable care. [14, 16] Simply because the facts involve data or “computer technology”does not change that existing duty.

Also, the Pennsylvania Supreme Court held that third-party criminal acts do not alleviate a duty to exercise reasonable care if the criminal acts are foreseeable, likely, and “within the scope of risk” created by an employer. [See 17-18]  In other words, an employer cannot assert that a cybercriminal’s actions somehow alleviates the employer’s potential liability. [18-19]

Economic Loss Doctrine Finally Corrected

The Pennsylvania Supreme Court also took this opportunity explain and correct a myopic reading of Pennsylvania’s so-called “economic loss” doctrine.

Economic Loss Doctrine is a legal artifice that reputedly to limits filing tort claims in what are primarily contract actions. [E.g., see  28, “[i]f the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action.”] Economic Loss Doctrine basically holds that one cannot recover purely economic damages by pleading a tort claim. A tort claim may open additional remedies including punitive damages which are generally not available in contract. Also, corporations claim that the Economic Loss Rule protects them from run-away verdicts by artificially limiting damages to the contract amount (or contract losses).

For about ten years, some claimed that Excavation Technologies acted as a absolute prohibition for victims despite the the the Bilt-Rite rules [30-31]:

no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.


The Pennsylvania Supreme Court explained that the specific facts in Excavation Technologies do not warrant a broad reading of the above citation. [27-30]  Excavation Technologies relies on the fact that applicable statutes imposed no statutory duty or liability under the facts in Excavation Technologies and that negligent misrepresentation, under Bilt-rite, did not apply because the defendant in Excavation Technologies was not in the business of providing information. [27-30]

Thus, the Pennsylvania Supreme Court in Dittman now resolves the so-called controversy in Bilt-rite and Excavation Technologies by stating that one can recover “purely economic damages” in tort when the claim arises interdependently from contract. How one distinguishes between independent remains unclear–see Concurring and Dissenting Opinion.

Future of Dittman?

The Pennsylvania Supreme Court provides an initial clarification of several issues bedeviling recent cases in Pennsylvania. However, because the original case was on appeal from preliminary objections, no allegations have been proven. Dittman will continue to have life as it proceeds to trial and will continue to be a much-watched case.

Expect to see employers start to demand that employees to enter into a “contract” for employee data to avoid or limit liability under Dittman or expect other artifices rather than employers simply taking reasonable actions to protect employee data.

Previous Comments

Attorney Shannon Brown works with cybersecurity and data law. Shannon previously criticized the lower court’s holding in Dittman in a post titled “Pennsylvania Court’s ‘Cest la Vie’ View of Data Breach Damages.”