PA Court Nixes Negligence Claims in Data Breach Litigation

As we have previously noted, litigants and jurists alike often turn to conventional causes of action when considering the viability of data security claims – not the least of which has been common law negligence.  In so characterizing these claims, plaintiffs seeking recovery for the unauthorized disclosure of their personally identifiable information (PII) have come to anticipate, as well as aptly challenge, rote objections to standing that are likely to become less effective as the salience of data privacy litigation grows.  In Pennsylvania, however, recent claimants have encountered an even more fundamental bar to recovery.

In Dittman v. UPMC, a putative class of employees of the University of Pittsburgh Medical Center (UPMC) commenced suit against their employer in the wake of a data breach sustained in 2014 that resulted in the unauthorized disclosure of PII including names, birthdates, Social Security numbers, tax information and bank account identifiers.  Specifically, the class alleged that the 2014 data breach affected roughly 62,000 workers, and occurred as a result of UPMC’s failure to recognize network vulnerabilities and implement technical safeguards within the system.  In advancing these particular allegations, the class couched its complaint against UPMC under theories of common law negligence and breach of contract, emphasizing in both instances UPMC’s special position as a data controller entrusted with sensitive PII by virtue of the employer-employee relationship.

With respect to the negligence cause of action, UPMC unsurprisingly challenged the legal sufficiency of the class’s claims by arguing that the employer did not owe an actionable duty to protect or safeguard the PII.  To that end, UPMC cited Pennsylvania’s 2006 Breach of Personal Information Notification Act and contended that the statute established the entirety of a data controller’s duty to its data subjects by merely requiring breach notification.  UPMC also noted that in enacting the 2006 Act, the Commonwealth General Assembly did not vest a private right of action under the statute, but instead reserved all enforcement for the Office of Attorney General.

Hon. R. Stanton Wettick, Jr. of the Court of Common Pleas, Allegheny County, distilled the class’s theory of liability to the question of whether UPMC owed a duty of care to employees who were economic victims of third-party criminal activity.  Judge Wettick explained that Pennsylvania’s economic loss doctrine generally precludes negligence actions where the claimed loss is unaccompanied by physical injury or property damage.  Consequently, the purely economic harm alleged by the UPMC class did not warrant imposing a legal duty notwithstanding the economic loss doctrine, and the negligence claims were dismissed from the suit.

While the application of the economic loss doctrine in Dittman raises significant questions regarding whether PII should be more appropriately characterized as a property interest for the purposes of data privacy litigation, perhaps more intriguing are Judge Wettick’s comments regarding the consequences of imposing a legal duty on data controllers to safeguard sensitive information.  In particular, Judge Wettick’s opinion relies heavily on the perception that the public interest would not be served by an uptick in privacy litigation.  Essentially, Judge Wettick’s opinion views the increasing volume of data privacy litigation, coupled with the current absence of a judicially developed standard of care, as reason enough to prevent claimants from seeking redress under the common law.  With all due apologies, however, this contentious interpretation of data security litigation is sure to meet significant debate in both the appellate courts and the legislature as the public’s awareness of its digital privacy rights grows in proportion with the exponential rise in breaches.

Thanks to Adam Gomez for his contribution.  Please email Brian Gibbons with any questions.