Tuesday, July 7, 2015

PA Refuses to Create Duty of Care To Protect Confidential Personal Data


Despite daily "data breaches" and "unauthorized confidential personal and financial information access and disclosure", Pennsylvania presently refuses to recognize any "duty of care" to safeguard against third-party criminal activity.

Instead, in Dittman v. UPMC, No. GD-14-003285 (Allegheny County C.C.P. May 28, 2015), Pennsylvania rejected data breach negligence claims, refusing to provide plaintiffs with a common law basis to pursue "failure to provide reasonable data security protections" claims and damages.

However, because of overwhelming public policy issues and the Dittman opinion's urging that Pennsylvania's Breach of Personal Information Notification Act, 73 P.S. § 2301, et seq. ("Act") be amended to create a private right of action, those collecting and maintaining confidential personal and financial information may soon be liable for failing to employ safeguards against attack.

Dittman v. UPMC Overview

After their names, birthdates, social security numbers, confidential tax information, addresses, salaries, and bank account information were stolen, 62,000 current and former University of Pittsburgh Medical Center (“UPMC”) employees filed a putative class action claiming UPMC's failure to exercise reasonable care to protect and secure this information violated a common law "duty to protect private, highly sensitive, confidential and personal financial information, and tax documents with which it had been entrusted from seizure".

Specifically, arising out of the employee/employer relationship, the Dittman plaintiffs argued that UPMC's duties included designing, maintaining, and testing its security systems to ensure that personal and financial information was adequately secured and protected, including processes that would timely detect a breach of those security systems, and that UPMC failed to meet industry standards in the face of a reasonably foreseeable risk.

In finding that "no common law data breach cause of action" exists, the Allegheny County Court of Common Pleas held that Pennsylvania's economic loss doctrine precludes a negligence claim for monetary loss stemming from a data breach, that public policy considerations militated against creating an affirmative duty of care, and that the Pennsylvania legislature's prior actions evidenced an intent not to impose such a duty.

Specifically, the Court concluded that, when enacting the Data Breach Act, Pennsylvania's General Assembly extensively considered the issues surrounding data breaches and refused to create a common law duty or private cause of action, imposing instead only a notification obligation in the event of a breach.

Dittman v. UPMC Impact

The Dittman v. UPMC decision provides only a temporary reprieve from a duty of care requiring those who collect and maintain confidential personal and financial information to employ reasonable safeguards against attack, and from economic liability for foreseeable wrongdoing. The Dittman opinion simply passed the buck to the Pennsylvania legislature to fashion a remedy.

While the timeline is unclear, in light of the massive accumulation of financial information and inevitable third-party criminal activity, public policy will force information gatherers to conform to a standard of care and shoulder negligence liability for direct and actual damages.

Those who gather and store information need to be designing, maintaining, and testing their security systems to ensure that personal and financial information is adequately secured and protected, including processes that would timely detect a breach of those security systems.