Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had no duty of care to protect the compromised information was based upon a thorough analysis of factors the Pennsylvania Supreme Court has established for determining the existence of a duty.  The dissent analyzed the same factors but argued that on balance, they weighed in favor of finding a duty.

A group of UPMC workers brought the suit for negligence and breach of contract in 2014, after personal information of approximately 62,000 employees – including names, birth dates, SSNs, bank information and tax information – was stolen and used to file fraudulent tax returns and steal tax refunds. UPMC had required employees to provide that information as a condition of employment.  According to Plaintiffs, UPMC owed a legal duty to protect their personal information, and failed to do so by failing to “properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols.”  The Court of Common Pleas of Allegheny County (Wettick, J.) disagreed and dismissed the claims, and the Superior Court followed suit.

In doing so, the Superior Court analyzed factors described in Althaus ex. Rel. Althaus v. Cohen, 756 A.2d 116 (Pa. 2000) and reaffirmed in Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012), which determine the existence of a duty of care:

The relationship between the parties;

The social utility of the actor’s conduct;

The nature of the risk imposed and foreseeability of the harm incurred;

The consequences of imposing a duty upon the actor; and

The overall public interest in the proposed solution.

While the Superior Court found that the employer-employee relationship was of a type that typically gives rise to duties, the first factor was the only one that favored imposing a duty on UPMC. The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause. Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations. Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.  Indeed, while the Pennsylvania General Assembly has imposed a duty of notification, it has not felt compelled to impose a duty to safeguard information beyond those already described by statute.

In addition, the Superior Court rejected the breach of contract claim, finding that UPMC had not entered into an implied contract to protect its employees’ information, and there were no indications UPMC intended to enter into such a contract. “Despite their contrary assertions, [Plaintiffs] did not give their information to UPMC for the consideration of its safe keeping, but instead, for employment purposes,” the Court said.