The body of cybersecurity case law continues to grow. On April 10, 2018, the Pennsylvania Supreme Court is set to hear arguments regarding employers’ liability for data breaches in Dittman v. UPMC.
Specifically, Pennsylvania’s justices will consider and ultimately decide whether UPMC had a duty to safeguard its employees’ electronic information and whether the economic loss doctrine applies, thus barring recovery for purely economic losses.
Previously, in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), a divided Superior Court of Pennsylvania, in a case of first impression, held that no separate common law duty exists requiring employers to protect and safeguard employees’ personal and financial information from disclosure in a data breach resulting from a third-party intrusion into their computer networks. In a concurring opinion by Justice Stabile, joined by Justice Olson, the Court wrote that the decision “should stand for no more than the conclusion that a legal duty was not found to exist under the facts pled in this case.” Agreeing with the trial court’s reasoning, and reflecting judicial constraint, the concurring opinion further exhorted that courts should “establish precedent slowly and with caution” in rapidly developing areas of law and technology, such as cybersecurity. It also looked to Pennsylvania’s legislature to fill the gap in the law, if any, identified by the claimants in the data breach lawsuit. The Pennsylvania Supreme Court’s decision in this matter will be closely watched throughout the country.
For prior analysis of the Superior Court and Common Pleas decisions in this matter, see the following:
Pennsylvania Court Refuses to Impose New Duty on Employers to Protect PII from Data Breaches