Do employers owe a duty to protect employee ESI? State court says ‘no’

Filed under: News

By Joy Waltemath

By Lisa Milam-Perez, J.D.

A university medical center owed no legal duty to protect employees’ confidential electronically stored information from potential data breaches, a divided Pennsylvania Superior Court majority held. The appeals court refused to hold that employers owed such a duty as a matter of law, citing the efficiencies realized by storing such information electronically and concluding that its social utility outweighed the risks of harm brought by breaches. Noting that “the days of keeping documents in file cabinets are long gone,” the appeals court reasoned that employers already had incentive to safeguard employees’ confidential information; they needn’t be held liable for intervening third-party breaches in order to be brought in line (Dittman v. UPMC dba The University of Pittsburgh Medical Center, January 12, 2017, Olson, J.).

Data breach. A data breach compromised the names, social security numbers, salaries, banking and tax information, and other personal data of 62,000 current and former employees of the University of Pittsburgh Medical Center (UPMC). After the digitally stored data—which UPMC required employees to provide as a condition of employment—was accessed and stolen from the UPMC computer system, the employer first announced that only 22 employees were affected; later, it told staff that 27,000 employees were impacted; finally, it acknowledged that the personal data of its entire workforce had been compromised. This class action negligence and breach of contract suit ensued.

Class action. The employees contended that UPMC owed a legal duty to safeguard their information and failed to do so. Specifically, it failed to properly encrypt the personal data, build adequate firewalls, and take other measures to protect the sensitive information in its computer network, and that lapse was a direct and proximate cause of harm: the stolen data was used to file fraudulent tax returns, and some employees had their tax refunds stolen. A separate but overlapping class further alleged that UPMC’s failure to protect their information put them at imminent risk of identity theft in the near future; consequently, they suffered damages in the form of the costs of taking steps to safeguard their private information.

The state trial court dismissed their suit. The negligence and breach of implied contract claims failed as a matter of law because UPMC owed no duty to employees related to the handling of their confidential information, the court held. In its view, there should not be a private negligence cause of action to recover economic damages against employers for third-party theft of confidential information. The appeals court affirmed.

No duty of care. Under Pennsylvania negligence law, courts balance five factors to discern whether a duty of care exists: the relationship between the parties; the social utility of the actor’s conduct; the nature of the risk imposed and foreseeability of the harm incurred; the consequences of imposing a duty upon the actor; and the overall public interest in the proposed solution. The first factor supported imposing a duty, as an employment relationship usually gives rise to such duties on an employer’s part.

Risk vs. reward. There was “obvious social utility” in collecting and storing the employee data electronically. It promotes efficiency for the employer, and the substantial benefit of that efficiency flows downstream to employees and consumers as well. Although the risk of storing such information electronically increases as data breaches (like the one here) become more common, and it was foreseeable that such a breach would cause harm, that risk did not outweigh the benefits. Moreover, the Pennsylvania Supreme Court has held that an entity does not have a duty to guard against the criminal acts of superseding third parties unless it realizes (or should have realized) the likelihood of a criminal breach.

Consequences of imposing a duty. Also, the potential consequences of imposing such a duty weighed against finding a legal duty here. Employers already have an inherent interest in protecting confidential information, and there are statutes currently in place to ensure they do so. “No judicially created duty of care is needed to incentivize companies to protect their confidential information,” the appeals court concluded, rejecting the notion that without such a legal duty, employers are left free to open such information to public viewing.

“We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether,” the court added. Nor would the public interest be served by imposing such a duty, as it would burden the state’s judicial resources.

Economic loss doctrine applied. The appeals court next addressed whether a tort claim for negligence could be maintained when the alleged losses, while admittedly purely economic, result from the breach of a legal duty recognized by common law rather than from a duty arising under a contract. No, according to the state’s economic loss doctrine, which provides that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Citing precedent that created a narrow exemption to this principle, the employees argued they were not barred from recovery under the doctrine merely because their claim sounded in tort rather than contract. But for the exception to apply, there must have been a legal duty, and there was no such duty here, the court reiterated.

No implied contract. The court also rejected the employees’ implied contract theory, finding no merit to their contention that when an employer requires employees to submit sensitive personal information as a condition of employment, an implied agreement exists that the employer will adopt reasonable safeguards to protect it. There was no “objective manifestation” of this intent on the employer’s part to enter into such a contract, so the court wouldn’t know what to “enforce” even if it were inclined to do so, it said. At any rate, there was no consideration supporting the existence of a contract between them.

Concurrence: Tread slowly. Judge Stabile joined in the opinion but wrote separately to note that “in this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution.” He urged that the decision at hand should apply only to the facts pled here. Also, he suggested, while there is clearly social utility in the storage of electronic data, the balancing of utility vs. risk may well shift going forward, “as the foreseeability of harm changes with the evolution and increased use of this technology.”

Dissent: A duty exists. Dissenting, Judge Musmanno thought the balancing of factors already favored imposing a duty on the employer “given the ubiquitous nature of electronic data storage, the risk to UPMC’s employees posed by the failure to reasonably protect such information, and the foreseeability of a computer breach and subsequent identity theft.” If the allegations here were true (that UPMC didn’t encrypt its data, build adequate firewalls around it, or undertake other reasonable protections), that would establish that it “knew or should have realized that inadequate electronic data protections would create a likelihood that its employees’ personal information would be compromised, and that a third party would avail itself of the opportunity to steal this sensitive data.” Under these circumstances, he didn’t think intervening criminal acts should relieve UPMC of its duty to protect the sensitive personal data of its workforce.

Musmanno also rejected the majority’s conclusion that employers didn’t need an added incentive to protect employee ESI, and he balked at the notion that it wouldn’t be appropriate to ask them to take on significant added costs to do so since there was “no true way to prevent data breaches altogether.” He thought the cost burden to employers should be weighed against “the cost to employees (sometimes for years) resulting from a data breach.” Also, he argued the public interest supported imposing a duty. In his view, conserving judicial resources should take a back seat to the greater public interest “in protecting the personal and sensitive data collected and electronically stored by employers.”

Source: Employment Law Daily Newsfeed
