In 2014, a group of employees from the University of Pittsburgh Medical Center (UPMC) filed a class action lawsuit against the organization, claiming that a data breach compromised sensitive personal employee information, including Social Security numbers, tax information, and confidential bank account information. The plaintiffs alleged that UPMC failed to adopt the appropriate security measures, which increased the risk of identity theft and other crimes.
In a landmark decision, the Pennsylvania Supreme Court held that employers have a legal duty to protect employee information that is stored on internet-accessible computer systems. In addition, because the Court limited the economic loss doctrine, claimants can sue for economic losses resulting from a failure to protect their personal data.
According to the plaintiffs involved in the Dittman v. UPMC case, as a condition of employment, they were required to provide certain personal information, including Social Security numbers and bank account information. As a result, the plaintiffs argued that UPMC had a duty to protect their information against the threat of identity theft crimes.
The plaintiffs alleged that UPMC breached this duty by failing to implement effective security measures, including encryption programs, firewalls, and adequate authentication protocols. The plaintiffs sought economic damages for losses associated with fraudulent tax returns, as well as the potential risk of identity theft crimes.
Significance of the Pennsylvania Supreme Court Ruling
The Court’s decision in the Dittman v. UPMC case made the rule of law in Pennsylvania very clear: employers who collect personal data must take reasonable measures to protect that information. The Pennsylvania Supreme Court also adopted a wide interpretation of the economic loss doctrine and found that employees may recover economic losses in a variety of tort actions. Because the Court limited the economic loss doctrine, claimants can now sue for the economic losses resulting from a failure to protect personal data.
The Court’s decision also reflects the rise in cyberattacks and the growing need for improved cybersecurity frameworks. The lower court found that employers should not be held responsible for security breaches that were not preventable. However, the Pennsylvania Supreme Court overturned this argument because companies are now expected to take advantage of the latest cybersecurity systems that protect confidential employee data.
Because of the expansive interpretation of the economic loss doctrine, defendants will not be able to rely on this line of defense to summarily dismiss negligence claims.