• Allegheny Court Refuses to Recognize Negligence Claim for Data Breach
  • June 12, 2015 | Authors: Mark L. Mattioli; Mary Kate McGrath
  • Law Firm: Marshall Dennehey Warner Coleman & Goggin, P.C. - Philadelphia Office
  • Dittman v. UPMC, C.C.P. Allegheny No. GD-14-003285

    On May 28, 2015, the Honorable Stanton Wettick sustained preliminary objections in Dittman v. UPMC, dismissing all counts in a class action matter brought on behalf of 62,000 employees of the University of Pittsburgh Medical Center (UPMC). The plaintiffs alleged that UPMC failed to enact appropriate cyber security mechanisms, which caused a data breach when hackers infiltrated UPMC’s system and obtained the employees’ personal information, including their names, addresses, social security numbers, banking information and tax information. Judge Wettick also sustained the defendant’s preliminary objections and dismissed the plaintiffs’ claims that UPMC breached a contractual obligation to prevent the data breach.

    Judge Wettick reasoned that Pennsylvania courts should not recognize a common law negligence claim for failure to prevent unauthorized access of computerized information because the Pennsylvania General Assembly ostensibly considered this issue when promulgating the Data Breach Act (73 P.S. Sec. 2301, et seq. (effective June 20, 2006)). The court recognized that the Pennsylvania General Assembly declined to statutorily create both a duty to safeguard computerized information and a private cause of action in the event of a data breach caused by the unauthorized access of computerized information.

    According to Judge Wettick, the plaintiffs’ claims failed to state a prima facie negligence claim under the economic loss doctrine because no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage. Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841 (Pa. 2009). Even if the economic loss doctrine did not preclude a negligence claim in Dittman, Judge Wettick determined that the analysis created by the Pennsylvania Supreme Court under Seebold/Althaus did not warrant the creation at common law of an affirmative duty that would permit recovery in data breach actions. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012). The court pointed out that cyber security attacks are conducted by sophisticated third-party criminals and that there is no safe harbor for entities storing confidential information. The court maintained that the judicial system would be overwhelmed by the hundreds of thousands of potential litigants in data breach claims. The court also determined that a duty could not be appropriately established under a negligence theory because no generally accepted reasonable care standards have been created by experts.

    The court determined that neither private nor non-profit employers would be able to afford the costs associated with data breach lawsuits caused by unauthorized access of computerized information. Singling out health care providers, the Dittman court held:

    I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business.

    Judge Wettick determined that the plaintiffs’ complaint failed to plead with legal sufficiency that the utilization of a superior cyber security protection mechanism would have prevented the data breach at issue. The court concluded its opinion with the determination that there was no contract, whether express or implied, between UPMC and its employees establishing that UPMC agreed to allow its employees to sue the health care system for damages allegedly sustained as a result of a data breach.