Data Security Snafu not Negligent
It was a true data security horror story. Hackers, according to a recent appeals court opinion in Pennsylvania, accessed and stole confidential information of 62,000 employees and former employees of the University of Pittsburgh Medical Center (UPMC). The information included names, birth dates, social security numbers, tax information, addresses, salaries, and bank information which employees were required to provide to UPMC. Thieves used the stolen data to file fraudulent tax returns and abscond with employees’ tax refunds; at least 788 employees were victims of tax fraud.
UPMC never learned exactly how the data breach occurred, and in the beginning, had trouble wrapping its arms around the extent of the breach. UPMC announced the consequences of the hack on five occasions over the following few months, and each time the number of employees reportedly affected quickly escalated: 22 employees, then 322, then 27,000, then finally 62,000 (all of UPMC’s employees).
Employees filed a class action lawsuit against UPMC for negligence and breach of an implied contract to keep employee information safe. They alleged that UPMC failed to protect information on its computer networks by failing to adequately encrypt data, establish firewalls, and implement authentication protocols, resulting in actual harm and risk of future harm to the employees. The trial court dismissed the case, which the employees appealed to the Pennsylvania Superior Court.
Determining Duty or Blame
A divided majority of judges on the appeals court ruled that UPMC could not have been legally negligent in protecting its employees from a data breach because the company did not have a duty to safeguard their data from hackers.
Judge Olson noted that even though the law does impose many duties on employers to protect employees, the law does not clearly spell out that these duties include safeguarding employee data. Employers, Judge Olson explained, generally have no duty to guard against third-party criminal acts like hacking unless the employer knew or should have known the criminal act was likely.
In this case, UPMC did not know that hacking was likely because there was no evidence the center had been aware of “a specific threat of intrusion into its computer systems,” Judge Olson wrote. It is not clear from the UPMC opinion whether the employees entered into evidence, or Judge Olson otherwise considered, other incidents of data breaches involving UPMC in 2013, May 2015, and June 2015.
Consequences & Incentives
“No judicially created duty of care is needed to incentivize companies to protect their confidential information,” Judge Olson opined, explaining that “[w]e find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether.” “Employers,” Judge Olson concluded, “strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.”
On the issue of whether there was an implied employment contract to protect employee data, Judge Olson noted that there had been no agreement to protect employee data, and that the employees “did not give their information to UPMC for the consideration of its safe keeping, but instead, for employment purposes.”
Judge Stabile wrote separately to emphasize that while he concurred with Judge Olson’s conclusions, the ruling was narrow and based on the facts. For example, if the employees had alleged “specific threats and problems with UPMC’s computer system,” the result may have differed. Judge Stabile also stated that the analysis of future cases could change depending on the evolution of data storage technology protections.
Judge Musmanno dissented, and would have imposed a duty of reasonable care on UPMC (and allowed the negligence lawsuit to go forward). Since UPMC’s systems were vulnerable, Judge Musmanno explained, the harm to the employees was foreseeable and hence a duty to protect employee data should have been imposed. [Dittman v. UPMC (PA SC 2017) no. 971 WDA 2015]
Evolving Situations & Standards
The court in Dittman took pains to analyze the lack of foreseeability of the data breach at UPMC. But the unforeseen consequences of a data security snafu may be worse than a foreseeable one. Examples include a data breach at Yahoo calling into question Verizon’s $5 billion agreement to buy the company, and a credit union’s decision to temporarily decline credit and debit cards at Wendy’s after the franchise suffered a serious data breach.
The law on this issue remains in flux. For example, the New York Cybersecurity Regulations have been delayed and will soon look different than they did in proposal form. The Federal Trade Commission (FTC) has litigated against lax data security as an unfair practice. However, as we wrote previously in the context of the EU Privacy Shield:
Some experts have doubts about the viability of data breach claims as it has been hard for plaintiffs to prove damages. This perspective is particularly apt after Spokeo Inc. v. Robins where the US Supreme Court confirmed that victims have to prove they suffered an actual injury, or will likely suffer injury, as a result of a data breach even if a company’s security measures were unreasonable.
Regardless of whether negligence actions hold up in court, new notification rules are coming into play, including in California (requiring notification of unauthorized access to encrypted data) and in Massachusetts (the Office of Consumer Affairs and Business Regulation plans to post online information about data breaches going back to 2007). These laws put companies with lax data security in a double-bind: on the one hand, they are required to notify the public of breaches; on the other, they may face internal pressure not to comply with these laws to protect their reputations.
But minimizing, or worse, ignoring a data breach often winds up courting worse consequences than dealing with it right away. Better yet, smart companies are making cybersecurity a top priority and proactively building consumer and employee safeguards even when the law is less than crystal clear.
LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.