PA Judge: UPMC Not Negligent in Data Breach

Worried about liability for a data breach?

A recent Pennsylvania court opinion may assuage your concerns.

On May 28th, a Pennsylvania judge dismissed a class action negligence claim against UPMC, which arose from the 2014 data breach that compromised the personally identifiable information (“PII”) of approximately 62,000 UPMC employees.  Among the information that was stolen were social security numbers, bank account information, and tax information.  The class action lawsuit alleged that UPMC had a duty to protect this information from third-party criminal activity.  In other words, like a car accident, the plaintiffs claimed that UPMC was negligent in its handling of their PII.

The judge based his decision to dismiss this negligence claim on public policy reasons.  The judge began by noting that data breaches are widespread, they occur because of the criminal activity of third persons, and there is no safe harbor for entities storing PII.  If Pennsylvania courts allowed negligence lawsuits from individuals whose PII was compromised in a data breach, the judge stated that this would have disastrous consequences.  Possibly hundreds of thousands of claims would be filed each year, and countless for-profit and non-profit entities would be force to expend substantial resources responding to the lawsuits.  These were consequences that the judge did not want the Commonwealth to suffer.

Additionally, the judge noted how the Pennsylvania Legislature had already considered these issues and had not authorized private lawsuits.  In fact, the only legislation covering the issue requires entities that suffer a breach to provide notification to the individuals whose PII was compromised.  Through this statute, the Legislature also gave the Office of the Attorney General the power to bring an action against entities that violate this notice requirement.

While this decision is encouraging for businesses and non-profits, you should know that this decision does not mean the elimination of all liability for data breaches.  Here are some of the reasons why:

• Appeal: This is only the trial court.  This decision is likely to be appealed, so this may not be the final word on these negligence claims.
• Other PA Judges & Other States: This decision comes from one judge in Allegheny County.  While this opinion may be persuasive, judges in Erie County or in New York state do not have to abide by this decision. 
• Other Lawsuit Claims: While most data breach lawsuits allege negligence as the main claim, these lawsuits make other arguments as well, such as breach of contract and consumer fraud claims.  In this case, the plaintiffs allege that there was an implied contract between UPMC and its employees in which UPMC agreed to safeguard the employees’ PII.  The judge dismissed this claim, as well, saying that UPMC had never agreed to such responsibility.
• Statutory Duties: As noted in the judge’s opinion, Pennsylvania state law requires entities that have suffered a breach to notify the individuals’ who had their information compromised.  A failure to abide by these notification requirements could result in penalties from the Attorney General.  Just about every state has one of these data breach notification laws.  This means that you have to abide by the rules of those states in which your customers or employees reside.
  

As demonstrated above, you may still face some liability for a data breach, so you should be taking necessary preventative measures to safeguard data, particularly that of individuals.

If you have questions about your legal responsibilities in the wake of a data breach, please contact our office at 814-870-7600 or complete this form on our website.