On November 21, 2018, the Supreme Court of Pennsylvania ruled in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center that an employer owes a duty to employees to use reasonable care to safeguard what the court described as the employee’s “sensitive” personal data when storing it on an internet-accessible computer system. As the first state Supreme Court decision formally recognizing such a duty, the decision could increase the risk for companies facing potential class action litigation arising out of a data breach. The court also held that a negligence claim based on the breach of this duty is not barred by Pennsylvania’s economic loss doctrine, a defense frequently asserted by defendants in such lawsuits.
On June 25, 2014, Dittman and several others filed suit against the University of Pittsburgh Medical Center and UPMC McKeesport (“UPMC”) on behalf of a class of employees. The employees alleged that a data breach had occurred in which their personal and financial information was stolen from UPMC’s computer systems and was used to file fraudulent tax returns. Asserting a negligence claim, among others, the employees contended that UPMC breached its duty to exercise reasonable care to implement security measures to safeguard the information against unauthorized access by third parties. The employees further contended that such a duty existed because UPMC required that the employees provide the information as a condition of their employment.
UPMC filed preliminary objections, claiming that the employees’ claim was barred by the economic loss doctrine, which disallows recovery for purely economic damages. The...