Now a business that was hacked may be successfully sued under state common law by data subjects whose information was compromised in the crime. For the first time, a state supreme court has held that a company that was victimized by hackers can also be successfully sued for damages under state negligence law by people whose data was compromised in the hack.

The Pennsylvania Supreme Court has determined that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an internet-accessible computer system (Dittman v. UPMC, No. 43 WAP 2017, Pa., Nov. 21, 2018). The court held that failure to do so can be negligent, and employees may recover damages that are solely economic in nature (without physical injury or property damage).

The trial court had been concerned that such a finding could open the floodgates of lawsuits, creating a private negligence cause of action to recover actual damages from data breaches. The state’s highest court has now opened the door to such a deluge. This holding has potentially wide-reaching effects on cybersecurity litigation in Pennsylvania and elsewhere.

A class of University of Pittsburgh Medical Center (UPMC) employees sued UPMC in 2014 over the theft of sensitive personal information. They claimed the compromised information included names, birth dates, Social Security numbers, addresses, tax forms, and bank account information of 62,000 current and former UPMC employees. The stolen information, which they were required to provide to their employer as a condition of employment, was apparently used to file fraudulent tax returns, resulting in actual monetary damages to the employees. The employees claimed this amounted to employer negligence.

To establish negligence, the employees argued that their employer had a duty to exercise reasonable care to protect employee personal data from theft and misuse, including a duty to secure the information in light of the special employer-employee relationship. In this case, the employer was alleged to have violated that duty by failing to adopt and maintain adequate data security. Specifically, the employees claimed that the employer failed to take industry-standard measures such as encrypting sensitive data and maintaining adequate firewalls to repel intruders from its servers. The employees contended that these omissions were a direct and proximate cause of the damages they suffered from the filing of fraudulent tax returns in their names.

Both lower courts had determined that the employer did not owe the duty claimed by the employees under Pennsylvania law. The supreme court reviewed the matter de novo (anew) as a matter of law, rejected the premise that it was creating a “new, affirmative duty” under common law, and instead held that it was applying the “existing [employer] duty to a novel factual scenario.” The criminal acts of the thieves did not relieve the employer of responsibility for the foreseeable risk of a data security breach that it created through inadequate security measures for information it required employees to provide.

It appears the employer in this case largely failed to have a cybersecurity program. The outcome might have differed if the employer had had better security. What constitutes adequate security is likely a factual question to be determined in a “battle of experts” in the course of litigation, which could increase litigation costs. What makes this case groundbreaking, however, is the very fact that an employer now has to worry about its security as a legal matter. Whether this case proves persuasive in other states remains to be seen, but states are increasingly “copying” one another on data security matters, and this case could have wide-reaching effects.