Pennsylvania court finds UPMC not liable for data breach
The Pennsylvania Superior Court has ruled that the University of Pittsburgh Medical Center has no duty under state law to protect employee information and upheld the dismissal of a class action lawsuit against the health system.
The ruling, which is in response to a February 2014 incident that eventually affected all of UPMC’s 62,000 current and former employees, has ramifications not just for healthcare organizations, but for all businesses in the state, observers say.
Data compromised in the breach included names, dates of birth, Social Security numbers, tax information, addresses, and salary and bank information. In April 2014, UPMC confirmed that information for as many as 27,000 employees had been compromised, with at least 788 employees becoming victims of tax fraud, and a month later confirmed that the information of all its employees had been compromised, according to court filings.
Attorneys for the employees argued in court that UPMC had a legal duty to protect employee information and that the organization had failed to properly encrypt data, establish firewalls or implement appropriate user authentication protocols.
A trial court ruled that UPMC did not owe a duty of reasonable care in collecting and storing employee information. The Superior Court agreed, noting that electronic storage of data is now pervasive and has an obvious social utility in promoting efficiency. Further, the Superior Court said in its opinion that the only duty Pennsylvania's legislature has imposed on companies in the state is notification of a data breach, and that it is not for the courts to alter the direction of the legislature, because public policy is a matter for the legislature.
“While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information,” the Superior Court noted in its decision. “In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data.”
The Superior Court went further, saying that a judicially created duty of care is not needed to give companies an incentive to protect the confidential information they hold. “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently, and they have an incentive to protect employee information and prevent these types of occurrences.”
The appellants, the court ruled, did not give their information to UPMC in exchange for its safekeeping but for employment purposes. The full ruling is available here.