Dittman, B., Aplt. v. UPMC
196 A.3d 1036
| Pa. | 2018Background
- A class of current and former UPMC employees alleged a 2014 data breach exposed sensitive personal and financial information of ~62,000 persons, which was then used to file fraudulent tax returns and caused monetary harm.
- Plaintiffs sued UPMC for negligence (and breach of implied contract), alleging UPMC collected and stored required employee data on an internet‑accessible system without reasonable security (encryption, firewalls, authentication) and thus breached a duty to protect it.
- UPMC filed preliminary objections arguing (1) no duty to protect against third‑party criminal acts and (2) the economic loss doctrine bars negligence recovery for purely pecuniary losses absent physical injury or property damage.
- Trial court sustained objections, dismissing negligence claims; Superior Court affirmed in a split decision, concluding no duty and that the economic loss doctrine barred recovery (treating Bilt‑Rite narrowly).
- The Supreme Court of Pennsylvania granted review to decide (a) whether an employer owes a duty to safeguard employee data stored on internet‑accessible systems and (b) whether the economic loss doctrine bars negligence recovery for purely economic harms when the duty arises independently of contract.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether an employer owes a duty to use reasonable care to safeguard employees' sensitive data stored on an internet‑accessible system | Duty arises from UPMC's affirmative act of collecting/storing required employee data; foreseeable risk of cyber theft; duty exists to take reasonable protective measures | No duty because possession of data is nonfeasance; third‑party criminal acts are superseding causes; imposing duty is a major policy decision | Court held a duty exists: collecting and storing employee data on internet‑accessible systems is affirmative conduct that creates a foreseeable risk and imposes a duty to use reasonable care |
| Whether third‑party criminality defeats duty/liability | Criminal acts do not absolve defendant when the defendant’s affirmative conduct created or exposed victims to a foreseeable risk | Cybercriminals are superseding causes and unforeseeable; defendant did not create the risk | Court applied Ford standard: a third‑party act is not superseding if the actor realized or should have realized the likelihood third parties would exploit the risk; here plaintiffs alleged facts sufficient to overcome that defense at this stage |
| Whether Pennsylvania's economic loss doctrine bars negligence claims seeking purely pecuniary damages | Bilt‑Rite supports recovery where a common‑law duty exists independently of contract; economic loss doctrine should not categorically bar tort claims for economic harm | Doctrine bars negligence claims for purely economic loss except narrow Section 552 negligent‑misrepresentation claims (per Excavation Technologies) | Court held economic loss doctrine does not categorically bar negligence claims for purely economic harm where the duty alleged arises independently of contract; Bilt‑Rite’s approach governs |
| Whether Bilt‑Rite and Excavation Technologies foreclose Plaintiffs’ negligence claim | Bilt‑Rite supports tort recovery for economic losses when duty exists independently of contract; Excavation is distinguishable | Excavation narrowed Bilt‑Rite to a narrow exception for professionals supplying information for pecuniary gain | Court reaffirmed Bilt‑Rite’s source‑of‑duty approach and read Excavation as fact‑specific; neither precludes Plaintiffs’ negligence claim here |
Key Cases Cited
- Bilt‑Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270 (Pa. 2005) (adopted Restatement §552 and held economic loss recoverable where duty arises independently of contract)
- Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840 (Pa. 2009) (distinguished Bilt‑Rite; held Section 552 inapplicable to utility marking statute and emphasized statutory/ public‑policy context)
- Ford v. Jeffries, 379 A.2d 111 (Pa. 1977) (third‑party criminal acts are not superseding if the actor realized or should have realized the likelihood third parties would exploit the situation)
- Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012) (explains duty arises where affirmative conduct creates risk and duty inquiry is often presumed when conduct creates risk)
- Tommy L. Griffin Plumbing & Heating Co. v. Jordan, Jones & Goulding, Inc., 463 S.E.2d 85 (S.C. 1995) (source‑of‑duty approach to economic loss doctrine endorsed and relied upon in Bilt‑Rite)