BARBARA A. DITTMAN, GARY R. DOUGLAS, ALICE PASTIRIK, JOANN DECOLATI, TINA SORRENTINO, KRISTEN CUSHMAN AND SHANNON MOLYNEAUX, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED, Appellants v. UPMC D/B/A THE UNIVERSITY OF PITTSBURGH MEDICAL CENTER, AND UPMC McKEESPORT, Appellees
The question before this Court is whether Appellants have stated a cause of action against UPMC for negligence. More particularly, we must determine whether UPMC owed Appellants a duty of reasonable care in the collection and storage of its employees' personal information and data. After a discussion of the five factors set forth by our Supreme Court in Althaus ex. Rel. Althaus v. Cohen, 756 A.2d 1066 (Pa. 2000), the Majority would conclude that UPMC owed no duty to Appellants. However, upon review, I disagree with the Majority's conclusion.
“[T]o maintain a negligence action, the plaintiff must show that the defendant had a duty “to conform to a certain standard of conduct;” that the defendant breached that duty; that such breach caused the injury in question; and actual loss or damage.” Phillips v. Cricket Lighters, 841 A.2d 1000, 1008 (Pa. 2003). In determining whether a duty of care exists, we consider
1. the relationship between the parties;
2. the social utility of the actor's conduct;
3. the nature of the risk imposed and foreseeability of the harm incurred;
4. the consequences of imposing a duty upon the actor; and
5. the overall public interest in the proposed solution.
Althaus, 756 A.2d at 1169; accord Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1243 (Pa. 2012). As the Majority correctly states, “[w]e will find a duty where the balance of these factors weigh in favor of placing such a burden on a defendant.” Slip Opinion at 6 (internal quotation marks omitted) (quoting Phillips, 841 A.2d at 1008-09).
The Majority would conclude that the second through fifth factors weigh against the imposition of a duty upon UMPC. Upon review, however, I would conclude that the balance of the Althaus factors weighs in favor of imposing a duty of reasonable care upon UPMC.
Regarding the first Althaus factor, the Majority correctly observes that the parties had an employer-employee relationship, and that “[t]his type of relationship traditionally has given rise to duties on the employer.” Slip Opinion at 7 (citation omitted). Thus, the Majority weighed this factor in favor of imposing a duty upon UPMC. Id.
Regarding the second and third Althaus factors, the Majority states that there is “an obvious social utility” in the practice of storing information electronically. Id. The Majority observes that there is an increased risk in storing electronic information, and that it is foreseeable that harm from breaches would be incurred. Id. The Majority recognizes that while the criminal acts of a third party may constituted a superseding cause,
an actor may still be liable for his negligence[,] despite the superseding criminal acts of another if, at the time of his negligent conduct, he realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.
Slip Opinion at 7-8 (quoting Mahan v. Am-Guard, Inc., 841 A.2d 1061 (Pa. Super. 2003)). The Majority ultimately concludes, however, that “[w]hile a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information.” Slip Opinion at 8. Thus, the Majority concludes that the social utility of electronically storing information outweighs the risk of harm and the foreseeability of such harm. See id. I believe that the Majority's conclusion is untenable, given the ubiquitous nature of electronic data storage, the risk to UPMC's employees posed by the failure to reasonably protect such information, and the foreseeability of a computer breach and subsequent identity theft.
Here, the Appellants claimed that UPMC had failed to use reasonable care in the storage of their personal information by, inter alia, properly encrypting the data, establishing adequate firewalls, and implementing an appropriate authentication protocol. Appellants' assertions, if proven, would establish that UPMC knew or should have realized that inadequate electronic data protections would create a likelihood that its employees' personal information would be compromised, and that a third party would avail itself of the opportunity to steal this sensitive data. See id. Under the circumstances alleged, the criminal acts of third parties do not relieve UPMC of its duty of care in the protection of Appellants sensitive personal data. Thus, I would weigh this factor in favor of imposing a duty of reasonable care upon UPMC.
I also disagree with the conclusion of the Majority that “[n]o judicially created duty of care is needed to incentivize companies to protect their confidential information.” Slip Opinion at 9. The Majority would refrain from imposing a duty based upon a belief that such protection would impose significant costs upon employers to increase security measures, “when there is no true way to prevent data breaches altogether.” Id. The Majority opines that “[t]here are still statutes and safeguards in place to prevent employers from disclosing confidential information.” Id. (emphasis added).
The Majority places great weight upon the cost to UPMC of imposing a duty, and the inability to prevent every data breach. However, Althaus does not require that the proposed duty prevent all harm; rather, the consequences of imposing a duty of reasonable care are to be weighed. I would conclude that this factor weighs in favor of imposing a duty, when considered against the cost to employees (sometimes for years) resulting from a data breach.
Finally, I disagree with the Majority's conclusion that the public interest in imposing a duty weighs in favor of UPMC. While judicial resources may be expended during litigation of data breaches, the public has a greater interest in protecting the personal and sensitive data collected and electronically stored by employers.
Based upon the foregoing, I would reverse the Order of the trial court, and conclude that UPMC owes a duty of reasonable care to safeguard the personal information of its employees.
DISSENTING STATEMENT BY MUSMANNO, J.: