Pennsylvania Supreme Court Permits Negligence Claim To Proceed In Data Breach Class Action

Will Other States Follow?

12.10.2018

In finding a common law duty to protect employees’ personal data, the Pennsylvania Supreme Court has unexpectedly, and dramatically, altered the contours of the data breach litigation landscape.

In Dittman v. UPMC, hackers penetrated the University of Pittsburgh Medical Center (UPMC) computer systems. They obtained the personal information of 62,000 current and former employees. The data included names, birthdays, Social Security numbers, addresses, salaries, bank, and tax information. The hackers used this data to file fraudulent tax returns and steal tax refunds.

The affected employees sued, arguing that UPMC had a duty of care to secure their personal data. It had allegedly breached that duty by not protecting its computer systems. They insisted UPMC should have implemented measures such as proper firewalls, data encryption, and authentication protocols. They also pointed out that UPMC required their personal data as a condition of employment.

The employee arguments did not gain traction in the lower courts. The lower courts found no statutory or policy rationale for a duty to protect data. Nor was there a common law duty in such a scenario. The Pennsylvania Supreme Court agreed to consider the matter, and reversed. Three points stand out from the decision.

First, the court found that the duty to protect data stemmed from common law negligence doctrine. UPMC had “a legal duty to exercise reasonable care to safeguard” personal data stored on accessible systems.

While it did not discuss the technical measures that would establish the standard of care, the court did cite the allegation that UPMC did not provide “proper encryption, adequate firewalls, and an adequate authentication protocol.” Those actions affirmatively increased exposure to a data breach.

Dittman opens the doors to more suits stemming from a common law duty to protect data. Since the court’s analysis hinged on classic tort law rather than the employment relationship, plaintiffs will rely on this reasoning in future cases. While it is too early to state that the floodgates have opened, hacked corporate defendants can expect a surge in litigation.

Second, Dittman reflects evolving expectations. The lower courts had stressed the lack of generally accepted standards of care for cybersecurity in finding no duty. But the Pennsylvania Supreme Court turned this around, pointing to a reasonable and prevailing expectation of affirmative measures to protect personal data.

Finally, the holding will command the attention of smaller entities and their insurers. Smaller corporations, with limited information technology resources, tend to be more vulnerable to hackers. The removal of the economic loss doctrine also makes it harder to obtain threshold dismissals of class action complaints.

Taken together, these factors encourage the prudent company to undertake affirmative measures proactively on both the technical and legal fronts to safeguard corporate interests. At a minimum, companies should consult with counsel to ensure that their defenses track the applicable standard of care.

After all, UPMC may be the first hospital or large entity to face a negligence class action stemming from a breach, but it will most assuredly not be the last.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
