Pennsylvania Supreme Court Rules In Favor Of Data Breach Plaintiffs

Pennsylvania Supreme Court Rules In Favor Of Data Breach Plaintiffs

December 14, 2018 Business Insurance and Risk Management, The Beacon Blog 0 Comments

Todd Rowe of law firm Tressler LLP has posted a Supreme Court decision last month finding a duty for employers to safeguard employees’ personal information. The case is Dittman v. The Univ. of Pittsburgh Medical Center, decided 11/21/18. This was a class action alleging the Medical Center breached the personal information of its 62,000 employees, who were required to provide personal information as a condition of their employment. The employees claimed this information was used (by third party criminals) to file fraudulent tax returns.

The Supreme Court made two holdings:

  • An employer has a duty to use reasonable care to safeguard employee personal information. The Medical Center claimed it was not responsible for a third party breach and did not create the risk of harm. The Court rejected this position and found the Medical Center did not take adequate security measures.
  • The “economic loss” doctrine did not bar recovery for damages. The Medical Center’s duty to secure employee personal information was independent of any contractual obligation to its employees.

The Court did not directly address the factual question of whether there was a casual link between the breach and employee allegations.

The implications of this decision are that organizations are at risk of suits for failure to provide adequate security for personal information. It is a safe assumption that the duty recognized in Dittman will be applied to anyone’s protected personal information, not just employees. All organizations should strive for data security that meets best practices. As a backup, purchase Cyber insurance to cover security and privacy liability (including coverage for class action suits) and costs of breach notification and monitoring.


About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.