Two Significant Data Breach Cases Moving to Higher Courts

Two significant data breach cases have been appealed, and this past week, it was announced that one will be heard by the Supreme Court of Pennsylvania. The other has been stayed while plaintiffs move for certiorari before the United States Supreme Court.

In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super.  8 (covered previously in The Coverage Inkwell) the Superior Court of Pennsylvania held that an employer did not owe employees an independent duty to protect and safeguard their personally identifiable information (PII) from disclosure in a data breach. In 2014, UPMC sustained a data breach that resulted in the disclosure of PII of approximately 62,000 current and former employees. Lawsuits followed, alleging that UPMC failed to keep plaintiffs’ PII safe and asserting a common-law duty to protect the information. The trial court dismissed the lawsuit and the Superior Court affirmed, holding that there was no common-law duty (based on negligence) for an employer to protect employee PII from disclosure by a data breach.

Explaining their decisions, both trial and appellate court reasoned that there was no need to incentivize companies into protecting PII by permitting recovery for a data breach under a common-law duty of care. The courts recognized that the costs of responding to a data breach, both financial and reputational, were severe enough to motivate companies to protect PII. One federal court decision, Enslin v. The Coca-Cola Company, et al, No. 2:14-cv-06476 (E.D. Pa. 2017), reached the same conclusion based on Dittman. The Supreme Court of Pennsylvania has now agreed to hear the Dittman case.

In Attias v. CareFirst, Inc., No. 16-7108 (D.C. Cir. 2017), the United States Court of Appeals for the District of Columbia Circuit granted an unopposed stay of its decision to permit CareFirst to appeal the court’s decision to the United States Supreme Court. In CareFirst, the court held that a class action alleging injuries of increased risk of identity theft from a data breach of personal health information (PHI) satisfied Article III standing under Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016). The decision garnered attention because the D.C. Circuit reasoned its decision in part on the type and sensitivity of the information compromised. The court observed:

CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their social security and credit card numbers were accessed by a network intruder, and, drawing on ‘experience and common sense,’ we agree.

The court also reasoned that the “combination of members’ names, birth dates, email addresses and subscriber identification number[s] alone qualifies as personal information, and the unauthorized access to said combination of information creates a material risk of identity theft.” Based on this analysis, the Court concluded that “a substantial risk of harm exists already, simply be virtue of the hack and the nature of the data that the plaintiffs allege was taken.”

Whether the supreme courts affirm or reverse these decisions, they will be significant in the development of duties of care and Article III standing for data breach litigation.