Dittman, B. v. UPMC

J-A13012-16

2017 PA Super 8

BARBARA A. DITTMAN, GARY R. IN THE SUPERIOR COURT OF
DOUGLAS, ALICE PASTIRIK, JOANN PENNSYLVANIA
DECOLATI, TINA SORRENTINO, KRISTEN
CUSHMAN AND SHANNON MOLYNEAUX,
INDIVIDUALLY AND ON BEHALF OF ALL
OTHERS SIMILARLY SITUATED,

Appellants

v.

UPMC D/B/A THE UNIVERSITY OF
PITTSBURGH MEDICAL CENTER, AND
UPMC MCKEESPORT,

Appellees No. 971 WDA 2015

Appeal from the Order Entered May 28, 2015
In the Court of Common Pleas of Allegheny County
Civil Division at No(s): GD14-003285

BEFORE: OLSON, STABILE AND MUSMANNO, JJ.:

OPINION BY OLSON, J.: FILED JANUARY 12, 2017

Appellants, Barbara Dittman, Gary Douglas, Alice Pastirik, Joann

Decolati, Tina Sorrentino, Kristin Cushman, and Shannon Molyneaux,

individually and on behalf of all others similarly situated, 1 appeal from the

May 28, 2015 order sustaining preliminary objections on behalf of UPMC.

After careful review, we affirm.

We summarize the relevant factual background and procedural history

as follows. Appellants brought an action for negligence and breach of
____________________________________________

1
Collectively, we will refer to this group as “Appellants” or “Employees.”
J-A13012-16

contract against UPMC after a data breach, wherein the names, birth dates,

social security numbers, tax information, addresses, salaries, and bank

information of approximately 62,000 UPMC employees and former

employees were accessed and stolen from UPMC’s computer systems (“the

data breach”). The stolen information was used to file fraudulent tax returns

and steal the tax refunds of certain employees. The digitally-stored data

consisted of personal information that UPMC required employees to provide

as a condition of their employment.

The exact manner in which the data breach occurred is unknown. The

manner in which UPMC announced the data breach to the public and

employees suggested that it was unaware of the breach, its scope, or both.

In its first confirmation of the data breach in February 2014, UPMC stated

that only 22 employees were affected. In March 2014, UPMC reported 322

employees’ information had been stolen. In April 2014, it confirmed that

information for up to 27,000 employees was compromised and at least 788

of those employees had been victims of tax fraud. Finally, in May 2014,

UPMC announced that the data breach compromised information from all of

its employees.

Appellants assert that UPMC owed a legal duty to protect their

personal and financial information. They also allege that UPMC failed to

keep their information safe and prevent vulnerabilities in its computer

system. Specifically, they allege UPMC failed to properly encrypt data,

establish adequate firewalls, and implement adequate authentication

-2-
J-A13012-16

protocols to protect the information in its computer network. Appellants

assert that UPMC’s failure to safeguard their information was the direct and

proximate cause of actual damages sustained from the filing of fraudulent

tax returns using their stolen information. Appellants further allege that

UPMC’s failure to protect their information put them at an increased and

imminent risk of becoming victims of identity theft crimes, fraud, and abuse

in the future. This resulted in monetary damages incurred to protect

themselves and their information.

Appellants brought actions for both negligence and breach of implied

contract. These claims were brought on behalf of two separate but

overlapping classes of similarly situated persons. The first proposed class

included those current and former employees of UPMC who have already

been victimized by identity theft resulting from the data breach. The second

proposed class included those individuals whose personal and financial

information has been stolen, and who are at an increased and imminent risk

of becoming victims of identity theft crimes, fraud, and abuse as a result of

the data breach.

Appellants filed a class action complaint on February 27, 2014, to

which UPMC filed preliminary objections on April 30, 2014. Appellants then

filed the first amended class action complaint on May 16, 2014. UPMC filed

renewed preliminary objections and Appellants responded by filing their

second amended class action complaint on June 25, 2014. UPMC again filed

preliminary objections, arguing the second amended complaint should be

-3-
J-A13012-16

dismissed on the grounds that Appellants lacked standing to assert claims on

behalf of individuals who had not yet been injured. UPMC further asserted

that Appellants’ negligence and breach of implied contract claims fail as a

matter of law. Appellants responded in opposition.

The parties appeared for oral argument on UPMC’s preliminary

objections on October 22, 2014. The trial court then ordered both parties to

file supplemental briefs on the issue of whether UPMC owed a duty to its

employees with respect to the handling of their personal and financial data

which UPMC requires employees produce. On May 28, 2015, the court

sustained UPMC’s preliminary objections and dismissed both claims. This

timely appeal followed.2

Appellants present three issues for our review:

1. Does an employer have a legal duty to act reasonably in
managing its computer systems to safeguard sensitive personal
information collected from its employees, when the employer
elects, for purposes of its own business efficiencies, to store and
manage such sensitive employee data on its internet-accessible
computer system, leaving it vulnerable to computer hackers, in
the absence of reasonable safeguards?

2. Can a tort claim for negligence be maintained when the
alleged losses, while admittedly purely economic in nature,
result from the breach of a legal duty recognized by common
law, and not from a duty arising under a contract?
____________________________________________

2
Appellants filed a notice of appeal on June 22, 2015. On June 30, 2015,
the trial court ordered them to file a concise statement of matters
complained of on appeal (“concise statement”). See Pa.R.A.P. 1925(b).
Appellants timely complied on June 21, 2015. The trial court issued its Rule
1925(a) opinion on July 22, 2015.

-4-
J-A13012-16

3. Is there an implied agreement between an employer and its
employees requiring the employer to act reasonably to safeguard
its computer systems when the employer requires its employees,
as a condition of employment, to provide sensitive personal
information and then elects, for purposes of its own business
efficiencies, to store and manage such sensitive employee data
on its internet-accessible computer system, leaving it vulnerable
to computer hackers, in the absence of such reasonable
safeguarding?

Appellants’ Brief at 3-4.3

In our review of a trial court’s order sustaining preliminary objections

in the form of a demurrer, we must consider all well-pleaded facts set forth

in the complaint, and all inferences, in the light most favorable to the

non-moving party. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232,

1243 (Pa. 2012). Our standard of review is limited to deciding whether,

based on the facts and inferences, “the law says with certainty that no

recovery is possible.” Bilt-Rite Contractors, Inc. v. The Architectural

Studio, 866 A.2d 270, 274 (Pa. 2005). We will reverse the trial court’s

order sustaining preliminary objections only if there is a clear abuse of

discretion or an error of law. Soto v. Nabisco, Inc., 32 A.3d 787, 790 (Pa.

Super. 2011).

Appellants first argue that the trial court erred in finding that UPMC did

not owe a duty of reasonable care in its collection and storage of the

employees’ information and data. Appellants’ Brief at 21. Whether a duty
____________________________________________

3
We have re-ordered the issues for ease of disposition.

-5-
J-A13012-16

exists is a question for the courts to decide. R.W. v. Manzek, 888 A.2d

740, 746 (Pa. 2005). To determine whether a duty of care exists, we look to

the five factors set out in our Supreme Court’s decision in Althaus ex. rel.

Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000) and reaffirmed in

Seebold, 57 A.3d at 1243. Those factors are:

1. the relationship between the parties;

2. the social utility of the actor’s conduct;

3. the nature of the risk imposed and foreseeability of the harm
incurred;

4. the consequences of imposing a duty upon the actor; and,

5. the overall public interest in the proposed solution.

Althaus, 756 A.2d at 1169; Seebold, 57 A.3d at 1243. None of the five

factors is dispositive. Phillips v. Cricket Lighters, 841 A.2d 1000, 1008

(Pa. 2003). We will find a duty “where the balance of these factors weighs

in favor of placing such a burden on a defendant.” Id. at 1008-1009.

Here, the trial court found the fourth and fifth factors (consequences of

imposing a duty and overall public interest in the proposed solution) were

controlling and weighed in favor of not imposing a duty on UPMC. Trial

Court Opinion, 2/22/2016, at 6. Additionally, the trial court concluded that

there should not be a private negligence cause of action to allow recovery of

economic damages against employers where confidential information is

stolen by third parties in a data breach. Id. at 6, 11.

-6-
J-A13012-16

The first of the five factors in the Althaus test is the relationship

between the parties. Althaus, 756 A.2d at 1169. A duty is “predicated on

the relationship that exists between the parties at the relevant time.”

Manzek, 888 A.2d at 747. The relationship does not have to be specific or

legally defined. Charlie v. Erie Ins. Exchange, 100 A.3d 244, 252 (Pa.

Super. 2014). Here, the parties had an employer-employee relationship.

This type of relationship traditionally has given rise to duties on the

employer. See e.g. Mitchell v. Scharf, 115 A.2d 774 (Pa. Super. 1995).

Accordingly, the first factor weighs in favor of imposing a duty on UPMC to

protect its employees’ personal information.

The second factor looks at the social utility of the conduct at issue and

is weighed against the third factor, which looks at the nature of the risk

imposed and foreseeability of the harm incurred. Althaus, 759 A.2d at

1169-1170. Employers, such as UPMC, have an obvious need to collect and

store personal information about their employees. With the increased use of

electronics and technology today, it is not surprising that this information is

often stored electronically. There is an obvious social utility in this practice

to promote efficiency. However, as data breaches become more common,

the risk of storing information electronically increases. Also, it is foreseeable

that harm from these breaches would be incurred. Our Supreme Court has,

however, held that a third party committing a crime is a superseding cause.

Ford v. Jeffries, 379 A.2d 111, 115 (Pa. 1977). It is well established that a

-7-
J-A13012-16

defendant does not have a duty to guard against the criminal acts of

superseding third-parties unless he realized, or should have realized, the

likelihood of such a situation. Mahan v. Am-Guard, Inc., 841 A.2d 1052,

1060-1061 (Pa. Super. 2003) (citation omitted).

While a data breach (and its ensuing harm) is generally foreseeable,

we do not believe that this possibility outweighs the social utility of

electronically storing employee information. In the modern era, more and

more information is stored electronically and the days of keeping documents

in file cabinets are long gone. Without doubt, employees and consumers

alike derive substantial benefits from efficiencies resulting from the transfer

and storage of electronic data. Although breaches of electronically stored

data are a potential risk, this generalized risk does not outweigh the social

utility of maintaining electronically stored information. We note here that

Appellants do not allege that UPMC encountered a specific threat of intrusion

into its computer systems.4 Thus, the second factor of the Althaus test,

____________________________________________

4
Following oral argument, Appellants filed an Application to Submit
Supplemental Authority drawing this Court’s attention to a recent decision
from the United States District Court for the Northern District of Georgia, In
re: The Home Depot, Inc. Customer Data Security Breach Litigation,
2016 WL 2897520 (N.D. Ga., May 18, 2016). In that case, the court found
that Home Depot, Inc. (“Home Depot”) had an independent duty to
customers whose personal information was stolen from Home Depot’s
computers because the plaintiffs expressly pled that Home Depot knew
about substantial data security risks dating back to 2008. Specifically, the
court found that Home Depot had numerous warnings of a problem with its
computer systems, including a hacking of the terminals in one of its Texas
(Footnote Continued Next Page)

-8-
J-A13012-16

when weighed against the third factor, augurs against imposing a duty on

UPMC.

The fourth factor of the Althaus test looks at the consequences of

imposing a duty. Althaus, 756 A.2d at 1169. The trial court found this to

be a controlling factor and found that it did not support the imposition of a

duty. Trial Court Opinion, 2/22/2016, at 6. We agree. As the trial court

correctly noted, “data breaches are widespread” and “there is not a safe

harbor for entities storing confidential information.” Id. No judicially

created duty of care is needed to incentivize companies to protect their

confidential information. Appellants are misguided in their assertion that the

absence of a legal duty equates to the freedom of UPMC to make employees’

confidential information openly available to the public. See Appellants’ Brief

at 33. There are still statutes and safeguards in place to prevent employers

from disclosing confidential information. See e.g. 73 P.S. § 2301, et seq.,

74 P.S. § 201, et seq., 18 U.S.C. § 2701-2712. We find it unnecessary to

require employers to incur potentially significant costs to increase security

measures when there is no true way to prevent data breaches altogether.

Employers strive to run their businesses efficiently and they have an

_______________________
(Footnote Continued)

stores, an infection with data-stealing malware in one of its Maryland stores,
and a finding by its outside security consultant that its network was
vulnerable to attack and did not comply with industry standards. In the case
at bar, Appellants failed to make similar allegations of specific threats and
problems with UPMC’s computer system.

-9-
J-A13012-16

incentive to protect employee information and prevent these types of

occurrences. As the trial court correctly found, the fourth factor weighs in

favor of not imposing a duty.

Finally, the last Althaus factor is the public interest in imposing a

duty. Althaus, 756 A.2d at 1169. The trial court also found this factor

controlling. Trial Court Opinion, 2/22/2016, at 6. In addressing this factor,

the trial court noted that creating a duty here would greatly expend judicial

resources. Id. at 7. Importantly, it also considered the Pennsylvania

General Assembly’s legislative history on this subject and reasoned that the

public interest is not served by judicial action that disrupts that deliberative

process. The trial court noted:

The General Assembly has considered and continues to consider
the same issues that [Appellants] are requesting [the] court to
consider under the Seebold/Althaus line of cases. The only
duty that the General Assembly has chosen to impose as of
today is notification of a data breach. It is not for the courts to
alter the direction of the General Assembly because public policy
is a matter for the [l]egislature.

[The trial court finds] persuasive the [o]pinion of an Illinois
appellate court in Cooney v. Chicago Pub. Sch., 943 N.E.2d
23, 28-29 (Ill. App. Ct. 2010), which rejected the plaintiffs’
request that the court create a new common law duty to protect
and safeguard confidential information because the [l]egislature
had already imposed a duty of notification:

While we do not minimize the importance of protecting this
information, we do not believe that the creation of a new
legal duty beyond legislative requirements already in place
is part of our role on appellate review. As noted, the
legislature has specifically addressed the issue and only
required the defendant to provide notice of the disclosure.

- 10 -
J-A13012-16

Id. at 10 (internal alterations and emphasis omitted). We agree with the

trial court’s reasoning and also find Cooney to be persuasive. The fifth

factor weighs against finding a duty. Accordingly, the trial court did not err

in finding that UPMC owed no duty under Pennsylvania law.

Despite finding that no duty exists, we will still examine whether the

economic loss doctrine applies to the instant case. The economic loss

doctrine states that “no cause of action exists for negligence that results

solely in economic damages unaccompanied by physical injury or property

damage.” Adams v. Copper Beach Townhome Cmty., L.P., 816 A.2d

301, 305 (Pa. Super. 2003). Appellants rely on Bilt-Rite, supra for the

proposition that a plaintiff is not barred from recovering economic losses

simply because the action sounds in tort rather than contract law. The trial

court correctly noted that Bilt-Rite never was intended to weaken or

undermine the economic loss doctrine; it was only meant to provide a

narrow exception when losses are the result of reliance on the advice of

professionals. See Sovereign Bank v. BJ’s Wholesale Club, Inc., 533

F.3d 162, 177-178 (3d Cir. 2008) (holding that the economic loss doctrine

barred a negligence claim resulting from a data breach). The narrow

exception articulated in Bilt-Rite does not apply in this case. In order to

recover for purely economic loss, Appellants must show that UPMC breached

a duty imposed by law. See Bilt-Rite, 866 A.2d at 288. No such duty

exists here. Without a duty imposed by law or a legally recognized special

- 11 -
J-A13012-16

relationship, the economic loss doctrine bars Appellants claims, which assert

purely economic losses. See In Re Target Corp. Data Sec. Breach

Litigation, 66 F.Supp.3d 1154, 1175-1176 (D. Minn. 2014) (noting

Pennsylvania recognizes a special relationship exception to the economic

loss doctrine). Accordingly, the trial court properly found that the Althaus

factors did not weigh in favor of imposing a duty on UPMC and that the

Bilt-Rite exception to the economic loss doctrine does not apply in the

instant case.

Appellants also claim that the trial court erred when it dismissed their

breach of contract claim after finding no implied contract existed between

the parties. Specifically, the trial court found that UPMC did not agree to

enter into an implied contract to protect Appellants’ personal information.

Trial Court Opinion, 2/22/2016, at 11. We agree.

An implied contract arises “where the parties agree upon the

obligations to be incurred, but their intention, instead of being expressed in

words, is inferred from their acts in the light of the surrounding

circumstances.” Rissi v. Capella, 918 A.2d 131, 140 (Pa. Super. 2007),

citing Martin v. Little, Brown, and Co., 450 A.2d 984, 987 (Pa. Super.

1981) (emphasis omitted). Implied contracts arise under circumstances

which, “according to the ordinary course of dealing and the common

understanding of men, show a mutual intention to contract.” Id., citing

Ingrassia Const. Co., Inc. v. Walsh, 486 A.2d 478, 483 (Pa. Super.

- 12 -
J-A13012-16

1984). When ascertaining the intent of the parties, we must look to the

“outward and objective manifestations” of the assent to enter into the

contract. Ingrassia Construction Co. v. Walsh, 486 A.2d 478, 482-483

(Pa. Super. 1984).

Here, Appellants did not allege any objective manifestations of UPMC’s

intent to enter into a contract to protect their information. “A court cannot

enforce a contract unless it can determine what it is.” Ingrassia

Construction Co., 846 A.2d at 484, quoting Corbin on Contracts § 95

(1963). Without any allegations that UPMC intended to enter into a contract

to protect Appellants’ information, the trial court did not err in dismissing the

breach of contract claim.

Appellants also rely on McGuire v. Shubert, 722 A.2d 1087 (Pa.

Super. 1998). However, this case is distinguishable. The McGuire court

implied a duty of confidentiality owed to bank customers based upon the

relationship between a financial institution and its depositors. This is a

relationship based in contract. Id. at 1090. This is not the same as the

at-will relationship that exists between UPMC and Appellants. Thus,

McGuire does not apply here.

Further, the trial court correctly determined that there was no

consideration for the alleged implied contract between the parties. Trial

Court Opinion, 2/22/2016, at 12-13. Consideration to establish a valid

contract, either express or implied, “must be an act, a forbearance, or a

- 13 -
J-A13012-16

return promise bargained for and given in exchange for the promise.”

Thomas v. R.J. Reynolds tobacco Co., 38 A.2d 61, 62 (Pa. 1944), citing

Restatement (First) of Contracts § 75. “The promise must induce the

detriment and the detriment must induce the promise.” Pennsy Supply,

Inc. v. Am. Ash Recycling Corp., 895 A.2d 595, 601 (Pa. Super. 2006)

(citations omitted). Despite their contrary assertions, Appellants did not

give their information to UPMC for the consideration of its safe keeping, but

instead, for employment purposes. Thus, no consideration supports an

implied contract between the parties in this case. Accordingly, the trial court

did not err in dismissing Appellant’s breach of contract claim.

Order affirmed. Application to Submit Supplemental Authority granted.

Judge Stabile files a Concurring Statement in which Judge Olson joins.

Judge Musmanno files a Dissenting Statement.

Judgment Entered.

Joseph D. Seletyn, Esq.
Prothonotary

Date: 1/12/2017

- 14 -