J-A13012-16
2017 PA Super 8
IN THE SUPERIOR COURT OF PENNSYLVANIA
BARBARA A. DITTMAN, GARY R. DOUGLAS, ALICE PASTIRIK, JOANN DECOLATI, TINA SORRENTINO, KRISTEN CUSHMAN AND SHANNON MOLYNEAUX, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED,
Appellants
v.
UPMC D/B/A THE UNIVERSITY OF PITTSBURGH MEDICAL CENTER, AND UPMC McKEESPORT,
Appellees
No. 971 WDA 2015
Appeal from the Order entered May 28, 2015
in the Court of Common Pleas of Allegheny County,
Civil Division, No(s): GD-14-003285
BEFORE: OLSON, STABILE and MUSMANNO, JJ.
DISSENTING STATEMENT BY MUSMANNO, J.: FILED JANUARY 12, 2017
The question before this Court is whether Appellants have stated a
cause of action against UPMC for negligence. More particularly, we must
determine whether UPMC owed Appellants a duty of reasonable care in the
collection and storage of its employees’ personal information and data. After
a discussion of the five factors set forth by our Supreme Court in Althaus
ex rel. Althaus v. Cohen, 756 A.2d 1066 (Pa. 2000), the Majority would
conclude that UPMC owed no duty to Appellants. However, upon review, I
disagree with the Majority’s conclusion.
“[T]o maintain a negligence action, the plaintiff must show that the
defendant had a duty ‘to conform to a certain standard of conduct;’ that the
defendant breached that duty; that such breach caused the injury in
question; and actual loss or damage.” Phillips v. Cricket Lighters, 841
A.2d 1000, 1008 (Pa. 2003). In determining whether a duty of care exists,
we consider
1. the relationship between the parties;
2. the social utility of the actor’s conduct;
3. the nature of the risk imposed and foreseeability of the harm
incurred;
4. the consequences of imposing a duty upon the actor; and
5. the overall public interest in the proposed solution.
Althaus, 756 A.2d at 1169; accord Seebold v. Prison Health Servs.,
Inc., 57 A.3d 1232, 1243 (Pa. 2012). As the Majority correctly states, “[w]e
will find a duty where the balance of these factors weigh in favor of placing
such a burden on a defendant.” Slip Opinion at 6 (internal quotation marks
omitted) (quoting Phillips, 841 A.2d at 1008-09).
The Majority would conclude that the second through fifth factors
weigh against the imposition of a duty upon UPMC. Upon review, however, I
would conclude that the balance of the Althaus factors weighs in favor of
imposing a duty of reasonable care upon UPMC.
Regarding the first Althaus factor, the Majority correctly observes that
the parties had an employer-employee relationship, and that “[t]his type of
relationship traditionally has given rise to duties on the employer.” Slip
Opinion at 7 (citation omitted). Thus, the Majority weighed this factor in
favor of imposing a duty upon UPMC. Id.
Regarding the second and third Althaus factors, the Majority states
that there is “an obvious social utility” in the practice of storing information
electronically. Id. The Majority observes that there is an increased risk in
storing electronic information, and that it is foreseeable that harm from
breaches would be incurred. Id. The Majority recognizes that while the
criminal acts of a third party may constitute a superseding cause,
an actor may still be liable for his negligence[,] despite the
superseding criminal acts of another if, at the time of his
negligent conduct, he realized or should have realized the
likelihood that such a situation might be created and that a third
person might avail himself of the opportunity to commit such a
tort or crime.
Slip Opinion at 7-8 (quoting Mahan v. Am-Guard, Inc., 841 A.2d 1061 (Pa.
Super. 2003)). The Majority ultimately concludes, however, that “[w]hile a
data breach (and its ensuing harm) is generally foreseeable, we do not
believe that this possibility outweighs the social utility of electronically
storing employee information.” Slip Opinion at 8. Thus, the Majority
concludes that the social utility of electronically storing information
outweighs the risk of harm and the foreseeability of such harm. See id. I
believe that the Majority’s conclusion is untenable, given the ubiquitous
nature of electronic data storage, the risk to UPMC’s employees posed by the
failure to reasonably protect such information, and the foreseeability of a
computer breach and subsequent identity theft.
Here, the Appellants claimed that UPMC had failed to use reasonable
care in the storage of their personal information by, inter alia, properly
encrypting the data, establishing adequate firewalls, and implementing an
appropriate authentication protocol. Appellants’ assertions, if proven, would
establish that UPMC knew or should have realized that inadequate electronic
data protections would create a likelihood that its employees’ personal
information would be compromised, and that a third party would avail itself
of the opportunity to steal this sensitive data. See id. Under the
circumstances alleged, the criminal acts of third parties do not relieve UPMC
of its duty of care in the protection of Appellants’ sensitive personal data.
Thus, I would weigh this factor in favor of imposing a duty of reasonable
care upon UPMC.
I also disagree with the conclusion of the Majority that “[n]o judicially
created duty of care is needed to incentivize companies to protect their
confidential information.” Slip Opinion at 9. The Majority would refrain from
imposing a duty based upon a belief that such protection would impose
significant costs upon employers to increase security measures, “when there
is no true way to prevent data breaches altogether.” Id. The Majority
opines that “[t]here are still statutes and safeguards in place to prevent
employers from disclosing confidential information.” Id. (emphasis added).
The Majority places great weight upon the cost to UPMC of imposing a
duty, and the inability to prevent every data breach. However, Althaus
does not require that the proposed duty prevent all harm; rather, the
consequences of imposing a duty of reasonable care are to be weighed. I
would conclude that this factor weighs in favor of imposing a duty, when
considered against the cost to employees (sometimes for years) resulting
from a data breach.
Finally, I disagree with the Majority’s conclusion that the public
interest in imposing a duty weighs in favor of UPMC. While judicial resources
may be expended during litigation of data breaches, the public has a greater
interest in protecting the personal and sensitive data collected and
electronically stored by employers.
Based upon the foregoing, I would reverse the Order of the trial court,
and conclude that UPMC owes a duty of reasonable care to safeguard the
personal information of its employees.