Dittman, B. v. UPMC

Court: Superior Court of Pennsylvania
Date filed: 2017-01-12
Citations: 154 A.3d 318
Combined Opinion
J-A13012-16


                                    2017 PA Super 8

BARBARA A. DITTMAN, GARY R.                           IN THE SUPERIOR COURT OF
DOUGLAS, ALICE PASTIRIK, JOANN                              PENNSYLVANIA
DECOLATI, TINA SORRENTINO, KRISTEN
CUSHMAN AND SHANNON MOLYNEAUX,
INDIVIDUALLY AND ON BEHALF OF ALL
OTHERS SIMILARLY SITUATED,

                            Appellants

                       v.

UPMC D/B/A THE UNIVERSITY OF
PITTSBURGH MEDICAL CENTER, AND
UPMC MCKEESPORT,

                            Appellees                     No. 971 WDA 2015


                  Appeal from the Order Entered May 28, 2015
               In the Court of Common Pleas of Allegheny County
                      Civil Division at No(s): GD14-003285


BEFORE: OLSON, STABILE AND MUSMANNO, JJ.:

OPINION BY OLSON, J.:                                  FILED JANUARY 12, 2017

      Appellants, Barbara Dittman, Gary Douglas, Alice Pastirik, Joann Decolati, Tina Sorrentino, Kristin Cushman, and Shannon Molyneaux, individually and on behalf of all others similarly situated,1 appeal from the May 28, 2015 order sustaining preliminary objections on behalf of UPMC. After careful review, we affirm.

____________________________________________
1 Collectively, we will refer to this group as “Appellants” or “Employees.”

      We summarize the relevant factual background and procedural history as follows. Appellants brought an action for negligence and breach of contract against UPMC after a data breach, wherein the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 UPMC employees and former employees were accessed and stolen from UPMC’s computer systems (“the data breach”). The stolen information was used to file fraudulent tax returns and steal the tax refunds of certain employees. The digitally-stored data consisted of personal information that UPMC required employees to provide as a condition of their employment.

      The exact manner in which the data breach occurred is unknown. The manner in which UPMC announced the data breach to the public and employees suggested that it was unaware of the breach, its scope, or both. In its first confirmation of the data breach in February 2014, UPMC stated that only 22 employees were affected. In March 2014, UPMC reported 322 employees’ information had been stolen. In April 2014, it confirmed that information for up to 27,000 employees was compromised and at least 788 of those employees had been victims of tax fraud. Finally, in May 2014, UPMC announced that the data breach compromised information from all of its employees.

      Appellants assert that UPMC owed a legal duty to protect their personal and financial information. They also allege that UPMC failed to keep their information safe and prevent vulnerabilities in its computer system. Specifically, they allege UPMC failed to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols to protect the information in its computer network. Appellants assert that UPMC’s failure to safeguard their information was the direct and proximate cause of actual damages sustained from the filing of fraudulent tax returns using their stolen information. Appellants further allege that UPMC’s failure to protect their information put them at an increased and imminent risk of becoming victims of identity theft crimes, fraud, and abuse in the future. This resulted in monetary damages incurred to protect themselves and their information.

      Appellants brought actions for both negligence and breach of implied contract. These claims were brought on behalf of two separate but overlapping classes of similarly situated persons. The first proposed class included those current and former employees of UPMC who have already been victimized by identity theft resulting from the data breach. The second proposed class included those individuals whose personal and financial information has been stolen, and who are at an increased and imminent risk of becoming victims of identity theft crimes, fraud, and abuse as a result of the data breach.

      Appellants filed a class action complaint on February 27, 2014, to which UPMC filed preliminary objections on April 30, 2014. Appellants then filed the first amended class action complaint on May 16, 2014. UPMC filed renewed preliminary objections and Appellants responded by filing their second amended class action complaint on June 25, 2014. UPMC again filed preliminary objections, arguing the second amended complaint should be dismissed on the grounds that Appellants lacked standing to assert claims on behalf of individuals who had not yet been injured. UPMC further asserted that Appellants’ negligence and breach of implied contract claims fail as a matter of law. Appellants responded in opposition.

      The parties appeared for oral argument on UPMC’s preliminary objections on October 22, 2014. The trial court then ordered both parties to file supplemental briefs on the issue of whether UPMC owed a duty to its employees with respect to the handling of their personal and financial data which UPMC requires employees produce. On May 28, 2015, the court sustained UPMC’s preliminary objections and dismissed both claims. This timely appeal followed.2

____________________________________________
2 Appellants filed a notice of appeal on June 22, 2015. On June 30, 2015, the trial court ordered them to file a concise statement of matters complained of on appeal (“concise statement”). See Pa.R.A.P. 1925(b). Appellants timely complied on June 21, 2015. The trial court issued its Rule 1925(a) opinion on July 22, 2015.

      Appellants present three issues for our review:

       1. Does an employer have a legal duty to act reasonably in
       managing its computer systems to safeguard sensitive personal
       information collected from its employees, when the employer
       elects, for purposes of its own business efficiencies, to store and
       manage such sensitive employee data on its internet-accessible
       computer system, leaving it vulnerable to computer hackers, in
       the absence of reasonable safeguards?

       2. Can a tort claim for negligence be maintained when the
       alleged losses, while admittedly purely economic in nature,
       result from the breach of a legal duty recognized by common
       law, and not from a duty arising under a contract?

       3. Is there an implied agreement between an employer and its
       employees requiring the employer to act reasonably to safeguard
       its computer systems when the employer requires its employees,
       as a condition of employment, to provide sensitive personal
       information and then elects, for purposes of its own business
       efficiencies, to store and manage such sensitive employee data
       on its internet-accessible computer system, leaving it vulnerable
       to computer hackers, in the absence of such reasonable
       safeguarding?

Appellants’ Brief at 3-4.3

____________________________________________
3 We have re-ordered the issues for ease of disposition.

      In our review of a trial court’s order sustaining preliminary objections in the form of a demurrer, we must consider all well-pleaded facts set forth in the complaint, and all inferences, in the light most favorable to the non-moving party. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1243 (Pa. 2012). Our standard of review is limited to deciding whether, based on the facts and inferences, “the law says with certainty that no recovery is possible.” Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 274 (Pa. 2005). We will reverse the trial court’s order sustaining preliminary objections only if there is a clear abuse of discretion or an error of law. Soto v. Nabisco, Inc., 32 A.3d 787, 790 (Pa. Super. 2011).

      Appellants first argue that the trial court erred in finding that UPMC did not owe a duty of reasonable care in its collection and storage of the employees’ information and data. Appellants’ Brief at 21. Whether a duty exists is a question for the courts to decide. R.W. v. Manzek, 888 A.2d 740, 746 (Pa. 2005). To determine whether a duty of care exists, we look to the five factors set out in our Supreme Court’s decision in Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000) and reaffirmed in Seebold, 57 A.3d at 1243. Those factors are:

      1. the relationship between the parties;

      2. the social utility of the actor’s conduct;

      3. the nature of the risk imposed and foreseeability of the harm
      incurred;

      4. the consequences of imposing a duty upon the actor; and,

      5. the overall public interest in the proposed solution.

Althaus, 756 A.2d at 1169; Seebold, 57 A.3d at 1243. None of the five factors is dispositive. Phillips v. Cricket Lighters, 841 A.2d 1000, 1008 (Pa. 2003). We will find a duty “where the balance of these factors weighs in favor of placing such a burden on a defendant.” Id. at 1008-1009.

      Here, the trial court found the fourth and fifth factors (consequences of imposing a duty and overall public interest in the proposed solution) were controlling and weighed in favor of not imposing a duty on UPMC. Trial Court Opinion, 2/22/2016, at 6. Additionally, the trial court concluded that there should not be a private negligence cause of action to allow recovery of economic damages against employers where confidential information is stolen by third parties in a data breach. Id. at 6, 11.

      The first of the five factors in the Althaus test is the relationship between the parties. Althaus, 756 A.2d at 1169. A duty is “predicated on the relationship that exists between the parties at the relevant time.” Manzek, 888 A.2d at 747. The relationship does not have to be specific or legally defined. Charlie v. Erie Ins. Exchange, 100 A.3d 244, 252 (Pa. Super. 2014). Here, the parties had an employer-employee relationship. This type of relationship traditionally has given rise to duties on the employer. See e.g. Mitchell v. Scharf, 115 A.2d 774 (Pa. Super. 1995). Accordingly, the first factor weighs in favor of imposing a duty on UPMC to protect its employees’ personal information.

      The second factor looks at the social utility of the conduct at issue and is weighed against the third factor, which looks at the nature of the risk imposed and foreseeability of the harm incurred. Althaus, 759 A.2d at 1169-1170. Employers, such as UPMC, have an obvious need to collect and store personal information about their employees. With the increased use of electronics and technology today, it is not surprising that this information is often stored electronically. There is an obvious social utility in this practice to promote efficiency. However, as data breaches become more common, the risk of storing information electronically increases. Also, it is foreseeable that harm from these breaches would be incurred. Our Supreme Court has, however, held that a third party committing a crime is a superseding cause. Ford v. Jeffries, 379 A.2d 111, 115 (Pa. 1977). It is well established that a defendant does not have a duty to guard against the criminal acts of superseding third-parties unless he realized, or should have realized, the likelihood of such a situation. Mahan v. Am-Guard, Inc., 841 A.2d 1052, 1060-1061 (Pa. Super. 2003) (citation omitted).

      While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information. In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data. Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.4 Thus, the second factor of the Althaus test, when weighed against the third factor, augurs against imposing a duty on UPMC.

____________________________________________
4 Following oral argument, Appellants filed an Application to Submit Supplemental Authority drawing this Court’s attention to a recent decision from the United States District Court for the Northern District of Georgia, In re: The Home Depot, Inc. Customer Data Security Breach Litigation, 2016 WL 2897520 (N.D. Ga., May 18, 2016). In that case, the court found that Home Depot, Inc. (“Home Depot”) had an independent duty to customers whose personal information was stolen from Home Depot’s computers because the plaintiffs expressly pled that Home Depot knew about substantial data security risks dating back to 2008. Specifically, the court found that Home Depot had numerous warnings of a problem with its computer systems, including a hacking of the terminals in one of its Texas stores, an infection with data-stealing malware in one of its Maryland stores, and a finding by its outside security consultant that its network was vulnerable to attack and did not comply with industry standards. In the case at bar, Appellants failed to make similar allegations of specific threats and problems with UPMC’s computer system.

      The fourth factor of the Althaus test looks at the consequences of imposing a duty. Althaus, 756 A.2d at 1169. The trial court found this to be a controlling factor and found that it did not support the imposition of a duty. Trial Court Opinion, 2/22/2016, at 6. We agree. As the trial court correctly noted, “data breaches are widespread” and “there is not a safe harbor for entities storing confidential information.” Id. No judicially created duty of care is needed to incentivize companies to protect their confidential information. Appellants are misguided in their assertion that the absence of a legal duty equates to the freedom of UPMC to make employees’ confidential information openly available to the public. See Appellants’ Brief at 33. There are still statutes and safeguards in place to prevent employers from disclosing confidential information. See e.g. 73 P.S. § 2301, et seq., 74 P.S. § 201, et seq., 18 U.S.C. § 2701-2712. We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences. As the trial court correctly found, the fourth factor weighs in favor of not imposing a duty.

      Finally, the last Althaus factor is the public interest in imposing a duty. Althaus, 756 A.2d at 1169. The trial court also found this factor controlling. Trial Court Opinion, 2/22/2016, at 6. In addressing this factor, the trial court noted that creating a duty here would greatly expend judicial resources. Id. at 7. Importantly, it also considered the Pennsylvania General Assembly’s legislative history on this subject and reasoned that the public interest is not served by judicial action that disrupts that deliberative process. The trial court noted:

        The General Assembly has considered and continues to consider
        the same issues that [Appellants] are requesting [the] court to
        consider under the Seebold/Althaus line of cases. The only
        duty that the General Assembly has chosen to impose as of
        today is notification of a data breach. It is not for the courts to
        alter the direction of the General Assembly because public policy
        is a matter for the [l]egislature.

        [The trial court finds] persuasive the [o]pinion of an Illinois
        appellate court in Cooney v. Chicago Pub. Sch., 943 N.E.2d
        23, 28-29 (Ill. App. Ct. 2010), which rejected the plaintiffs’
        request that the court create a new common law duty to protect
        and safeguard confidential information because the [l]egislature
        had already imposed a duty of notification:

          While we do not minimize the importance of protecting this
          information, we do not believe that the creation of a new
          legal duty beyond legislative requirements already in place
          is part of our role on appellate review. As noted, the
          legislature has specifically addressed the issue and only
          required the defendant to provide notice of the disclosure.

Id. at 10 (internal alterations and emphasis omitted). We agree with the trial court’s reasoning and also find Cooney to be persuasive. The fifth factor weighs against finding a duty. Accordingly, the trial court did not err in finding that UPMC owed no duty under Pennsylvania law.

      Despite finding that no duty exists, we will still examine whether the economic loss doctrine applies to the instant case. The economic loss doctrine states that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Adams v. Copper Beach Townhome Cmty., L.P., 816 A.2d 301, 305 (Pa. Super. 2003). Appellants rely on Bilt-Rite, supra for the proposition that a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law. The trial court correctly noted that Bilt-Rite never was intended to weaken or undermine the economic loss doctrine; it was only meant to provide a narrow exception when losses are the result of reliance on the advice of professionals. See Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 177-178 (3d Cir. 2008) (holding that the economic loss doctrine barred a negligence claim resulting from a data breach). The narrow exception articulated in Bilt-Rite does not apply in this case. In order to recover for purely economic loss, Appellants must show that UPMC breached a duty imposed by law. See Bilt-Rite, 866 A.2d at 288. No such duty exists here. Without a duty imposed by law or a legally recognized special relationship, the economic loss doctrine bars Appellants’ claims, which assert purely economic losses. See In Re Target Corp. Data Sec. Breach Litigation, 66 F.Supp.3d 1154, 1175-1176 (D. Minn. 2014) (noting Pennsylvania recognizes a special relationship exception to the economic loss doctrine). Accordingly, the trial court properly found that the Althaus factors did not weigh in favor of imposing a duty on UPMC and that the Bilt-Rite exception to the economic loss doctrine does not apply in the instant case.

      Appellants also claim that the trial court erred when it dismissed their breach of contract claim after finding no implied contract existed between the parties. Specifically, the trial court found that UPMC did not agree to enter into an implied contract to protect Appellants’ personal information. Trial Court Opinion, 2/22/2016, at 11. We agree.

      An implied contract arises “where the parties agree upon the obligations to be incurred, but their intention, instead of being expressed in words, is inferred from their acts in the light of the surrounding circumstances.” Rissi v. Capella, 918 A.2d 131, 140 (Pa. Super. 2007), citing Martin v. Little, Brown, and Co., 450 A.2d 984, 987 (Pa. Super. 1981) (emphasis omitted). Implied contracts arise under circumstances which, “according to the ordinary course of dealing and the common understanding of men, show a mutual intention to contract.” Id., citing Ingrassia Const. Co., Inc. v. Walsh, 486 A.2d 478, 483 (Pa. Super. 1984). When ascertaining the intent of the parties, we must look to the “outward and objective manifestations” of the assent to enter into the contract. Ingrassia Construction Co. v. Walsh, 486 A.2d 478, 482-483 (Pa. Super. 1984).

      Here, Appellants did not allege any objective manifestations of UPMC’s intent to enter into a contract to protect their information. “A court cannot enforce a contract unless it can determine what it is.” Ingrassia Construction Co., 846 A.2d at 484, quoting Corbin on Contracts § 95 (1963). Without any allegations that UPMC intended to enter into a contract to protect Appellants’ information, the trial court did not err in dismissing the breach of contract claim.

      Appellants also rely on McGuire v. Shubert, 722 A.2d 1087 (Pa. Super. 1998). However, this case is distinguishable. The McGuire court implied a duty of confidentiality owed to bank customers based upon the relationship between a financial institution and its depositors. This is a relationship based in contract. Id. at 1090. This is not the same as the at-will relationship that exists between UPMC and Appellants. Thus, McGuire does not apply here.

      Further, the trial court correctly determined that there was no consideration for the alleged implied contract between the parties. Trial Court Opinion, 2/22/2016, at 12-13. Consideration to establish a valid contract, either express or implied, “must be an act, a forbearance, or a return promise bargained for and given in exchange for the promise.” Thomas v. R.J. Reynolds Tobacco Co., 38 A.2d 61, 62 (Pa. 1944), citing Restatement (First) of Contracts § 75. “The promise must induce the detriment and the detriment must induce the promise.” Pennsy Supply, Inc. v. Am. Ash Recycling Corp., 895 A.2d 595, 601 (Pa. Super. 2006) (citations omitted). Despite their contrary assertions, Appellants did not give their information to UPMC for the consideration of its safe keeping, but instead, for employment purposes. Thus, no consideration supports an implied contract between the parties in this case. Accordingly, the trial court did not err in dismissing Appellants’ breach of contract claim.

      Order affirmed. Application to Submit Supplemental Authority granted.

      Judge Stabile files a Concurring Statement in which Judge Olson joins.

      Judge Musmanno files a Dissenting Statement.


Judgment Entered.




Joseph D. Seletyn, Esq.
Prothonotary



Date: 1/12/2017



