Sexy title, I know. Here’s the thing – this is a big deal. Particularly for employers, and likely for any entity that collects and stores personal data, the law in Pennsylvania just changed dramatically.
First, a bit of law 101. The “economic loss rule” is a legal concept that recognizes the division of the law into essentially two worlds: tort (i.e., negligence) and contract. Under the rule, no claim exists for negligence that results solely in economic damages without physical injury or property damage. Example: You pay a painter to paint your house. He doesn’t. You want to sue for everything, including the emotional distress that comes with living in a home the color of which does not reflect the “real you.” But you (probably) can’t. Under the economic loss rule, the economic injury suffered when you paid for nothing does not give rise to a negligence claim or to the broader range of damages that may recoverable in tort. You’re stuck with a breach of contract claim for your money back and maybe the increased cost of hiring somebody else to paint your house. There are exceptions and nuances, but that’s all you need to know for this post.
Courts have reached different conclusions as to whether the economic loss rule bars negligence claims for financial losses caused by data breaches. And some states don’t even recognize an independent tort duty to support a negligence claim for a data breach that is accompanied by physical damage (say, to your hardware). The United States District Court for the District of Minnesota examined this state-by-state variation in the Target data breach class action. The court held that, at least of 2014, negligence claims for data breaches were barred by the economic loss rule in Alaska, California, Illinois, Iowa, Massachusetts and…Pennsylvania. As for class members from the District of Columbia, Georgia, Idaho, New Hampshire and New York, the law was still sufficiently unsettled in those jurisdictions that their negligence claims survived Target’s motion to dismiss.