“Common Law Duty to Protect Employee Data Undercuts Contractual Liability Exclusion”

Sexy title, I know.  Here’s the thing – this is a big deal.  Particularly for employers, and likely for any entity that collects and stores personal data, the law in Pennsylvania just changed dramatically.

First, a bit of law 101.  The “economic loss rule” is a legal concept that recognizes the division of the law into essentially two worlds: tort (i.e., negligence) and contract.  Under the rule, no claim exists for negligence that results solely in economic damages without physical injury or property damage.  Example:  You pay a painter to paint your house.  He doesn’t.  You want to sue for everything, including the emotional distress that comes with living in a home the color of which does not reflect the “real you.”  But you (probably) can’t.  Under the economic loss rule, the economic injury suffered when you paid for nothing does not give rise to a negligence claim or to the broader range of damages that may be recoverable in tort.  You’re stuck with a breach of contract claim for your money back and maybe the increased cost of hiring somebody else to paint your house.  There are exceptions and nuances, but that’s all you need to know for this post.

Courts have reached different conclusions as to whether the economic loss rule bars negligence claims for financial losses caused by data breaches.  And some states don’t even recognize an independent tort duty to support a negligence claim for a data breach that is accompanied by physical damage (say, to your hardware).  The United States District Court for the District of Minnesota examined this state-by-state variation in the Target data breach class action.  The court held that, at least as of 2014, negligence claims for data breaches were barred by the economic loss rule in Alaska, California, Illinois, Iowa, Massachusetts and…Pennsylvania.  As for class members from the District of Columbia, Georgia, Idaho, New Hampshire and New York, the law was still sufficiently unsettled in those jurisdictions that their negligence claims survived Target’s motion to dismiss.

Pennsylvania has officially flipped.

On November 21, 2018, the Pennsylvania Supreme Court held in Dittman v. University of Pittsburgh Medical Center that employers have a duty to use reasonable care to protect employee data, and that the economic loss rule does not bar tort recovery for financial damages caused by data breaches.  Dittman is a class action brought on behalf of over 60,000 UPMC employees whose personal information was compromised in a data breach.  The employees claim that UPMC failed to use appropriate information security systems to protect their data (social security numbers, birthdates, financial and health information, etc.).  The trial court dismissed the class’s negligence claims, believing that it is for the legislature and not the courts to establish a new common law duty in the data breach context.  The Superior Court affirmed.  And the Supreme Court reversed, opening the door for plaintiffs to assert negligence claims arising out of data breaches and seriously expanding the scope of data breach liability in the Commonwealth.

But this is an insurance law blog, isn’t it?  Yes, and Dittman has important consequences in the world of cyberinsurance.

You may recall the contractual liability exclusion, and how excited I was when the Fifth Circuit drew a roadmap around it in the Spec’s case.  Most cyberinsurance policies contain language like this: “This insurance does not apply to…’Loss’ on account of any ‘Claim’ made against any ‘Insured’ directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement.  However, this exclusion does not apply to your liability that would have attached in the absence of such contract or agreement.”

Before Dittman, insurers could have argued that employee data is collected and maintained pursuant to the contract of employment, the employee handbook or any of the arguably contractual forms routinely filled out by employees during the on-boarding process.  Application of the contractual liability exclusion would have likely barred coverage for an employee class action suit like the one in Dittman, as there was not yet a clear indication that liability “would have attached in the absence of such contract.”

Dittman, however, makes clear that irrespective of what all that paper says, employers have an independent duty to protect employee data, and the economic loss doctrine is no shield to liability if employers fail to do so.  The Court explained: “Employees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems.  As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar Employees’ claim.”  This language likely renders the contractual liability exclusion inapplicable in this context.

Dittman, on the heels of Spec’s and other cases across the country, reflects a trend of Courts adapting traditional legal frameworks to create, rather than foreclose, liability in the data breach context.  As courts define the contours of data breach liability, in both the tort and contract worlds, these decisions will have profound impacts on cyberinsurance coverage issues.  For employers that have not yet purchased coverage, Dittman warrants a call to your broker.  For any entity that already has coverage, Dittman is the most recent example of the need to examine evolving laws and liabilities at renewal time.