I received a press release a few days ago that I found very distressing and the more I looked into things the worse it got. I wrote an article about it (here) but it still nagged at me so here’s another take.
Ballard Spahr LLP is a law firm that, among other things, helps companies deal with cyber-crime compliance issues and litigation. They sent out a press release dealing with a Pennsylvania judge’s recent dismissal of a class action lawsuit filed against the University of Pittsburgh Medical Center (UPMC). The lawsuit was filed on behalf of 62,000 UPMC employees whose birthdates, Social Security numbers, confidential tax information, addresses, salaries and bank account information were stolen by cyber-criminals who hacked the university networks.
The suit claimed that UPMC had a common law duty to protect its employees’ sensitive personal data and that UPMC should, at a minimum, pay for credit monitoring and identity theft services.
Judge R. Stanton Wettick, Jr. threw the case out on the ground that there is no ‘common law duty’ to protect sensitive data. “As of this date, the only legislation which the General Assembly has chosen to enact requires entities that suffer a breach of their security systems to provide notification,” he stated.
He also pointed out that fear of potential identity theft is not enough to warrant an award of damages: you have to prove actual loss.
The Ballard Spahr press release also added, “Most state courts examining the issue have found, like Judge Wettick, that there is no common law duty to provide adequate and reasonable data security.”
At first I was outraged at the judge, but then I spoke to a retired lawyer friend of mine about this and he agreed with the judge’s ruling. He pointed out that, even though it may sound silly, the fact is the court can only make decisions on laws that have been enacted by legislative branches of government; the courts can’t make up new laws, they can only make rulings based on existing laws.
In the state of Pennsylvania (and most other states) there are no laws governing data security or how to deal with data breaches. Where any law exists at all it is extremely limited, as in Pennsylvania, where the only requirement is that companies that have been hacked ‘provide notification.’
The UPMC case is not like celebrity nude photos being stolen from compromised Facebook accounts. Those 62,000 UPMC employees did not sign up to have UPMC provide storage to house their personal data – they didn’t have a choice. And apparently UPMC wasn’t legally obligated to protect that data or even ‘provide adequate and reasonable data security.’
And since the only law in place regarding cyber-crime only requires UPMC to notify the employees of the breach, those employees have no legal right to seek damages. If UPMC was negligent in its security efforts, or even purposely ignored security flaws, it was still operating fully within the law, since there are no laws regarding how, or even whether, companies should protect data.
Basically, the UPMC employees are screwed.
And this should serve as a wakeup call to all of us.
Because there are no laws in place regarding cyber-security or requiring companies to provide reasonable data protection, no one can be held accountable for breaches no matter how negligent they may have been. As long as they tell people they have been hacked, those companies have fulfilled their legal obligations, and that’s where it ends. With no laws on cyber-security and data breaches to apply, the courts are essentially powerless to do anything.
So don’t be surprised when you get that email from your employer that reads, “Dear employee, this email is to inform you that the company databases have been hacked and all your information was stolen. By informing you of the data breach we have officially fulfilled all our legal obligations and doing so absolves us from any further responsibility in this matter. We recommend that you sign up for a credit monitoring service, change all your passwords and notify your bank. Have a nice day.”