With all the recent data breaches at government offices, health insurance agencies, investment corporations and retail stores, you might wonder why none of these companies or institutions are being taken to court. Well, if you think the law is going to protect the millions of victims of cyber-crime, think again. The law is definitely not on the side of the victims.
Recently a Pennsylvania judge dismissed a class action lawsuit filed against the University of Pittsburgh Medical Center (UPMC). The UPMC networks were hacked and the thieves made off with the personal information of 62,000 employees, including birthdates, Social Security numbers, confidential tax information, addresses, salaries and bank account information. Naturally the employees were not happy about it and filed a class action lawsuit against UPMC (Dittman v. UPMC).
The plaintiffs claimed that UPMC had a common law duty to protect their highly sensitive personal and financial information by designing, maintaining and testing its security systems.
Judge R. Stanton Wettick, Jr. disagreed, saying that Pennsylvania law did not recognize such a common law duty (one would need to be created by the state General Assembly): “As of this date, the only legislation which the General Assembly has chosen to enact requires entities that suffer a breach of their security systems to provide notification.” The judge added that only the Office of the Attorney General can bring an action for violation of the notification requirement – no private actions are permitted.
He also said that fear of imminent identity theft is not enough – you have to prove actual damage (and, I assume, directly link it to a particular data breach).
Ballard Spahr LLP, a law firm that assists clients in complying with regulatory privacy and data security requirements, states in a press release:
Dittman is the latest in a line of cases rejecting class actions seeking economic damages arising out of data breaches. The balance of federal case law currently favors dismissal of such actions on the grounds that fear of identity theft is not a sufficient harm to trigger Article III standing. Most state courts examining the issue have found, like Judge Wettick, that there is no common law duty to provide adequate and reasonable data security.
So there is no common law duty for organizations to ‘provide adequate and reasonable data security’ – that’s comforting.
And the Ballard Spahr press release added:
The case, if anything, goes further than other state court decisions analyzing the wisdom of imposing a common law duty to protect sensitive personal information, noting the public policy implications if state courts were to permit such claims to go forward. In particular the Court expressed concern that a ruling in favor of the plaintiffs could result in hundreds of thousands of new lawsuits being filed in Pennsylvania. “Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions,” Judge Wettick said. “Courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system” and would require defendant companies, victims themselves as the Court noted, to expend substantial resources to defend such claims.
In other words, they don’t want to hear these cases because it would create more work than they can handle, not because the claims are unjustified. It’s a bit like saying ‘if we bring all murderers to trial then our courts will be swamped with murder trials, and we certainly don’t want that.’
So organizations are not legally required to make any effort to protect your data, and if they are hacked all they have to do is notify you (and if they don’t, only the Attorney General can do anything about it). They are not obligated to pay anything unless you can prove financial damages. And the courts would rather not deal with this issue at all.