Ben Yelin from UMD CHHS on a PA Supreme Court ruling on protection of employees' personal information.
Dave Bittner: I'm pleased to be joined, once again, by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, always great to have you back. This was a story that came by from the National Law Review and it's titled, Pennsylvania Supreme Court recognizes common law duty to safeguard employees' personal data. What's going on here?
Ben Yelin: Yes, this is a fascinating case. It's called Dittman v. UPMC, which is the University of Pittsburgh Medical Center. Some personal information was stolen from the database at the center, that this medical center had maintained. Information from 62,000 employees, that's a lot of people and very personal information. Social Security, birth date, tax information, bank card information, etc.
Ben Yelin: Some employees or former employees of UPMC sued the hospital, saying that they had a reasonable duty of care, under Common Law, to safeguard that information and what that means is that, if they did not use reasonable care, if they did not use, you know, the most advanced practices in protecting digital information, they would be liable in tort for some sort of damages and that's exactly what happened here. So the court found that the hospital was negligent.
Ben Yelin: Negligence is a Common Law tort and the standard for negligence, as it has been since basically our Common Law system has evolved from our greatest ancestors, is whether the defendant used ordinary, reasonable care. What this decision does is it defines ordinary, reasonable care or the standard of reasonable care in the context of data security and says that by exposing this information to breach, by not using the best practices in terms of safeguarding personal information, that organization or the defendant in this case is not acting according to the standard of reasonable care.
Ben Yelin: As a result, these individuals suffered some economic losses. I think the article says that somebody used the stolen information to start false bank accounts in the names of some of the plaintiffs and, therefore, the hospital, the medical system is going to have to compensate those victims.
Ben Yelin: What's interesting about this case is that it is applying this old Common Law doctrine to the modern circumstance of data privacy and, because it's the first decision of its kind across the country, even though this is only binding on the State of Pennsylvania institutions, this is going to be instructional for other courts, as they deal with whether to apply that Common Law duty of reasonable care to private actors, who have been entrusted in safeguarding information.
Ben Yelin: So this, at least right now, is the North Star case, the groundbreaking case and I think this is something that other State courts and Federal courts are going to look into when similar cases present themselves.
Dave Bittner: Now, the situation here is, this allows folks to go after them from a civil point of view, going after money? There's no criminal element here?
Ben Yelin: No, there's no criminal element, this is just about civil damages. Obviously, this could be a big financial hit for the medical center, the medical institution, to be potentially liable to a class of 62,000 employees for what is a significant economic loss. That includes, you know, all different types of economic damages. That's going to be a major liability for that medical system.
Ben Yelin: Now, theoretically what that means is, just as hospitals have to take measures to protect themselves against other types of Common Law lawsuits, for example medical malpractice, they're going to have to take proactive measures to protect the integrity of their data. Now that they know that they are potentially liable for data breaches, even if they're not the ones, you know, stealing the private information, that means there's going to be an added cost on the front end for the medical system to protect that data.
Ben Yelin: What we've seen in other torts cases is that turns into a bit of a consumer tax. In the long run, you know, because the hospital will have to use more of its resources to secure that data, you know, that's gonna add to their overhead costs of doing business and eventually that filters down to the patients or, more likely, to the insurance companies.
Ben Yelin: But that's something that's existed forever in the world of torts, now it's just being applied in a new manner, reflecting the digital age.
Dave Bittner: Yes. Alright, Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.