Ballard Spahr LLP, a law firm that helps companies with cyber-crime compliance issues and litigation, among other things, released information on a lawsuit over a major hack of a university’s networks. The press release covered a Pennsylvania judge’s dismissal of a class action lawsuit filed against the University of Pittsburgh Medical Center (UPMC). The lawsuit concerned the theft of birthdates, confidential tax information, salaries, Social Security numbers, bank account information, and addresses of 62,000 UPMC employees by cyber-criminals who hacked into the university’s networks.
Judge R. Stanton Wettick, Jr. dismissed the case because there is no ‘common law duty’ to protect sensitive or personal data. The lawsuit claimed that UPMC had a common law duty to protect its employees’ data, and stated that UPMC should at least pay for credit monitoring and identity theft services. The judge stated that the only legislation the General Assembly chose to enact requires entities whose security systems have been breached to provide notification.
He also added that the fear of potential identity theft isn’t enough to warrant damages being paid; you have to show actual loss. Judge Wettick wasn’t the only one who thought this: the Ballard Spahr press release also stated that most state courts have found no common law duty to provide adequate and reasonable data security.
Courts can only base their decisions on existing laws made by the legislative branches of government, meaning that they can’t make up new laws. As in most other states, there are no laws in Pennsylvania on how to deal with data breaches or on data security. Any other laws that are in effect are very limited. Pennsylvania’s companies are only required to provide notification if they have been hacked.
The 62,000 UPMC employees didn’t sign up to have their personal data stored and protected by UPMC; they didn’t have that option. Apparently UPMC isn’t legally obligated to protect their data or even to “provide adequate and reasonable data security”. The UPMC employees have no legal right to seek damages because the only law regarding cyber-crime requires the company to notify its employees. Even if the company were to ignore security flaws or neglect security efforts, it would still be operating fully within the law. No matter what the case is or could have been, the employees are out of luck.
Since there are no laws in effect regarding cyber-security or requiring companies to provide data protection, there is absolutely no one who can be held to blame for breaches, no matter how negligent they may have been. As long as companies inform future employees that the company has been hacked, they have legally fulfilled their obligations. The courts are basically powerless in these situations, since there are no laws regarding data breaches and cyber-security.