Dittman v. UPMC, 196 A.3d 1036 (2018)

Nov. 21, 2018 · Supreme Court of Pennsylvania · No. 43 WAP 2017

Barbara A. DITTMAN, Gary R. Douglas, Alice Pastirik, Joann Decolati, Tina Sorrentino, Kristen Cushman and Shannon Molyneaux, Individually and on Behalf of All Others Similarly Situated, Appellants
v.
UPMC d/b/a The University of Pittsburgh Medical Center, and UPMC McKeesport, Appellees

No. 43 WAP 2017

Supreme Court of Pennsylvania.

Argued April 10, 2018
Decided November 21, 2018

Jamisen A. Etzel, Carlson Lynch Sweet & Kilpela, LLP, Joseph A. Del Sole, Stickman, William Shaw, IV, Del Sole Cavanaugh Stroyd, L.L.C., Gary F. Lynch, Pittsburgh, PA, for Appellant.

John C. Conti, Megan Justine Block, Dickie McCamey & Chilcote PC, Pittsburgh, PA, for Appellee.

James Michael Beck, Reed Smith LLP, Philadelphia, PA, for Amicus Curiae.

SAYLOR, C.J., BAER, TODD, DONOHUE, DOUGHERTY, WECHT, MUNDY, JJ.

OPINION

JUSTICE BAER

We granted discretionary review in this matter to determine whether an employer has a legal duty to use reasonable care to safeguard its employees' sensitive personal information that the employer stores on an internet-accessible computer system. We also examine the scope of Pennsylvania's economic loss doctrine, specifically whether it permits recovery in negligence for purely pecuniary damages. For the reasons discussed below, we hold that an employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system. We further hold that, under Pennsylvania's economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant's breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract. As the Superior Court came to the opposite conclusions, we now vacate its judgment.

Barbara A. Dittman, Gary R. Douglas, Alice Pastirik, Joann Decolati, Tina Sorrentino, Kristen Cushman, and Shannon Molyneaux, individually and on behalf of all others similarly situated (collectively, Employees), filed the operative class action complaint in this matter against UPMC d/b/a the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) on June 25, 2014. In the complaint, Employees alleged that a data breach had occurred through which the personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 UPMC employees and former employees was accessed and stolen from UPMC's computer systems. Second Amended Class Action Complaint, 6/25/2014, at ¶¶ 21-22, 27, 53. Employees further alleged that the stolen *1039 data, which consisted of information UPMC required Employees to provide as a condition of their employment, was used to file fraudulent tax returns on behalf of the victimized Employees, resulting in actual damages. Id. ¶¶ 21, 23, 35.

Based on the foregoing, Employees asserted a negligence claim and breach of implied contract claim against UPMC.[1] With respect to their negligence claim, Employees alleged that UPMC had a duty to exercise reasonable care to protect their "personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties." Id. at ¶ 53. Employees further alleged that UPMC undertook a duty of care to ensure the security of their information in light of the special relationship between Employees and UPMC, whereby UPMC required Employees to provide the information as a condition of their employment. Id. at ¶ 56. Employees averred that this "duty included, among other things, designing, maintaining, and testing its security systems to ensure" that Employees' information was adequately protected, and implementing "processes that would detect a breach of its security systems in a timely manner." Id. at ¶¶ 54-55.

Additionally, Employees claimed that UPMC breached its duty to use reasonable care "by failing to adopt, implement, and maintain adequate security measures to safeguard [Employees'] ... information, failing to adequately monitor the security of its network, allowing unauthorized access to [Employees'] ... information, and failing to recognize in a timely manner that [Employees'] ... information had been compromised." Id. at ¶ 57. Employees further averred that UPMC "violated administrative guidelines" and "failed to meet current data security industry standards," specifically by failing to encrypt data properly, "establish adequate firewalls to handle a server intrusion contingency," and "implement adequate authentication protocol to protect the confidential information contained in its computer network." Id. at ¶¶ 33-34.

Employees also claimed that UPMC's breach of its duties was the direct and proximate cause of the harm to Employees. Id. at ¶¶ 59-60. Finally, Employees alleged that, as a result of UPMC's negligence, Employees "incurred damages relating to fraudulently filed tax returns" and are "at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse." Id. at ¶¶ 61-62. Based on the foregoing, Employees sought monetary damages, among other forms of relief. Id. at ¶ 70.

On July 16, 2014, UPMC filed preliminary objections to Employees' complaint arguing that, inter alia, their negligence claim failed as a matter of law. Specifically, UPMC argued that no cause of action exists for negligence because Employees did not allege any physical injury or property damage and, under the economic loss doctrine, "no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage." UPMC's Preliminary *1040 Objections to Employees' Second Amended Class Action Complaint, 7/16/2014, at ¶¶ 15-17 (quoting Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 604 Pa. 50, 985 A.2d 840, 841 n.3 (2009)). Employees responded in opposition, and UPMC filed a reply to Employees' response. Thereafter, on October 22, 2014, the parties appeared before the trial court for oral argument on UPMC's preliminary objections. Following argument, at the court's direction, both parties filed supplemental briefs addressing whether UPMC owed a duty of care to Employees under the five-factor test set forth in Althaus ex rel. Althaus v. Cohen, 562 Pa. 547, 756 A.2d 1166 (2000).[2]

On May 28, 2015, the court sustained UPMC's preliminary objections and dismissed Employees' negligence claim.[3] Relying upon the general description of the economic loss doctrine quoted from Excavation Technologies above, the trial court observed that, while Employees claimed that UPMC owed them a duty of care, the only losses Employees sustained were economic in nature. Trial Ct. Op., 5/28/2015, at 4. The trial court then briefly examined this Court's decision in Bilt-Rite Contractors, Inc. v. The Architectural Studio, 581 Pa. 454, 866 A.2d 270 (2005), which allowed a negligence action based upon economic loss alone, viewing it as merely creating an exception to the economic loss doctrine for losses incurred as a result of a plaintiff's reliance on advice given by professionals for pecuniary gain.[4] Id. at 4-5. The trial court concluded that, because this "case does not involve defendants in the business of supplying information for economic gain," the exception did not apply. Id.

The trial court further opined that the Althaus factors and duty of care "should not be considered where the plaintiff seeks to recover only economic losses," as "the Pennsylvania appellate courts have already balanced the competing interests through adoption of the economic loss doctrine." Id. at 5. This determination notwithstanding, the trial court went on to analyze the Althaus factors and conclude that courts should not impose "a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions." Id. The trial court found the controlling factors of the Althaus test to be (1) the consequences of imposing a duty upon the actor, and (2) the overall public interest in the proposed solution. In this regard, the trial court observed that data breaches are widespread and frequent. The trial court further explained that, under Employees' proposed solution of creating a private *1041 negligence cause of action to recover actual damages resulting from data breaches, "hundreds of thousands of lawsuits" could result, which would overwhelm the judicial system and require entities to expend substantial resources in defending against those actions. Id. at 6. Additionally, the trial court reasoned that there are no generally accepted reasonable care standards for evaluating one's conduct in protecting data, and that use of expert testimony and jury findings is not a viable method to develop those standards in data breach litigation. Id.

The trial court opined that it could not say with reasonable certainty that the best interests of society would be served through the recognition of a new affirmative duty under these circumstances, noting that the financial impact of doing so could put entities out of business. Id. at 7. The trial court further explained that entities storing confidential information already have an incentive to protect that information because any breach will affect their operations, that an improved system would not necessarily prevent a breach, and that the entities were also victims of the criminal activity involved. Id. at 7-8. Finally, the trial court observed that the Legislature is aware of and has considered the issues that Employees sought the court to consider herein as evidenced by the Breach of Personal Information Notification Act (Data Breach Act), 73 P.S. §§ 2301-2329. Specifically, the court explained that, under the Data Breach Act, the Legislature has imposed a duty on entities to provide notice of a data breach only, 73 P.S. § 2303, and given the Office of Attorney General the exclusive authority to bring an action for violation of the notification requirement, id. at § 2308. Trial Ct. Op., 5/28/2015, at 8-10. The court thus reasoned that, as public policy was a matter for the Legislature, it was not for the courts to alter the Legislature's direction.[5] Id. at 10.

Employees appealed to the Superior Court. Relevant to the issues before this Court, Employees argued that the trial court erred in finding that UPMC did not owe a duty of reasonable care in its collection and storage of Employees' information, and that the economic loss doctrine barred their claim.

In a split opinion, a three-judge panel of the Superior Court affirmed the order of the trial court sustaining UPMC's preliminary objections and dismissing Employees' claims. Dittman v. UPMC, 154 A.3d 318 (Pa. Super. 2017). As to the issue of duty, the Superior Court applied the Althaus factors, concluding first that the relationship between the parties weighed in favor of imposing a duty on UPMC because the employer-employee relationship "traditionally has given rise to duties on the employer." Id. at 323. The court also reasoned that "[t]here is an obvious social utility" in electronically storing employees' personal information "to promote efficiency," which outweighed the nature of the risk imposed *1042 and foreseeability of the harm incurred in so doing. Id. at 323-24. While the court noted that the general risk of storing information electronically increases as data breaches become more common and that data breaches and the ensuing harm were generally foreseeable, "more and more information is stored electronically" in the modern era and "employees and consumers alike derive substantial benefits from" the resulting efficiencies. Id. at 323. The court further observed that "a third party committing a crime is a superseding cause" against which "a defendant does not have a duty to guard ... unless he realized, or should have realized, the likelihood of such a situation."[6] Id.

The Superior Court further agreed with the trial court's analysis of the fourth and fifth Althaus factors, the consequences of imposing a duty upon the actor and the overall public interest in the proposed solution, respectively. As to the fourth factor, the Superior Court added to the trial court's reasoning that no judicially created duty of care is needed to incentivize companies to protect their employees' confidential information because there are "statutes and safeguards in place to prevent employers from disclosing confidential information." Id. at 324 (citing, inter alia, the Data Breach Act). The Superior Court also found it "unnecessary to require employers to incur potentially significant costs to increase security measures when there was no true way to prevent data breaches altogether." Id. The court reasoned that "[e]mployers strive to run their businesses efficiently and they have incentive to protect employee information and prevent these types of occurrences." Id.

Thus, upon consideration of all of the Althaus factors, the Superior Court concluded that the trial court properly found that UPMC owed no duty to Employees under Pennsylvania law. Nevertheless, the Superior Court continued to examine whether the economic loss doctrine applied to bar Employees' negligence claim. Reiterating the generalized statement of the doctrine (i.e., that "no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage"), the Superior Court opined that the trial court was correct in noting that the Bilt-Rite decision was meant to provide a narrow exception to the doctrine only when the losses result from the reliance on the advice of professionals. Id. at 325. The Superior Court further agreed with the trial court that the narrow exception did not apply to this case.[7] Id.

Judge Stabile filed a concurring statement that Judge Olson, the author of the majority opinion, joined. Judge Stabile reasoned that the court's decision declining to find a legal duty should be limited to the facts as alleged in this case. Id. at 326 (Stabile, J., concurring). He further reasoned that the balance of the Althaus factors may change in favor of employees at some point in the future "with the evolution and increased use of" electronic storage of information. Id. at 327 (Stabile, J., concurring).

*1043 Judge Musmanno wrote a dissenting statement concluding that, on balance, the Althaus factors weighed in favor of imposing a duty of reasonable care on UPMC. Specifically, Judge Musmanno challenged the majority's conclusion that the social utility of electronically storing employee information outweighed the risk and foreseeability of the harm, believing it to be "untenable, given the ubiquitous nature of electronic data storage, the risk to UPMC's employees posed by the failure to reasonably protect such information, and the foreseeability of a computer breach and subsequent identify theft." Id. at 328 (Musmanno, J., dissenting). Moreover, Judge Musmanno posited that Employees' "assertions, if proven, would establish that UPMC knew or should have realized that inadequate electronic data protections would create a likelihood that its employees' personal information would be compromised, and that a third party would avail itself of the opportunity to steal this sensitive data." Id. (Musmanno, J., dissenting). Further, Judge Musmanno reasoned that, "[u]nder the circumstances alleged, the criminal acts of third parties do not relieve UPMC of its duty of care in the protection of [Employees'] sensitive personal data." Id. (Musmanno, J., dissenting).

Judge Musmanno also disagreed with the majority's conclusion that the imposition of a duty of care is unnecessary to incentivize companies to protect their confidential information. Judge Musmanno noted that, while the majority declined to impose a duty due to the significant costs imposed upon employers and the inability to prevent every data breach, the Althaus test does not require that the proposed duty prevent all harm.[8] Id. (Musmanno, J., dissenting). Judge Musmanno continued that, when considered against the cost to employees resulting from the data breach, the factor relating to the consequences of imposing a duty weighed in favor of imposing a duty. Id. (Musmanno, J., dissenting). Finally, Judge Musmanno disagreed with the majority's conclusion that the public interest in imposing a duty weighed in favor of UPMC, opining that, "[w]hile judicial resources may be expended during litigation of data breaches, the public has a greater interest in protecting the personal and sensitive data collected and electronically stored by employers." Id. at 328-29 (Musmanno, J., dissenting).

We granted allowance of appeal to address the following issues, as stated by Employees:

a. Does an employer have a legal duty to use reasonable care to safeguard sensitive personal information of its employees when the employer chooses to store such information on an internet accessible computer system?
b. Does the economic loss doctrine permit recovery for purely pecuniary damages which result from the breach of an independent legal duty arising under common law, as opposed to the breach of a contractual duty?

Dittman v. UPMC, 642 Pa. 572, 170 A.3d 1042 (2017) (per curiam).

This matter presents pure questions of law, over which our standard of review is de novo, and our scope of review is plenary. Skotnicki v. Insurance Department, --- Pa. ----, 175 A.3d 239, 247 (2017). Further, as Employees' negligence claim was dismissed on preliminary objections in the nature of a demurrer, we must *1044 determine "whether, on the facts averred, the law says with certainty that no recovery is possible." Bilt-Rite Contractors, 866 A.2d at 274. Any existing doubt as to whether a demurrer should be sustained should be resolved in favor of overruling it. Id. Additionally, we accept as true all material facts as set forth in the complaint and any inferences reasonably deducible therefrom in conducting our review. Id. at 272.

A. Duty

Employees contend that, in collecting and storing the sensitive personal and financial information it required Employees to provide, UPMC owed a duty to Employees to exercise reasonable care under the circumstances, which includes using reasonable measures to protect the information from the foreseeable risk of a data breach. In support of their position, Employees first argue that resort to the Althaus factors for purposes of determining the existence of a duty in this case is unnecessary. Specifically, Employees argue that the Althaus test applies only when determining whether to impose a new, affirmative duty not yet existing under common law, and not when a longstanding preexisting duty arises in a novel factual scenario. Employees' Brief at 14-15 (quoting Alderwoods (Pennsylvania), Inc. v. Duquesne Light Co., 630 Pa. 45, 106 A.3d 27, 40 (2014) (explaining that, inter alia, the Althaus factors are "more relevant to the creation of new duties than to the vindication of existing ones")). Employees contend that the trial court and Superior Court erred in treating their claim as one seeking the creation of a new, affirmative duty requiring application of the Althaus test, and in concluding that UPMC did not owe a duty. As further explained below, Employees claim that they instead seek to impose upon UPMC a duty of care long-established in Pennsylvania law under the novel facts of this case.

In support of their assertion, Employees argue that, as a general rule, "anyone who does an affirmative act is under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act." Employees' Brief at 17 (quoting Restatement (Second) of Torts § 302, cmt. a (1965)). Employees claim that this is a broad expression of duty applicable to many forms of activity, even in novel factual scenarios with no direct precedent such as this one. Applying this broad expression of duty to the facts herein, Employees contend that UPMC engaged in the affirmative act of collecting Employees' sensitive personal data and storing it on their internet-accessible computer systems. Employees maintain that, in so doing, UPMC was under a duty to them to exercise reasonable care under the circumstances, which includes taking reasonable measures to protect them from the foreseeable risk that third parties would attempt to access and pilfer that information. Thus, Employees claim that they are alleging misfeasance on behalf of UPMC in collecting and storing Employees' sensitive personal data.

Employees further contend that this broad duty is limited by the concept of foreseeability.[9] With respect to foreseeability, Employees argue that troves of electronic data stored on internet-accessible computers held by large entities are obvious *1045 targets for cyber criminals and that a reasonable entity in UPMC's position should foresee that a failure to use basic security measures can lead to exposure of the data and serious financial consequences for the victims. Employees thus claim that, in light of the prevalence of electronic data storage in the employment context and the foreseeable risk of breaches of such data, it is appropriate to require employers to use reasonable care when handling and storing employee data in order to protect it from compromise. Employees argue that there is no sound justification for exempting employers from a duty to act with reasonable care when they collect and store employees' sensitive personal information.

Finally, Employees contend that the fact that the ultimate harm in this case resulted from criminal activity does not eviscerate the duty UPMC owed to Employees to handle its collection and storage of employee data with reasonable care. Employees acknowledge that one generally does not owe a duty to others to protect them against criminal conduct. Employees contend, however, that there are many exceptions to this rule and that the duty to take reasonable anticipatory measures against foreseeable criminal conduct in certain scenarios has deep roots in common law. Employees' Brief at 22-24 (relying upon Sections 302 and 302B of the Restatement (Second) of Torts and Comment E thereto, discussed infra).

In response, UPMC challenges Employees' assertion that it assumed a legal duty to protect against a criminal data breach through commission of an affirmative act. UPMC contends that it merely possessed employee information incident to a general employment relationship, which cannot constitute an affirmative act that entails legal liability for third-party criminal conduct. UPMC notes that it is not in the business of providing data security, was not retained to provide data security, was not otherwise tasked with providing data security, and never pursued such an undertaking.

Indeed, according to UPMC, Employees are not claiming any affirmative misfeasance on UPMC's part but, rather, nonfeasance in that UPMC failed to prevent the harm incurred or some speculative future harm. In that regard, UPMC notes that there is a "no-duty rule in rescue/protection scenarios where the defendant did not create the risk resulting in harm to the plaintiff." UPMC's Brief at 45 (quoting Seebold v. Prison Health Services, Inc., 618 Pa. 632, 57 A.3d 1232, 1246 (2012)). UPMC contends that "[i]t is nonsensical to suggest that [it] created the risk of harm from a criminal data breach[ ] simply by possessing employee data" and its business neither increased the risk of criminal activity nor posed a special danger to the public regarding unshielded data. Id. at 45, 50-51. UPMC contends that third party criminality, not any affirmative conduct on UPMC's part, created the risk of harm and that it cannot be held liable for an external criminal hack merely because of the general prevalence or conceivable risk of data breaches. UPMC further argues that a third-party criminal act is a superseding cause of the resulting harm and should not be deemed "foreseeable by a negligent actor merely because he or she could have speculated that they might conceivably occur." Id. at 51 (citing, inter alia, Ford v. Jeffries, 474 Pa. 588, 379 A.2d 111, 115 (1977), and Mahan v. Am-Gard, Inc., 841 A.2d 1052, 1061 (Pa. Super. 2003)).

UPMC thus argues that Employees "are proposing a radical reconstruction of duty" where they seek to impose liability on UPMC for the criminal acts of unknown third parties. Id. at 45. UPMC contends that the decision to impose a legal duty *1046 requires a policy determination, made through analysis of the Althaus factors, regarding whether a plaintiff is entitled to recover from a defendant for a particular harm on particular facts. UPMC further claims that, as recognized by the courts below, policy considerations do not permit Employees' recovery in negligence in this case under both an Althaus analysis and the economic loss doctrine, and numerous other jurisdictions have likewise declined to adopt that duty. UPMC contends that, having failed below to establish an exception to the economic loss doctrine or a legal duty under Althaus, Employees now seek to ignore the requisite policy analysis and instead make the specious claim that UPMC owes them a duty under general negligence principles. UPMC contends that no general rule of negligence can subject them to liability for third-party criminal conduct and claims that to subject all Pennsylvania companies that store employee data to liability for criminal data breaches is untenable and against the lower courts' policy determination pursuant to Althaus that no such duty be imposed.[10]

Having considered the parties' arguments, we agree with Employees that this case is one involving application of an existing duty to a novel factual scenario, as opposed to the imposition of a new, affirmative duty requiring analysis of the Althaus factors. As Employees set forth in their brief, this Court observed in Alderwoods that the Althaus factors are "more relevant to the creation of new duties than to the vindication of existing ones." Alderwoods, 106 A.3d at 40. This Court further explained that it is unnecessary "to conduct a full-blown public policy assessment in every instance in which a longstanding duty imposed on members of the public at large arises in a novel factual scenario. Common-law duties stated in general terms are framed in such fashion for the very reason that they have broad-scale application." Id. at 40-41; see also Scampone v. Highland Park Care Center, LLC, 618 Pa. 363, 57 A.3d 582, 599 (2012) ("Like any other cause of action at common law, negligence evolves through either directly applicable decisional law or by analogy, meaning that a defendant is not categorically exempt from liability simply because appellate decisional law has not specifically addressed a theory of liability in a particular context.").

As for the common law duty at issue here, this Court has observed that "[i]n scenarios involving an actor's affirmative conduct, he is generally 'under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act." Seebold, 57 A.3d at 1246 (quoting Section 302 cmt. a of the Restatement *1047 (Second) of Torts). The Seebold Court explained that "[t]his duty appropriately undergirds the vast expanse of tort claims in which a defendant's affirmative, risk-causing conduct is in issue." Id. Indeed, this Court noted that "many judicial opinions on the subject of negligence do not specifically address the duty element," not because they "fail to see duty as an element of negligence, but because they presume the existence of a duty where the defendant's conduct created a risk." Id. at 1246 n.21 (quoting Cardi & Green, Duty Wars, 81 S. CAL. L. REV. 671, 702 (2008)).

Employees have alleged and, as the case is before us at the preliminary objection stage, we currently must accept as true that, as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC. Additionally, while UPMC is correct that, generally, "there is no duty to protect or rescue someone who is at risk on account of circumstances the defendant had no role in creating," id. at 1246, Employees have sufficiently alleged that UPMC's affirmative conduct created the risk of a data breach. Thus, we agree with Employees that, in collecting and storing Employees' data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.

Further, to the extent that UPMC argues that the presence of third-party criminality in this case eliminates the duty it owes to Employees, we do not agree. As stated above, UPMC relies on selected portions of Ford and Mahan in support of its position that it cannot be liable for third-party criminal conduct that could "conceivably occur." However, as Ford more fully outlined:

The act of a third person in committing an intentional tort or crime is a superseding cause of harm to another resulting therefrom, although the actor's negligent conduct created a situation which afforded an opportunity to the third person to commit such a tort or crime, unless the actor at the time of his negligent conduct realized or should have realized the likelihood that such a situation might be created, and that a third person might avail himself of the opportunity to commit such a tort or crime.

Ford, 379 A.2d at 115 (quoting Section 448 of the Restatement (Second) of Torts (1965)).[11] Further, while the Superior *1048 Court in Mahan observed that "the wrongful actions of a third party are not deemed to be foreseeable by a negligent actor merely because he or she could have speculated that they might conceivably occur," the court, citing Jeffries, acknowledged that liability could be found if the actor "realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime." Mahan, 841 A.2d at 1061.[12]

Again, Employees allege that UPMC, their employer, undertook the collection and storage of their requested sensitive personal data without implementing adequate security measures to protect against data breaches, including encrypting data properly, establishing adequate firewalls, and implementing adequate authentication protocol. The alleged conditions surrounding UPMC's data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in UPMC's computer system and steal Employees' information; thus, the data breach was "within the scope of the risk created by" UPMC. See Ford, 379 A.2d at 115 (explaining that the dilapidated condition of the appellee's property, which had caught fire and damaged the appellant's neighboring property, "was such that third persons might avail themselves of the opportunity to commit a tort or crime" and that "such acts were within the scope of the risk created by the appellee"). Therefore, the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect Employees' personal and financial information from that breach.

Based on the foregoing, we conclude that the lower courts erred in finding that UPMC did not owe a duty to Employees to exercise reasonable care in collecting and storing their personal and financial information on its computer systems. This conclusion notwithstanding, Employees' claim cannot proceed if we nonetheless hold that it is barred by the economic loss doctrine. Thus, we turn to our analysis of that doctrine.

B. The Economic Loss Doctrine

The crux of the dispute before us is whether the economic loss doctrine as applied in Pennsylvania precludes all negligence claims that seek to recover for purely economic damages, save for specifically delineated and narrow exceptions, or whether such claims are generally permitted provided that a plaintiff can establish a breach of a legal duty independent of any contractual duties existing between the parties. As evidenced throughout this opinion, much of the dispute in this regard *1049 centers on the proper interpretation of our decisions in Bilt-Rite and Excavation Technologies, which form the basis of the parties' arguments and which we analyze in further detail below.

Beginning with the parties' contentions, Employees argue that courts have incorrectly read our decision in Bilt-Rite as merely permitting negligent misrepresentation claims under Section 552 of the Restatement (Second) of Torts, see infra at page 1051 n.17, as a narrow exception to an otherwise broad economic loss doctrine precluding all negligence claims for solely monetary harm. Employees claim that, under Bilt-Rite, the economic loss doctrine does not bar negligence-based tort claims involving purely financial harm, provided that the plaintiff establishes that the defendant owed a common law duty arising independently from any contract between the parties. Employees argue that the holding in Bilt-Rite did not rely or otherwise depend upon the particular legal duty imposed or tort alleged in that case and therefore was not limited in that manner.

Employees contend that Bilt-Rite's iteration of the rule as they believe it should be interpreted is more coherent and precise than the general statement of the rule, "which fails to explain or reconcile a plethora of obvious 'exceptions.'" Employees' Brief at 51. Employees further argue that their interpretation of the doctrine, which focuses on the source of the duty, is consistent with the definition accepted by many states and scholars, and will reduce confusion and unjust deployment of the rule against legitimate tort claims while serving the rule's purpose of precluding those claims that seek to compensate parties for losses resulting from a breach of contractual duties. Employees thus contend that, here, we need only to reaffirm Bilt-Rite's enunciation of the rule as stated by them and hold that it does not bar their negligence claim.

UPMC counters that the lower courts correctly held that the economic loss doctrine precludes Employees' negligence claim for monetary damages.13 UPMC argues that the economic loss doctrine is well-settled in Pennsylvania and broadly applies to bar negligence claims that result "solely in economic damages unaccompanied by physical injury or property damage." UPMC's Brief at 12, 14-15 (quoting Excavation Technologies, Inc., 985 A.2d at 841 n.3). Relying upon Excavation Technologies, UPMC further interprets Bilt-Rite's holding as creating a narrow exception to the broad economic loss doctrine for negligent misrepresentation claims under Section 552 of the Restatement (Second) of Torts that involve design professionals supplying information to others for pecuniary gain. UPMC claims that no Pennsylvania court has applied Employees' interpretation of Bilt-Rite in an action to recover purely economic damages under a common law negligence theory and argues that this Court already declined to expand Bilt-Rite in the manner Employees suggest in Excavation Technologies.

UPMC also claims that Employees, focusing upon "misleading dicta" in Bilt-Rite, argue for an improperly expansive interpretation of that case which would *1050 effectively render the economic loss doctrine a nullity by exempting all common law negligence claims from its application.14 Id. at 16-18. UPMC contends that the language Employees rely upon from Bilt-Rite in support of their position "merely recognizes an uncontroversial aspect of tort law": that "financial damages may be recoverable under several specific torts [that include] financial detriment ... as an element of the tort itself." Id. at 18. UPMC argues that Employees' failure to distinguish between common law negligence and specific tort claims highlights the error in their argument.

UPMC argues that Employees' "tortured construction" of the economic loss doctrine "distills to the untenable proposition that our appellate courts have misconstrued the rule since its inception" and that accepting Employees' position would contravene the doctrine's purpose of preventing indeterminate liability. Id. at 12-13, 16 n.4. UPMC further maintains that the Third Circuit has already considered and rejected Employees' arguments regarding the contours of Pennsylvania's economic loss doctrine and Bilt-Rite's holding, including in the context of computer information theft. Id. at 18-20 (citing, inter alia, Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 178 (3d Cir. 2008) (opining that this Court in Bilt-Rite "simply carved out a narrow exception [to the economic loss doctrine] when losses result from the reliance on the advice of professionals")). Additionally, UPMC claims that a majority of jurisdictions confronting data breach litigation have dismissed negligence claims in accord with the economic loss doctrine.15, 16

*1051 As the parties' arguments focus on this Court's decisions in Bilt-Rite (2005) and Excavation Technologies (2009), we begin with a summary of those cases. In Bilt-Rite, East Penn School District (District) entered into a contract with The Architectural Studio (TAS) for architectural services related to the design and construction of a new school. These services included the preparation of plans, drawings, and specifications that would be submitted to contractors for the purpose of preparing bids for the new school's construction. The District solicited bids from contractors for the project, including TAS's plans, drawings, and specifications in the bid documents supplied to the contractors. The District eventually awarded the contract to Bilt-Rite Contractors, Inc. (Bilt-Rite), and the District and Bilt-Rite entered into a contract for the project. The contract specifically referred to and incorporated by reference the plans, drawings, and specifications from TAS.

As part of the project, TAS's plans provided for the installation of certain systems that TAS "expressly represented could be installed and constructed through the use of normal and reasonable construction means and methods, using standard construction design tables." Bilt-Rite, 866 A.2d at 272. However, once Bilt-Rite began the work, it discovered that construction of the systems required it to employ special construction means, methods, and design tables, resulting in substantially increased construction costs. It thus "sued TAS on a theory of negligent misrepresentation under Section 552 of the Restatement (Second) of Torts,[17] claiming that TAS's specifications were false and/or misleading, and seeking damages for its increased construction costs." Id. at 272-73. TAS filed preliminary objections in the nature of a demurrer, arguing that " 'the economic loss doctrine,' which holds that a tort plaintiff cannot recover for purely economic losses" barred Bilt-Rite's action and that TAS did not owe a duty to Bilt-Rite, with whom it had no contractual relationship. Id. at 273. The trial court sustained TAS's preliminary objections, and the Superior Court affirmed.

On appeal, this Court was presented with the issue of "whether a building contractor may maintain a negligent misrepresentation claim against an architect for alleged misrepresentations in the architect's plans for a public construction contract, where there was no privity of contract between the architect and the contractor, but the contractor reasonably *1052 relied upon the misrepresentations in submitting its winning bid and consequently suffered purely economic damages as a result of that reliance." Id. at 272. In addressing that issue, this Court formally adopted Section 552 of the Restatement (Second) of Torts as the law in Pennsylvania for negligent misrepresentation claims involving those in the business of supplying information to others, such as an architect or design professional.18 Id. at 287. The Court noted that recovery was possible even if the third party had no direct contractual relationship with the supplier of the information, as "Section 552 negates any requirement of privity." Id.

Most importantly for our current purposes, with respect to application of the economic loss doctrine, the Court looked to the "reasoned approach to the rule" expressed by the South Carolina Supreme Court in Tommy L. Griffin Plumbing & Heating Co. v. Jordan, Jones & Goulding, Inc., 320 S.C. 49, 463 S.E.2d 85 (1995), which observed that its

application of the "economic loss" rule maintains the dividing line between tort and contract while recognizing the realities of modern tort law. Purely "economic loss" may be recoverable under a variety of tort theories. The question, thus, is not whether the damages are physical or economic. Rather, the question of whether the plaintiff may maintain an action in tort for purely economic loss turns on the determination of the source of the duty plaintiff claims the defendant owed. A breach of a duty which arises under the provisions of a contract between the parties must be redressed under contract, and a tort action will not lie. A breach of duty arising independently of any contract duties between the parties, however, may support a tort action.

Id. at 287-88 (quoting Tommy L. Griffin Plumbing, 463 S.E.2d at 88 (footnote and citation omitted)). The Tommy L. Griffin Plumbing Court listed libel and defamation, accountant malpractice, legal malpractice, and architect liability among the examples of tort actions for which purely economic loss is recoverable. Tommy L. Griffin Plumbing, 463 S.E.2d at 88 & n.2.

This Court in Bilt-Rite explained that, "[l]ike South Carolina, Pennsylvania has long recognized that purely economic losses are recoverable in a variety of tort actions including the professional malpractice actions noted by the South Carolina Supreme Court." Bilt-Rite Contractors, 866 A.2d at 288. It thus agreed that "a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law." Id. In so doing, the Court noted that Bilt-Rite had no contractual relationship with TAS and thus, recovery under a contract theory was unavailable. However, because Bilt-Rite stated a viable claim for negligent misrepresentation under Section 552, which did not require privity, "logic dictate[d] that Bilt-Rite not be barred from recovering the damages it incurred, if proven."19 Id. The Court therefore held that the economic loss doctrine was inapplicable *1053 to negligent representation claims arising under Section 552. Id.

Following Bilt-Rite, this Court decided Excavation Technologies. In that case, Excavation Technologies, Inc. (Excavation Technologies) requested that Columbia Gas Company of Pennsylvania (Columbia) mark the locations of gas lines around work sites pursuant to the One Call Act.20 Columbia improperly marked some lines and failed to mark others, resulting in Excavation Technologies striking various gas lines, which in turn hampered its work and caused it economic damages. Based on the foregoing, Excavation Technologies sued Columbia on a theory of negligent misrepresentation under Section 552 of the Restatement (Second) of Torts, alleging that Columbia failed to comply with its duties under the One Call Act. In response, Columbia filed preliminary objections in the nature of a demurrer, claiming that the economic loss doctrine precluded liability. The trial court sustained Columbia's preliminary objections, and the Superior Court affirmed.

This Court granted review to decide "whether [Section] 552 of the Restatement (Second) of Torts [see supra at page 1051 n.17] imposes liability for economic losses to a contractor caused when a gas utility company fails to mark or improperly marks the location of gas lines." Excavation Technologies, 985 A.2d at 842. In answering this question, the Court distinguished the case from Bilt-Rite on the basis that Columbia was "not in the business of providing information for pecuniary gain" and therefore concluded that Section 552(1) and (2) of the Restatement (Second) of Torts were inapplicable. Id. at 843. Additionally, the Court declined Excavation Technologies' invitation to impose liability under Section 552(3) of the Restatement (Second) of Torts, which was not at issue and thus not addressed by Bilt-Rite. The Court rejected the argument that Section 552(3) applied because Columbia was under a duty to provide accurate information as to the location of its underground lines. In support of its conclusion, the Court reasoned that: (1) the Act's purpose was to protect against physical harm and property damage, not economic losses; (2) excavators, and not utility companies, ultimately retained the duty to identify the precise location of facilities pursuant to the Act; and (3) public policy weighed against imposing liability, as the costs would inevitably be passed to the consumer if utility companies were exposed to liability for an excavator's economic losses.21 Id. at 844.

In addition to its analysis above, the Court concluded that there was no statutory basis to impose liability for economic losses. It is at this point the Court discussed the economic loss doctrine, which the Court previously defined in a footnote as providing that "no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage." Id. at 841 n.3 (quoting Adams v. Copper Beach Townhome Communities, L.P., 816 A.2d 301, 305 (Pa. Super. 2003)). The Court reasoned that the "economic loss doctrine was well-established in tort law when the [One Call] Act was enacted" and later amended. Id. at 842 (citing *1054 Aikens v. Baltimore and Ohio Railroad Co., 348 Pa.Super. 17, 501 A.2d 277 (1985), which noted that the roots of the economic loss doctrine were first recognized in Robins Dry Dock & Repair Co. v. Flint, 275 U.S. 303, 48 S.Ct. 134, 72 L.Ed. 290 (1927)). The Court continued by explaining that "[t]he legislature was presumably aware of the economic loss doctrine when it established the statutory scheme governing the relationship among the entities required to participate under the Act," and found that "our legislature did not intend utility companies to be liable for economic harm caused by an inaccurate response under the Act, because it did not provide a private cause of action for economic losses." Id. at 842-43. In the context of this discussion, the Court cited In re Rodriguez, 587 Pa. 408, 900 A.2d 341, 345 (2003), for the proposition that "courts must assume [that the] legislature understands [the] legal landscape on which it enacts laws, and when [the] common law rule is not abrogated, they must assume it persists." Id. at 843.

Having set forth our decisions in Bilt-Rite and Excavation Technologies, we hold that those cases do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages. Indeed, the Bilt-Rite Court unequivocally stated that "Pennsylvania has long recognized that purely economic losses are recoverable in a variety of tort actions" and that "a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law." Bilt-Rite, 866 A.2d at 288. In so doing, the Court set forth a "reasoned approach" to applying the economic loss doctrine that "turns on the determination of the source of the duty plaintiff claims the defendant owed." Id. (quoting Tommy L. Griffin Plumbing, 463 S.E.2d at 88). Specifically, if the duty arises under a contract between the parties, a tort action will not lie from a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action. Id.

As stated above, the Bilt-Rite Court took this approach from the Supreme Court of South Carolina in the case of Tommy L. Griffin Plumbing. Notably, in Tommy L. Griffin Plumbing, the Supreme Court of South Carolina observed that "some states use the 'economic loss' rule to prohibit all recovery of purely economic damages in tort." Tommy L. Griffin Plumbing, 463 S.E.2d at 88. The South Carolina Supreme Court, however, rejected that approach in light of the fact that "[t]he law in South Carolina ... has long recognized tort actions when the damages are purely economic." Id. at 88 & n.2 (citing cases involving tort actions for purely economic damages, including architect liability, legal malpractice, accountant malpractice, and libel and defamation). In recognizing that Pennsylvania similarly "has long recognized that purely economic losses are recoverable in a variety of tort actions," Bilt-Rite, 866 A.2d at 288, and accepting South Carolina's annunciation of the economic loss doctrine, this Court likewise rejected that approach.

As for UPMC's argument that Bilt-Rite merely created a narrow exception to the otherwise broad economic loss doctrine for negligent misrepresentation claims falling under Section 552 of the Restatement, we find that argument unpersuasive. The Bilt-Rite Court set forth the general approach to the economic loss doctrine as gleaned from the South Carolina Supreme Court above and noted that Pennsylvania permits recovery of purely economic losses in a variety of tort actions. The Bilt-Rite Court concluded that, because Bilt-Rite had stated a viable claim for negligent misrepresentation *1055 under Section 552 of the Restatement, the economic loss doctrine did not bar its claim. In other words, Bilt-Rite held that a negligent misrepresentation claim made under Section 552 of the Restatement is one among many tort claims in Pennsylvania for which the economic loss doctrine does not act as a bar for recovery of purely economic losses.

Our reading of Excavation Technologies does not compel a different conclusion. As noted, the issue in that case was whether, under a theory of negligent misrepresentation pursuant to Section 552 of the Restatement (Second) of Torts, a utility is liable to a contractor for economic losses sustained when the utility fails to mark or improperly marks the location of gas lines pursuant to the One Call Act. In deciding that issue in the negative, the Court held that the contractor's claim did not fall under Section 552(1) and (2) of the Restatement (Second) of Torts and declined to impose liability under Section 552(3) of the Restatement. Thus, the Excavation Technologies Court did not hold that the economic loss doctrine barred Excavation Technologies' claim. Rather, it held that Excavation Technologies failed to state a viable claim for negligent misrepresentation under Section 552 of the Restatement in the first instance.

We acknowledge that the Excavation Technologies Court concluded that there was no statutory basis to impose liability on utility companies for economic losses under the One Call Act and, in so doing, included a broad definition and brief discussion of the economic loss doctrine. However, we find these observations to be ancillary not only to the Court's conclusion that the One Call Act did not provide for recovery of economic losses, but also to the Court's central holding that, in contrast to Bilt-Rite, the contractor failed to state a claim for negligent misrepresentation under Section 552 under the Restatement. Further, the Court supported its comments on the economic loss doctrine by citing nonbinding cases from the Superior Court that pre-date this Court's approach to the doctrine in Bilt-Rite. See Excavation Technologies, 985 A.2d at 841-43 & n.3 (quoting Adams, 816 A.2d at 305, and citing Aikens, 501 A.2d at 278-79).22 Indeed, *1056 the Excavation Technologies Court did not discuss Bilt-Rite's approach to the doctrine, set forth above, at all. Thus, to the extent Excavation Technologies can be interpreted as having any impact on the Court's expression of the rule under Bilt-Rite as we have now reaffirmed, we reject that interpretation.

Here, Employees have asserted that UPMC breached its common law duty to act with reasonable care in collecting and storing their personal and financial information on its computer systems. As this legal duty exists independently from any contractual obligations between the parties, the economic loss doctrine does not bar Employees' claim.

C. Conclusion

Based on the foregoing, we conclude that the courts below erred in determining that UPMC did not owe a duty to Employees to use reasonable care to safeguard their sensitive personal data in collecting and storing it on an internet-accessible computer system. We further hold that the lower courts erred in concluding that Pennsylvania's economic loss doctrine bars Employees' negligence claim. Accordingly, we vacate the judgment of the Superior Court, reverse the order of the trial court, and remand the matter to the trial court for further proceedings consistent with this opinion.

Justices Dougherty, Wecht and Mundy join the opinion.

Chief Justice Saylor files a concurring and dissenting opinion in which Justice Todd joins.

Justice Donohue did not participate in the consideration or decision of this matter.

CONCURRING AND DISSENTING OPINION

CHIEF JUSTICE SAYLOR

I agree with the majority that Employees' negligence claim should not have been dismissed upon a demurrer, at the preliminary objection stage, contesting the legal sufficiency of the complaint. I respectfully differ, however, with material aspects of the majority's reasoning.

From my point of view, the claim in issue sounds in both contract and tort, thus presenting a hybrid scenario. In this regard, Employees' claim is expressly premised on the discrete relationship between employers and employees relative to confidential personal and financial information provided as a condition of employment. See Second Amended Class Action Complaint at ¶ 56. This suggests that the claim should be viewed through a contract lens. Nevertheless, Section 302B of the Second Restatement -- addressing the risk of intentional or criminal acts -- recognizes that duties arising out of contractual relationships may form the basis for tort liabilities. See Restatement (Second) § 302B, cmt. e (1965) ("There are ... situations in *1057 which the actor, as a reasonable man, is required to anticipate and guard against the intentional, or even criminal, misconduct of others[,] ... including "[w]here, by contract or otherwise, the actor has undertaken a duty to protect the other against such misconduct"). See generally Snoparsky v. Baer, 439 Pa. 140, 145-46, 266 A.2d 707, 710 (1970) (referencing Section 302B favorably).1

Ultimately, I find that an employer who collects confidential personal and financial information from employees stands in such a special relationship to those employees with respect to that information, and I have no difficulty concluding that such a relationship should give rise to a duty of reasonable care to ensure the maintenance of appropriate confidentiality as against reasonably foreseeable criminal activity.2

This brings me to the economic loss doctrine. Initially, I respectfully differ with the majority's position that the doctrine should be essentially removed from the tort arena so long as the duty involved can be categorized as "existing independently from any contractual obligations between the parties." Majority Opinion, at 1056.3 In this regard, I note that the economic loss doctrine serves as a bulwark against uncontrolled liability. See, e.g., Ultramares Corp. v. Touche, 255 N.Y. 170, 174 N.E. 441, 444 (1931) (Cardozo, C.J.) (warning against imposing liability "in an indeterminate amount for an indeterminate time to an indeterminate class"). See generally Catherine M. Sharkey, Can Data Breach Claims Survive the Economic Loss Rule?, 66 DEPAUL L. REV. 339, 348-60 (2017) (depicting the application of the economic loss rule in the "stranger paradigm," where the actor has no preexisting contractual or special relationship with an injured victim). From my point of view, a proclamation negating the operation of the economic loss doctrine in the tort law arena is both unnecessary to the resolution of the present case and imprudent. Instead, particularly because of the hybrid nature of Employees' claim, I find that the applicability of the economic loss doctrine should be determined more by way of a discrete social policy assessment than as a matter of mere categorization.4

*1058 In this regard, I am sympathetic to UPMC's concerns about exposure to litigation and the scale of the potential liability involved. Nevertheless, I would also be reluctant to hold that employers should be absolutely immune from liability for any sort of economic damages occasioned by negligent conduct on their part relative to the safeguarding of confidential personal and financial data. Along these lines, I note that some other courts have applied the economic loss doctrine to impose limitations on the scope of damages without foreclosing economic damages entirely. See, e.g., Anderson v. Hannaford Bros. Co., 659 F.3d 151, 162 (1st Cir. 2011) (discussing the availability, in Maine, of recovery for economic losses in the form of "mitigation damages," i.e., recovery for costs and harms incurred during a reasonable effort to mitigate losses occasioned by computer data breaches). Although any such limitations are not directly in issue here, I strike the balance here in favor of permitting recovery of at least mitigation damages -- in the data breach context -- in instances in which an employee or employees prove that the employer has violated the duty to exercise reasonable care in protecting confidential personal and financial data.5

Finally, I appreciate that this matter of substantive tort law is more properly the domain of the Legislature. Nevertheless, I agree with the majority -- in the broadest frame -- that a pre-existing, traditional tort framework can be applied to the claim involved, and, again, I find that the economic loss doctrine, and other rational constraints, can be assessed in terms of the damages calculation for proven, wrongful conduct on an employer's part.6

In summary, while I concur in the majority's determination that Count I of the complaint should be reinstated, I respectfully dissent concerning the legal principles by which the majority undertakes to curtail the economic loss doctrine.

Justice Todd joins this concurring and dissenting opinion.