Court Imposes a Common Law Duty to Use Reasonable Security Measures on All Businesses That Retain Credit and Debit Card Information in Pennsylvania
On January 5, 2021, the U.S. District Court for the Middle District of Pennsylvania held in In re Rutter’s Data Security Breach Litigation, 1:20-cv-382 (M.D.Pa. Jan. 5, 2021) that a business that retained credit and debit card information has a common law duty to use reasonable security measures to protect such information. The case stemmed from a data breach suffered by Rutter’s, which operates 72 convenience stores in Central Pennsylvania, in which malware targeted the names, credit and debit card numbers, expiration dates, and internal verification codes of customers who paid at POS devices at approximately 10 of the company’s stores. A subsequent class action lawsuit alleged that the company negligently failed to properly safeguard customers’ credit and debit card information.
Rutter’s argued that it could not have been negligent because it owed its customers no duty to use reasonable security measures to protect credit and debit card information. The Court rejected that argument and held that such a duty exists because the “affirmative act of retaining credit and debit card information…created a risk of foreseeable harm from” hackers. The duty arises from that affirmative act alone and does not depend on any special relationship, such as an agency or fiduciary relationship, between the business and its customers. This holding follows the Pennsylvania Supreme Court’s 2018 decision in Dittman v. UPMC, 649 Pa. 496 (Pa. 2018), which held that employers that collect personal information from their employees have a common law duty to use reasonable security measures to protect that information.
Given the holding in Rutter’s, businesses that process credit and debit card payments in Pennsylvania should review their data security practices and procedures and implement the measures that Rutter’s allegedly failed to implement, including regular maintenance of payment systems, monitoring for weaknesses and intrusions, penetration testing, and testing and evaluation of payment card processing systems by an outside vendor. Businesses that do not process such payments in Pennsylvania should consider doing the same, for two reasons. First, courts in other states may follow the Rutter’s Court’s lead and recognize a comparable common law duty. Second, documented reasonable security measures may help defend against claims brought after a cybersecurity incident under state data security and privacy statutes such as the California Consumer Privacy Act (CCPA), as well as claims brought under theories such as consumer fraud and breach of contract.