Collect Now, Pay Later: PA Federal Court Ruling Imposes Duty On Retailers Upon Collecting Payment Data


By: Justin Boron and Courtney Mazzio

The eye of the needle that retail businesses must thread to avoid data breach class actions just got a little narrower in Pennsylvania.

In a decision issued this month in In re Rutter’s Data Sec. Breach Litig., No. 1:20-cv-382 (M.D. Pa. Jan. 5, 2021), a Pennsylvania federal court judge denied a motion to dismiss and held—for the first time under Pennsylvania law—that retailers and other businesses who collect credit and debit card information owe a duty of care to protect their customers’ information from unauthorized access by hackers.

The district court’s decision expanded on the duty to protect employee privacy data that the Pennsylvania Supreme Court recognized in the employment context in Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018). As in Dittman, the district court drew on traditional tort principles and reasoned that the retailer owed a duty because it took an affirmative step toward protecting consumer data—much as a rescuer assumes a duty of care by taking affirmative steps toward rescuing someone.

The decision also exemplifies the way in which courts have become more comfortable with the burgeoning area of law involving technology, electronically stored personal data, and the unique, ever-expanding threats from hackers. In the recent past, courts struggled to fit data breaches into a cognizable claim, primarily because the breaches involved some unknown third-party actor and lacked the clear physical or monetary injuries that exist in other legal contexts.

As a result, defense litigators could rely on a steady stream of decisions to cut off data breach class actions at the outset—well before the case reached costly discovery and class certification phases. But the Rutter’s opinion sends the message that courts are tackling a difficult subject matter area by analogizing to traditional tort and contract principles and shaping the legal doctrines around the unique technology context.

How the duty will take shape—and what specific protective measures will be required to fulfill it—is not clear from the decision and will likely evolve as cases arise. That puts businesses at a disadvantage because—absent legislative intervention—there is no clear standard for what a retailer can do to avoid liability as a result of third-party data breaches.

One silver lining of the Rutter’s decision, however, is that it reaffirmed Third Circuit precedent holding that the risk of future harm from a data breach is insufficient to establish Article III standing. This requirement will continue to screen out many potential plaintiffs who have not suffered any injury or damages as a result of having their personal identifying information, protected health information, or account information compromised.

If you have questions or would like more information, please contact Justin Boron at and Courtney Mazzio at