The negligent failure to implement reasonable data security is now a viable claim according to Pennsylvania’s Supreme Court, which recently recognized a common law duty to protect personal information. The court did not see itself creating a new duty, but articulating one that already existed, Ed McAndrew, partner at Ballard Spahr, told the Cybersecurity Law Report. Because the decision “doesn’t place guardrails around the legal reasoning,” it could “certainly expand quickly beyond the employer-employee relationship.” In this article, we explore the potentially broad impact of this decision in both scope and geography. See also “Synthesizing New York and Colorado’s Trailblazing Data Security Regulations for Financial Firms” (Jul. 12, 2017); and “What to Expect From California’s Expansive Privacy Legislation” (Jul. 18, 2018).