Imagine the following:
In the height of tax season, an accounting clerk opens an email asking him: “Please send me W-2’s for employees in the marketing department. I need this information ASAP. Thanks very much.” The name on the email is the comptroller’s, so the clerk sends along the information. But the email was not from the comptroller—it was actually from a cybercriminal, and the W-2s are now for sale on the dark web.
The clerk fell victim to an increasingly common scam known as spoofing, or making an email appear to come from a legitimate source. It is an alarming trend that only seems to be increasing in its level of sophistication. Spoofing has especially grave implications for employers, who collect and retain significant amounts of employees’ personal information.
But who is to blame in this scenario? The cybercriminal, of course. But who else is at fault—the accounting clerk? The company? As strange as it may seem, the company might be liable for the identity theft suffered by the marketing department.
Just how and why an employer might be liable in this scenario is better explained by taking a look at a recent federal case.
Less than six months ago, the U.S. District Court for the Western District of North Carolina issued a stark ruling in Curry v. Schletter Inc. The case should be a cautionary tale and a reminder to employers of the importance of training on how to avoid cyber-scams. Failure to do so may be expensive.
In Curry, the plaintiffs were a group of former and current employees of Schletter Inc., a global manufacturer and distributor of solar mounting systems based in North Carolina. Schletter, like every employer, maintains sensitive personal information about its employees, such as name, address, date of birth and social security number, as part of its ordinary course of business.
In April 2016, an employee responded to a cybercriminal she believed to be her company’s CEO by providing the personal information of over 200 employees. About one week after the disclosure, the company mailed a letter to all of its former and current employees, notifying them of what had happened.
Embarrassing as that was, Schletter’s story only gets worse. Evidence came to light that the company had already been warned about similar phishing e-mail scams. In August 2015, the FBI had issued an alert specifically warning of the lightning-like speed at which these scams were occurring. Despite these warnings from the FBI, Schletter did not provide enough training to its employees on how to recognize and respond to spoofing. Indeed, the company failed to educate employees on even basic security measures that could have easily prevented the disclosure.
Unfortunately, that was not the only thing Schletter had failed to do. Even with the notice mailed out one week later, Schletter was found not to have timely disclosed to its employees the extent of the breach, and to have failed to timely notify each affected employee. As a result, the employees were unable to protect themselves from the consequences of the data breach. Compounding matters, Schletter did not compensate the victims or provide any assistance with the burdens caused by the errant disclosure. The victims took the company to court, asserting claims for monetary losses, lost time, anxiety and emotional distress.
The court found that Schletter had violated the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not intentionally communicate or make available to the general public an individual’s personal information. If the disclosure is intentional, the business may be liable for treble damages, meaning the court can triple the damages amount awarded to a plaintiff.
Schletter argued that the employee intended to communicate the information to the supervisor, not the general public. The court, however, rejected that argument and found that while the employee was “solicited under false pretenses,” her e-mail response was still “intentionally made.” This finding hinged on the distinction between a data breach and a data disclosure. A data breach typically involves a hacker infiltrating a computer system to steal information. A data disclosure, on the other hand, typically involves an individual who is already inside the system intentionally providing highly sensitive information.
The court allowed the employees to seek treble damages—triple the amount of actual damages—but Schletter filed for bankruptcy shortly after the decision, halting the lawsuit. As a result, it is unknown whether Schletter will be found liable for treble damages at this time.
It’s worth noting that treble damages are generally reserved for malicious conduct. For example, an employee who sells a company’s trade secrets to that company’s competitor has engaged in malicious conduct. Curry, however, illustrates that treble damages can come into play even when an employee had the purest of intentions (to comply with a supervisor’s instructions).
How Can Employers Protect Themselves?
North Carolina employers are not the only ones who should be nervous in the wake of Curry. The decision has broader implications for employers throughout the nation. Laws, local ordinances, and regulations are constantly being proposed, enacted, and revised to match the constantly evolving cybersecurity threats, leaving many employers baffled as to the extent to which they can be held liable for breaches or disclosures that occur. The decision in Curry sheds light on how other courts may interpret cases with similar issues.
Thankfully, employers are not without recourse. The best defense against a data breach is to ensure one never happens in the first place. Businesses can protect against potential claims by implementing a training program for employees on data disclosure prevention. This training should include a review of (1) basic cybersecurity protocols and (2) how to recognize common phishing scams that lead to data disclosure. Employers should also have a response plan in place for when a disclosure does occur, in order to mitigate possible exposure. For example, the plaintiffs in Curry argued that each passing day the company failed to notify employees of the disclosure increased the chances of their personal information being misused, and they increased their claimed damages accordingly. It also likely did not sit well with the court that Schletter did not offer to pay for identity protection or credit monitoring services for the employees.
It’s important to convey to your employees that they should never simply hit the reply button on an email. Recheck the sender’s email address and, when extremely sensitive information is requested, consider first calling the sender to verify that the e-mail legitimately came from that individual.
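The two checks in this paragraph, recheck the address and do not blindly reply, expressed as a small header check in Python. This is an added example, not from the article; the company domain, the executive roster and both sample messages are constructed placeholders.

```python
from email import message_from_bytes
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.test"                      # placeholder, not the article's
EXECUTIVES = {"jane doe": "jane.doe@example-co.test"}   # constructed roster of executives

# Constructed spoof: the comptroller's display name on an outside mailbox,
# plus a Reply-To that would redirect a reply away from the visible sender.
RAW_SPOOF = b"""From: Jane Doe <jane.doe@example-co-payroll.test>
Reply-To: Jane Doe <j.doe.finance@mail-example.test>
To: clerk@example-co.test
Subject: W-2s needed ASAP

Please send me W-2s for the marketing department. Thanks.
"""

# Constructed legitimate message from the address on record, no Reply-To.
RAW_LEGIT = b"""From: Jane Doe <jane.doe@example-co.test>
To: clerk@example-co.test
Subject: Quarterly close schedule

Meeting moved to Thursday.
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoofing_flags(raw: bytes) -> list[str]:
    """Return reasons the message should be verified out of band before replying."""
    msg = message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    flags = []
    # "Recheck the email address": executive's name, but not the address on record.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append(f"display name '{from_name}' but {from_addr} is not on record ({known})")
    # The visible sender domain is outside the company at all.
    if domain_of(from_addr) and domain_of(from_addr) != COMPANY_DOMAIN:
        flags.append(f"From domain {domain_of(from_addr)} is outside {COMPANY_DOMAIN}")
    # "Never simply hit reply": a reply would go to a different address than From.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    return flags

if __name__ == "__main__":
    for reason in spoofing_flags(RAW_SPOOF):
        print("VERIFY BY PHONE:", reason)
```

A mail gateway or mailbox rule would apply the same logic before the message reaches the clerk; here it is shown on two embedded headers so the checks are easy to read.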
And remember: if an employee falls victim to a phishing scam, the company can be on the hook for the damages arising from identity theft.
Peter Hall is a shareholder in the Employment and Labor practice at Chamberlain Hrdlicka (Atlanta). He counsels both large and small employers on a variety of labor and employment issues, including avoidance of discrimination claims, employee termination and union avoidance.
Kevin Langley is an associate in the Employment and Labor practice at Chamberlain Hrdlicka (Atlanta). He represents businesses in labor and employment litigation matters, including wage-and-hour class and collective actions and claims against former employees who have misappropriated trade secrets, unlawfully accessed protected computers and breached non-compete and non-solicit agreements.