By now, you’ve surely been warned of so-called “phishing” e-mails. The failure to heed such warnings may become more costly for North Carolina employers. According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing e-mail can be seen as committing an intentional disclosure under North Carolina’s Identity Theft Protection Act. As a result, the employer could face treble damages for the employee’s mistake.
Sophisticated Phishing Schemes
Phishing scams are becoming increasingly prevalent and sophisticated. Here’s how they typically operate: An employee in your accounting department receives an email requesting W-2 information for the company’s employees. The e-mail appears to come from a manager the employee knows—it may actually come from a legitimate account that’s been hijacked, or it might come from a deceptively similar account designed to spoof the manager. Often, these phishing emails are sent during tax season when employees are busy and the request seems ordinary and legitimate. The email might look something like this:
Your employee, acting with the best intentions, sends the requested information. Unfortunately, the request didn’t originate within your company—it came from a cybercriminal, who now has the personal information of all your employees.
Schletter Falls Victim to Phishing Scheme
This is precisely what happened to Schletter, Inc., a global manufacturer and distributor of solar mounting systems with its North American headquarters in Shelby, North Carolina.
In 2016, a Schletter employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for an apparent verification measure. The employee obliged, sending the supposed supervisor an unencrypted file containing the requested information. Unfortunately, the e-mail was a phishing scam. The employee was duped into sharing more than 200 employees’ personal information (including SSNs) with a cybercriminal.
Schletter notified its employees by form letter sent about six days after discovering the incident. Without providing much detail regarding the incident, the letter offered to pay for two years of credit monitoring and identity theft protection services for each of the affected employees. The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).
Treble Damages Available in Employees’ Class Action
The employees’ lawsuit contained a claim under the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not “[i]ntentionally communicate or otherwise make available to the general public an individual’s social security number.” Importantly, if the disclosure was intentional, the business may be liable for treble damages.
Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public. To be sure, the employee simply intended to communicate the information to their manager, but was instead duped into communicating it to the cybercriminal. According to Schletter, if the employee had no idea the information would end up in the hands of a cybercriminal, then surely the employee couldn’t have intended to do so.
The federal court rejected Schletter’s argument, finding that the e-mail response, “while solicited under false pretenses, was intentionally made.” The court’s reasoning turned on the distinction between a breach and a disclosure:
[T]his was not a case of a data breach, wherein a hacker infiltrated the Defendant’s computer systems and stole the Plaintiffs’ information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees.
Under that rationale, the court allowed the employees to seek treble damages from Schletter.
The court’s view of the NCITPA’s “intentional” requirement is notable. Typically, treble damages (or punitive damages) are reserved for cases involving some sort of malicious conduct, that is, for parties who intentionally cause harm. In the context of a data disclosure, an obvious example would be an employee who sells protected information to a cybercriminal for profit. Here, though, the intended recipient of the information was immaterial—all that mattered was that the employee intended to transmit the information. As a result, the court seemingly heightened the repercussions for falling victim to negligent insiders (like the well-intentioned Schletter employee) over criminal outsiders (like a hacker covertly stealing the information).
Protecting Employee Data and Limiting Exposure
While the court’s strict interpretation will give many employers pause, it is important to note that this was a single trial court’s decision. The Fourth Circuit hasn’t weighed in on this issue, nor have North Carolina’s appellate courts. Since the decision, Schletter has filed for bankruptcy and its employees’ lawsuit has been stayed. As a result, we won’t know whether Schletter is actually found liable for treble damages for quite some time, if ever.
Nonetheless, the court’s decision is a clear signal for North Carolina’s employers that the courts are taking information security seriously. Here are a few ways to limit your company’s exposure:
First and foremost, it is important to understand that your personnel can be either your greatest vulnerability to—or best defense against—cyber criminals. Therefore, it is critical that employers properly train their employees to recognize and avoid these risks. In this case, the employees claimed Schletter failed to provide “even the most basic of security measures” that could have prevented the disclosure. Employers can avoid being caught in the same predicament by implementing appropriate safeguards, such as cyber security training programs that educate and sensitize their employees to these issues. In our experience, an informative and consistent training program can give your personnel a real sense of “ownership” and responsibility for the company’s cyber security efforts.
Similarly, consider consulting with our Privacy and Information Security attorneys before a cyber crisis happens—we can advise on incident response planning and mitigation efforts that will help your company recover from a cyber security incident more quickly and with less disruption and liability exposure.
Next, it is imperative that employers move quickly when faced with a potential breach or disclosure. Schletter’s employees, for example, argued that every day Schletter delayed notifying its employees of the disclosure only increased the likelihood their information would be used to their detriment. Their claimed damages increased accordingly.
Finally, should you find your company’s data has been compromised, notify your attorneys at Poyner Spruill immediately. Our team is prepared to assist in an emergency and limit your company’s exposure.