By now I’m sure just about everyone has heard of the risks that can stem from being duped by phishing schemes. Unfortunately, some people are still taking the bait. Falling for these cyber attacks can lead not only to your personal data being compromised but, in certain situations, to the demise of your entire company. Federal courts have taken notice and are starting to crack down. According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing e-mail can be seen as committing an “intentional disclosure” under North Carolina’s Identity Theft Protection Act. As a result, the employer could pay up to three times the amount of damages for the employee’s mistake.
While phishing scams have been around for quite some time, they have lately become harder to distinguish from authentic emails. Case in point: Schletter Inc. In 2016, a Schletter employee received an email appearing to be from a supervisor requesting W-2 tax info for the company’s employees. The employee obliged and replied with an unencrypted file containing the W-2 information. Lo and behold, the e-mail was a scam and more than 200 employees’ personal information (including SSNs) was sent directly to a cybercriminal. After discovering the incident, Schletter notified employees and offered two years of credit monitoring and identity theft services to all affected. However, the employees didn’t want credit monitoring; they wanted justice.
Off to court they go!
The employees filed a class action lawsuit with a claim under the North Carolina Identity Theft Protection Act (NCITPA), which states that a business may not “intentionally communicate or otherwise make available to the general public an individual’s social security number.”
Schletter argued that the employee didn’t intend to send the information to the public, but the court rejected the argument, saying that even though the email response was solicited under false pretenses, it was still intentionally made. This rejection ultimately led to the court’s distinction between whether this was a case of a data breach or a data disclosure.
Under the rationale that there was no hacker infiltrating the computer systems and the data was disclosed intentionally through email, the courts ruled in favor of the employees, leading to Schletter having to pay punitive damages. Since the decision, Schletter has filed for bankruptcy and its employees’ lawsuit has been stayed.
Whether you side with Schletter or the employees, this court’s decision is a clear signal for North Carolina’s and all states’ employers that the courts are taking information security seriously. This certainly won’t be the last case we see involving employee information being exposed by cyber negligence.