Employers Can be Liable if Employees get Phished

Security

I have been talking about the importance of cybersecurity awareness for some time now, including proactive additional security layers such as Microsoft’s Safe Links and Safe Attachments add-ons for Office 365, and most importantly proactive training and test phishing attempts to check employees’ real-world knowledge. Unfortunately, the conversation usually ends with the person I am chatting with saying “that is good to know, but not right now.” Even more unfortunate is that 9 times out of 10 I will hear back from that person, now panicked, months or sometimes even weeks later when they have had a data breach and it was tracked to an employee falling for a phishing attack.

Until now these types of CEO-style phishing attacks, while targeted at businesses, have often caused more harm to the employees than to the business by exposing Social Security numbers, bank information and other personal data of fellow employees. With the latest case to make it through the courts, the time to act is now more than ever.

A recent federal court decision has changed the landscape on cybersecurity and awareness training overnight. The court ruled that an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA), and as a result, the employer could face significant damages for the employee’s mistake.

Employees who expose information commit an "intentional disclosure".

The failure to provide employees with cybersecurity awareness training may quickly become very costly to all employers, not just North Carolina employers. This decision has set a precedent that other courts will look at and will most likely follow, concluding that an employer that does not take reasonable measures to defend against scams like this, such as cybersecurity awareness training provided by a reputable company, is exposed to lawsuits for damages.

Here is a short extract from the Poyner Spruill post, which I strongly recommend you read in full:

Schletter Falls Victim to Phishing Scheme

This is precisely what happened to Schletter, Inc., a global manufacturer and distributor of solar mounting systems with its North American headquarters in Shelby, North Carolina.

In 2016, a Schletter employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for an apparent verification measure. The employee obliged, sending the supposed supervisor an unencrypted file containing the requested information. Unfortunately, the e-mail was a phishing scam. The employee was duped into sharing more than 200 employees’ personal information (including SSNs) with a cybercriminal.

Schletter notified its employees by form letter sent about six days after discovering the incident. Without providing much detail regarding the incident, the letter offered to pay for two years of credit monitoring and identity theft protection services for each of the affected employees. The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).

Treble Damages Available in Employees’ Class Action

The employees’ lawsuit contained a claim under the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not “[i]ntentionally communicate or otherwise make available to the general public an individual’s social security number.” Importantly, if the disclosure was intentional, the business may be liable for treble damages.

Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public. To be sure, the employee simply intended to communicate the information to their manager, but was instead duped into communicating it to the cybercriminal. According to Schletter, if the employee had no idea the information would end up in the hands of a cybercriminal, then surely the employee couldn’t have intended to do so.

The federal court rejected Schletter’s argument, finding that the e-mail response, “while solicited under false pretenses, was intentionally made.” The court’s reasoning turned on the distinction between a breach and a disclosure:

[T]his was not a case of a data breach, wherein a hacker infiltrated the Defendant’s computer systems and stole the Plaintiffs’ information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees.

Under that rationale, the court allowed the employees to seek treble damages from Schletter.


For anyone who has seen what is going on in the cyber world today, getting your users security awareness training has always been a no-brainer, but it has often fallen by the wayside, replaced with more unofficial measures such as sending a “Don’t get phished” reminder email or a “here, go watch this video” message. This recent case raises the stakes significantly and shows that it is now critical to make sure you are taking appropriate and official measures to train your employees in cybersecurity awareness. The few dollars a month that cybersecurity awareness training costs per employee through a reputable IT firm such as LogicCloud IT is nothing compared to what treble damages could cost a company.

If a court decides that not training your employees against phishing scams like this is equivalent to "intentional disclosure" resulting in punitive damages, it is time to get effective awareness training in place yesterday.

LogicCloud IT offers cybersecurity awareness training and one-time or ongoing simulated phishing training for businesses.

Contact us today to find out how to take steps to reduce your exposure and test and train your employees.