According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA).
As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for any organization.
Employees who fall for CEO fraud commit an "intentional disclosure".
Poyner Spruill's J.M. Durnovich was right to highlight this development, which was also picked up by the nationwide Law360 site. Failing to train employees may quickly become more costly, and not only for North Carolina employers: other courts will look at this decision and may well reach the same conclusion, that an employee's reply to a scam like this is an intentional disclosure exposing the employer to treble damages.
Here is a short extract from the Poyner Spruill post:
Schletter Falls Victim to Phishing Scheme
"In 2016, a Schletter employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for an apparent verification measure. The employee obliged, sending the supposed supervisor an unencrypted file containing the 200 employees’ personal information.
"Schletter notified its employees by form letter sent about six days after discovering the incident. Without providing much detail regarding the incident, the letter offered to pay for two years of credit monitoring and identity theft protection services for each of the affected employees.
"The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).
Treble Damages Available in Employees’ Class Action
"The employees’ lawsuit contained a claim under the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not “intentionally communicate or otherwise make available to the general public an individual’s social security number.”
"Importantly, if the disclosure was intentional, the business may be liable for treble damages.
"Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public. The federal court rejected Schletter’s argument, finding that the e-mail response, “while solicited under false pretenses, was intentionally made.”
"The court’s reasoning turned on the distinction between a breach and a disclosure:
"This was not a case of a data breach, but a case of data disclosure"
"This was not a case of a data breach, wherein a hacker infiltrated the Defendant’s computer systems and stole the Plaintiffs’ information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees.
"Under that rationale, the court allowed the employees to seek treble damages from Schletter."
Providing new-school security awareness training for your employees has always been a no-brainer, simply because it pays for itself within a month. This decision, however, raises the stakes significantly.
If courts treat an employee's reply to a phishing email as an "intentional disclosure" that exposes the employer to treble damages, effective awareness training stops being optional: it needed to be in place yesterday.