[Heads-up] Employees Sue Company For W-2 Phishing Scam. Federal Court Decides Triple Damages
Source: KnowBe4 Blog. This is a real screenshot of CEO Fraud.


Imagine my surprise when I saw a picture of myself in the blog of the large North Carolina law firm Poyner Spruill. It was all good though.

They had picked up an example of a real W-2 phishing scam we received that I had posted on our own blog. The screenshot was a good illustration of the risks of W-2 CEO Fraud.

However, the article literally raised my eyebrows. Why?

Read this and then send this post to your CEO and your legal team right away.

According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for businesses.

Employees who fall for CEO Fraud commit an "intentional disclosure".

Poyner Spruill's J.M. Durnovich was right to highlight this development, which was also picked up by the nationwide Law360 site.

The failure to train employees may quickly become more costly, and not only for North Carolina employers. This decision will be looked at by other courts, which may very well come to the same conclusion: that not taking reasonable measures (whitepaper) to defend against scams like this merits treble (punitive) damages.

Here is a short extract from the Poyner Spruill post which I strongly recommend you read in full:

Schletter Falls Victim to Phishing Scheme

"In 2016, a Schletter employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for an apparent verification measure. The employee obliged, sending the supposed supervisor an unencrypted file containing the 200 employees’ personal information.

"Schletter notified its employees by form letter sent about six days after discovering the incident. Without providing much detail regarding the incident, the letter offered to pay for two years of credit monitoring and identity theft protection services for each of the affected employees. The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).

Treble Damages Available in Employees’ Class Action

"The employees’ lawsuit contained a claim under the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not “[i]ntentionally communicate or otherwise make available to the general public an individual’s social security number.” Importantly, if the disclosure was intentional, the business may be liable for treble damages.

"Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public. The federal court rejected Schletter’s argument, finding that the e-mail response, “while solicited under false pretenses, was intentionally made.” The court’s reasoning turned on the distinction between a breach and a disclosure:

"This was not a case of a data breach, but a case of data disclosure"

"This was not a case of a data breach, wherein a hacker infiltrated the Defendant’s computer systems and stole the Plaintiffs’ information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees." Under that rationale, the court allowed the employees to seek treble damages from Schletter.

The court’s view of the NCITPA’s “intentional” requirement is notable.

"Typically, treble damages (or punitive damages) are reserved for cases involving some sort of malicious conduct. That is, for parties who intentionally cause harm. In the context of a data disclosure, an obvious example would be where an employee sells protected information to a cybercriminal for profit. Here, though, the intended recipient of the information was immaterial—all that mattered was that the employee intended to transmit the information.

"As a result, the court seemingly heightened the repercussions for falling victim to negligent insiders (like the well-intentioned Schletter employee) over criminal outsiders (like a hacker covertly stealing the information).

Schletter has filed for bankruptcy

"While the court’s strict interpretation will give many employers pause, it is important to note that this was a single trial court’s decision. The Fourth Circuit hasn’t weighed in on this issue, nor have North Carolina’s appellate courts. Since the decision, Schletter has filed for bankruptcy and its employees’ lawsuit has been stayed. As a result, we won’t know whether Schletter is actually found liable for treble damages for quite some time, if ever."

The article continues with good suggestions to limit your organization's exposure.

I have never seen more powerful ammo for budget than this

Stepping your users through new-school security awareness training has always been a no-brainer, simply because it pays for itself within a month. However, this decision raises the stakes significantly.

If a court decides that not training your employees against phishing scams like this is tantamount to "intentional disclosure" resulting in punitive damages, it's time to get effective awareness training in place yesterday.

I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

https://info.knowbe4.com/kmsat_get_a_quote_now

Let's stay safe out there.

Warm regards,

Stu Sjouwerman,

Founder and CEO, KnowBe4, Inc

Brian Lourie, CISSP CDPSE

I help achieve business objectives ensuring the appropriate level of Cyber Security with a focus on M&A.

6 years

I would expect this to be challenged in other courts, and as it mentions, it was stayed, so we can't be sure what the outcome would have been. But it is good to get your legal team's perspective now. More fundamentally, if enough states come up with their own cyber laws, will the US government be forced to adopt/accept some of them, or will it create chaos trying to meet unique requirements in every state?
