Employees May Sue Regarding Phishing Scam

Why is phishing email awareness and training so important for you and for your employees?

Because, in some circumstances, if an employee is tricked into revealing personal information in response to a phishing email, the employer may be on the hook for treble damages.

Curry, et al. v. Schletter, Inc.

From PoynerSpruill.com, a North Carolina law firm:

According to a recent federal court decision [in North Carolina], an employee who is tricked into sharing personal information in response to a phishing e-mail can be seen as committing an intentional disclosure under North Carolina’s Identity Theft Protection Act. As a result, the employer could face treble damages for the employee’s mistake.

The specific case discussed involved a phishing request made in 2016 to an employee of Schletter, Inc.. The request was for W-2s of about 200 employees which were emailed (unencrypted) to the cybercriminal.

When the breach was discovered, Schletter offered to pay for two years of credit monitoring and identity theft protection to the affected employees. However, the employees were unsatisfied with this offer and instead filed a class-action lawsuit against Schletter.

The court found that even though the employee who emailed the personal information didn’t intend to send it to the scammer (they thought they were emailing a Schletter manager), the fact that it was emailed meant that it was an intentional disclosure. From the court’s ruling:

[T]his was not a case of a data breach, wherein a hacker infiltrated the Defendant’s computer systems and stole the Plaintiffs’ information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees.

Since this decision, Schletter has filed for bankruptcy and the lawsuit has been stayed.

The good news (for now, at least), is that the specific ruling in this case may not have more far-reaching implications. The article goes on to say that this “was a single trial court’s decision. The Fourth Circuit hasn’t weighed in on this issue, nor have North Carolina’s appellate courts.”

What This Ruling Could Mean

This ruling is a sign, however, that courts are beginning to take information security much more seriously. It’s also clear that the knowledge, training, and actions of employees are an important part of a business’s information security. At least as important as strong passwords, regular backups, and the use of effective firewalls.

This means that in addition to time-wasting spam, employees also must be able to identify and delete phishing emails. Like spam, phishing email scammers are constantly changing their tactics to try and stay one step ahead of you.

Antespam’s Email Security Training service provides realistic looking, 100% safe, phishing email simulations that teach employees without time away from work, and you can try it out for free for one month right now.