Phishing emails, we’ve been pounding this topic religiously these past few weeks, covering this topic in our Webinar Recap: How To Avoid Falling Victim To An Email Phishing Scam.
If you’re just joining us around this whole Phishing epidemic, and you’re not entirely sure what Phishing means, to quote an earlier article What Your Staff needs To Know About Phishing:
Phishing is the security industry’s term for trick emails. Someone is wanting to trick you into giving them data, information or access to something they can exploit. Think of them as email con artists.
So we’ve read the “Beware” and “Don’t Take The Bait!” signs, and herein lies the point: failure to heed such warnings, protect yourself, educate your employees and create email protocol that protects your business can become especially costly for North Carolina employers.
According to a recent feral court decision around a recent case, Curry et al. v. Schletter Inc., an employee who is tricked into sharing personal information in response to a phishing e-mail can be seen as committing an intentional disclosure under North Carolina’s Identity Theft Protection Act. As a result, the employer could face triple damages for the employee’s mistake.
Wait what, say that again?
Three Times The Damage Charged For Your Employee’s Mistake
In the federal court’s eyes, for North Carolina employers if you have an employee that ACCIDENTALLY falls for a phishing e-mail scam and ultimately compromises a client’s personal information, you as the business owner may have to pay THREE times the damages charged for your employee’s mistake. A $1,000,000 mistake turns into a fine on you, the business owner for $3,000,000 under North Carolina’s Identity Theft Protection Act. Yikes.
Next Level Phishing Scams
So what kind of phishing trick got the Schletter Employee on the hook?
If you listened in on our Webinar: How To Avoid Falling Victim To Email Phishing Scam you’d see this was a classic BEC technique.
The hacker impersonated a manager within the company, requesting information for the company’s W2 employees, and in the case of Schletter, Inc., a global manufacturer and distributor of solar mounting systems based in Shelby, North Carolina — the phishing email went something like this:
“I want you to send me the list of W-2 Copy of employee wage and tax statements for 2016. I need them in a PDF file type; you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.”
The employee, acting with the best intentions, sent the requested information. Unfortunately, the e-mail was a phishing scam. The employee was duped into sharing more than 200 employees’ personal information (including SSNs) with a cybercriminal.
Six days after discovering the incident, Schletter notified its employees by form letter. Without providing much detail regarding the incident, the letter offered to pay for two years’ of credit monitoring and identity theft protection services for each of the affected employees.
The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).
Data Breach or Disclosure?
The case hinged on the court’s interpretation of the North Carolina Identity Theft Protection Act (NCITPA), stating that a business may not “[i]ntentionally communicate or otherwise make available to the general public an individual’s social security number.” Importantly, if the disclosure was intentional, the business may be liable for treble damages.”
Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public.
The federal court rejected Schletter’s argument, finding that the e-mail response, “while solicited under false pretenses, was intentionally made.” The court’s reasoning turned on the distinction between a breach and a disclosure:
“[T]his was not a case of a data breach, wherein a hacker infiltrated the Defendant’s computer systems and stole the Plaintiffs’ information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees.”
Under that rationale, the court allowed the employees to seek treble damages from Schletter.
The court’s view of the NCITPA’s “intentional” requirement is notable.
Where The Case Is Today
This case as of today is still in process, and since the decision, Schletter has filed for bankruptcy, and its employees’ lawsuit has stayed. As a result, we won’t know whether Schletter is actually found liable for treble damages for quite some time, if ever.
Nonetheless, the court’s decision is a clear signal for North Carolina’s employers that the courts are taking information security seriously.
This sobering case is a reminder to all North Carolina business owners alike that protecting employee data and limiting exposure is more critical than ever. Having the right security processes and protocol in place is a non-negotiable when it comes to protecting your business when phishing is such a common occurrence today.
For related materials around Phishing Prevention, we recommend: