Court: W-2 phishing breaches can be seen as 'intentional disclosures'

July 10, 2018
Recent case highlights a new element of potential cybersecurity exposure for businesses

Editor’s note: This article originally appeared on the website of security awareness training and simulated phishing platform provider KnowBe4. Click here to learn more about the company or read additional posts from Stu Sjouwerman’s Security Training Awareness blog.

Imagine my surprise when I saw a picture of myself on the blog of large North Carolina law firm Poyner Spruill. It was all good though.

They had picked up an example of a real W-2 phishing scam we received that I had posted on our own blog. The screenshot was a good illustration of the risks of W-2 CEO fraud.

However, the article literally raised my eyebrows. Why? Read this and then send this post to your CEO and your legal team right away.

According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for businesses.

Employees Who Fall for CEO Fraud Commit an "Intentional Disclosure"

Poyner Spruill's J.M. Durnovich was right to highlight this development, which was also picked up by the nationwide Law360 site.

The failure to train employees may quickly become more costly, and not only for North Carolina employers. Other courts will look at this decision and may well come to the same conclusion: that not taking reasonable measures to defend against scams like this merits treble (punitive) damages.

Here is a short excerpt from the Poyner Spruill post which I strongly recommend you read in full:

“In 2016, a Schletter employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for an apparent verification measure. The employee obliged, sending the supposed supervisor an unencrypted file containing the 200 employees’ personal information.

“Schletter notified its employees by form letter sent about six days after discovering the incident. Without providing much detail regarding the incident, the letter offered to pay for two years of credit monitoring and identity theft protection services for each of the affected employees. The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).

“The employees’ lawsuit contained a claim under the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not “[i]ntentionally communicate or otherwise make available to the general public an individual’s social security number.” Importantly, if the disclosure was intentional, the business may be liable for treble damages.

“Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public. The federal court rejected Schletter’s argument, finding that the e-mail response, ‘while solicited under false pretenses, was intentionally made.’ The court’s reasoning turned on the distinction between a breach and a disclosure.”

In the time following the court’s decision, Schletter has filed for bankruptcy and the employees’ lawsuit has been stayed.

Case Highlights the Need for Training

I have never seen more powerful ammo for budget than this. Stepping your users through new-school security awareness training has always been a no-brainer; however, this raises the stakes significantly.

If a court decides that not training your employees against phishing scams like this is tantamount to "intentional disclosure" resulting in punitive damages, it's time to get effective awareness training in place yesterday.

You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it.

About the Author:

Stu Sjouwerman is the founder and CEO of KnowBe4, Inc. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”