
Court: W-2 phishing breaches can be seen as


Editor’s note: This article originally appeared on the website of security awareness training and simulated phishing platform provider KnowBe4. Click here to learn more about the company or read additional posts from Stu Sjouwerman’s Security Training Awareness blog.

Imagine my surprise when I saw a picture of myself in the blog of the large North Carolina law firm Poyner Spruill. It was all good though.

They had picked up an example of a real W-2 phishing scam we received that I had posted on our own blog. The screenshot was a good illustration of the risks of W-2 CEO fraud.

However, the article literally raised my eyebrows. Why? Read this and then send this post to your CEO and your legal team right away.

According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for businesses.

Employees Who Fall for CEO Fraud Commit an “Intentional Disclosure”

Poyner Spruill’s J.M. Durnovich was right to highlight this development, which was also picked up by the nationwide Law360 site.

The failure to train employees may quickly become more costly, and not only for North Carolina employers. This decision will be looked at by other courts, which very well might come to the same conclusion: that not taking reasonable measures to defend against scams like this merits treble (punitive) damages.

Here is a short excerpt from the Poyner Spruill post which I strongly recommend you read in full:

“In 2016, a Schletter employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for an apparent verification measure. The employee obliged, sending the supposed supervisor an unencrypted file containing the 200 employees’ personal information.

“Schletter notified its employees by form letter sent about six days after discovering the incident. Without providing much detail regarding the incident, the letter offered to pay for two years of credit monitoring and identity theft protection services for each of the affected employees. The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).

“The employees’ lawsuit contained a claim under the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not “[i]ntentionally communicate or otherwise make available to the general public an individual’s social security number.” Importantly, if the disclosure was intentional, the business may be liable for treble damages.

“Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public. The federal court rejected Schletter’s argument, finding that the e-mail response, ‘while solicited under false pretenses, was intentionally made.’ The court’s reasoning turned on the distinction between a breach and a disclosure.”

In the time following the court’s decision, Schletter has filed for bankruptcy and the employees’ lawsuit has been stayed.

Case Highlights the Need for Training

Source: on 2018-07-10 14:33:45
