Attorneys at the law firm Zuckerman Spaeder noted on JD Supra: "When employers are caught off guard, they can face not only the loss of their own assets, but also liability to their employees.
For example, in a recent case, Curry v. Schletter Inc., No. 1:17-cv-0001-MR-DLH (W.D.N.C. Mar. 26, 2018), a federal district court permitted employees to proceed with their claims that their employer violated various duties when it was victimized by a phishing scam. In Curry, the employer mistakenly sent the employees’ W-2 forms to an unauthorized third party who pretended to be an executive at the company.
The employer told its employees what had happened, and offered identity theft protection and credit monitoring in an effort to regain employee trust. But a number of the employees weren’t satisfied and sued the company.
The employees alleged that the employer had warning of the phishing scam through FBI and IRS notices and a journalist’s blog.
They claimed that the employer provided “unreasonably deficient training on cybersecurity and information transfer protocols,” and that it had failed to encrypt data files containing personal identifying information, resulting in the disclosure. The employees also claimed that the employer had not agreed to pay them for the disclosure and that the offered credit monitoring was insufficient to protect against threats.
Based on these allegations, the employees brought claims for negligence, breach of implied contract, invasion of privacy, breach of fiduciary duty, and violation of trade practice laws. The employer moved to dismiss, but the court denied the motion as to every claim except the breach of fiduciary duty. The court ruled that the employees had adequately stated causes of action arising from the breach of duty to safeguard confidential information, allowing intrusion into the employees’ private affairs, and releasing their Social Security numbers without permission.
The court ruled that the breach of fiduciary duty claim failed because an employer does not have fiduciary duties to its employees in a typical employee-employer relationship.
The upshot of the Curry decision is that the employer will now face discovery into the phishing attack and the preventative measures that were taken, and potential liability for its error.
Thus, Curry provides yet another incentive for employers to pay attention to information security and take steps to protect against phishing scams. Advice about how to avoid these scams is not hard to find. But if companies and their employees don’t remain vigilant, all the advice in the world may not prevent a problematic disclosure."
KnowBe4 and Michael R. Overly, Esq. have published a whitepaper about this topic.
Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), and Certified in Risk and Information Systems Control (CRISC) certifications. He is a partner at Foley & Lardner LLP.
This new whitepaper shows you the common threads running through compliance laws and regulations. Did you know that "CIA" stands for Confidentiality, Integrity, and Availability, and that lawmakers have incorporated that exact language into infosec regulations?
Are you familiar with the concept of acting "reasonably" or taking "appropriate" or "necessary" measures? Find out how understanding these terms can keep you from violating compliance laws or regulations.
Did you know you are expected to "scale security measures to reflect the threat"? We use examples from the Massachusetts Data Security Law and HIPAA to explain what is required. Download this new whitepaper here: