[BreachExchange] Liability at the Stroke of a Computer Key: Cyberattackers Take Aim at Employees

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 26 19:48:33 EST 2018


The Equifax incident was a game changer due to the volume and sensitivity
of the consumer information that was stolen, including names, Social
Security numbers, birth dates, addresses and, in some instances, driver's
license numbers.

In September 2017, Equifax announced that hackers had gained access to the
confidential information of more than 145 million consumers, almost half of
the U.S. population. The Equifax incident was a game changer due to the
volume and sensitivity of the consumer information that was stolen,
including names, Social Security numbers, birth dates, addresses and, in
some instances, driver’s license numbers.

Recent cases suggest that employers could be subject to liability when one
of their employees causes a data breach by either knowingly or negligently
revealing sensitive employee or customer data. In March 2016, for example,
Sprouts Farmers Markets became the victim of a cyberattack when an employee
in the payroll department responded to an email that appeared to come from
a Sprouts senior executive requesting Forms W2 for all employees. The
employee sent the forms, which contained employees’ names, Social Security
numbers, salaries, mailing addresses and other personal data. The affected
employees brought lawsuits in multiple districts, which were consolidated
and then stayed pending a decision in a U.S. Supreme Court case addressing
whether individual arbitration agreements signed by each of the employees
precluded a class action in In re Sprouts Farmers Market, Employee Data
Security Breach Litigation, No. 2:16-MD-02731 (May 24, 2017).

Even more recently, in October 2017, the U.S. District Court for the
Southern District of New York issued an opinion finding that employees had
standing to bring a putative class action against their employer when a
coworker’s negligence led to a data breach exposing all of the employees’
personal information to hackers in Sackin v. Transperfect Global, 17 Civ.
1469 (S.D.N.Y. Oct. 4, 2017). In that case, employees received a “phishing”
email, which appeared to come from the company’s chief executive officer,
but actually was sent by unidentified hackers. The email asked for Forms
W-2 and payroll information of all current and former employees. At least
one employee sent the information to the cybercriminals in an unencrypted
format. As a result, the hackers obtained employees’ names, addresses,
dates of birth, Social Security numbers, direct deposit bank account
numbers and routing numbers.

The court denied the company’s motion to dismiss for lack of standing,
finding that the company’s alleged providing of employee names, addresses,
dates of birth, Social Security numbers and bank account information
directly to cybercriminals created a risk of identity theft “sufficiently
acute so as to fall comfortably into the category of ‘certainly impending’”
such that standing was warranted. The court also concluded that the
complaint alleged an injury in fact in the form of identity theft
prevention services that the employees were forced to purchase.
Significantly, the court found that the plaintiffs stated a claim for
negligence in that the company did not train employees on data security;
did not erect digital firewalls; and did not maintain retention and
destruction protocols for personally identifiable information.

Employees have not always been successful on the argument of whether they
have standing to bring suit. In January 2017, for example, the Pennsylvania
Superior Court upheld a decision of the lower court finding that the
University of Pittsburgh Medical Center (UPMC) did not owe a duty to its
employees to prevent employees’ confidential information from being stolen
by third parties in a data breach. Dittman v. UPMC, 154 A.2d 381 (Pa. Sup.
Ct. 2017). The employees brought an action for negligence and breach of
contract against UPMC after hackers accessed UPMC’s computer systems and
stole the names, birth dates, Social Security numbers, tax information,
addresses, salaries and bank information of approximately 62,000 UPMC
employees and former employees. The employees asserted that UPMC owed a
legal duty to protect their personal and financial information and that
UPMC failed to keep their information safe and prevent vulnerabilities in
its computer system. The court disagreed, finding that there was no true
way to prevent data breaches and that the possibility of data breach did
not outweigh the social utility of electronically storing employee
information. The case is currently on appeal to the Pennsylvania Supreme

Likewise, in September 2017, the U.S. District Court for the District of
Columbia dismissed consolidated class actions brought on behalf of public
employees and applicants whose personal information, which was given to the
employer in connection with background checks, was compromised by a data
breach. See In re U.S. Office of Personnel Management Data Security Breach
Litigation, 266 F. Supp. 3d (D.D.C. 2017). The court found that the
plaintiffs lacked standing to bring suit.

While courts differ on whether victims of cyberattacks can seek relief from
the companies whose negligence allowed the breach to happen, cybercriminals
continue to dupe employees into revealing sensitive information about
coworkers via phishing attacks. In March 2016, for example, Snapchat
announced that someone posing as the company’s chief executive officer
obtained employee payroll data about 700 employees. More than seven other
companies were tricked by similar phishing attacks that same year.

Congress is currently considering whether to adopt a national data breach
notification law, in large part because Equifax failed to notify the public
immediately after discovering the attack. Additionally, in the absence of
federal action, state legislatures are starting to step in to put in place
standards for cybersecurity programs to protect both consumers and
employees. New York State, for example, enacted legislation, effective
March 2017, to require banks, insurance companies and other financial
services institutions regulated by the Department of Financial Services to
establish and maintain a cybersecurity program designed to protect
consumers’ private data.

Companies often are surprised to learn that their biggest security threats
come from their own employees. These risks range from the use of weak
passwords to clicking on corrupt internet links to theft of sensitive data.
Many companies allow employees to use their personal electronic device. As
a result there is risk of a cyberattack not only in the office, but on
mobile devices accessed from employees’ homes. Nonetheless, there are
several things that employers can do to tighten controls on their data:

- Draft comprehensive cybersecurity policies, making it clear to all
employees that they have obligations to safeguard sensitive data.
- Make sure that company policies address business use of personal devices,
as well as personal use of business devices.
- Train employees on how even inadvertent actions can compromise company
- Ensure that company IT departments keep up with developing technologies.
- Consider how applications used by employees with wearable technologies,
such as fitness and GPS apps, are able to capture information about
employee business travel or sales routes.
- Establish procedures so that IT can identify any devices that are not
configured properly, and single out those employees who are not following
security protocols.
- Discipline employees for violating company policies and procedures on
- Perform exit interviews that ensure employees are aware of their
continuing obligations to keep secrets secret, even after the end of the
employment relationship.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180226/eda131ba/attachment.html>

More information about the BreachExchange mailing list