[BreachExchange] Phishing for Trouble: One Manufacturer’s Mistakes, and How to Avoid Them

Destry Winant destry at riskbasedsecurity.com
Tue Sep 11 22:18:08 EDT 2018


https://www.industryweek.com/technology-and-iiot/phishing-trouble-one-manufacturer-s-mistakes-and-how-avoid-them

In the height of tax season, an accounting clerk opens an email asking
him: “Please send me W-2’s for employees in the marketing department.
I need this information ASAP. Thanks very much.” The name on the email
is the comptroller’s, so the clerk sends along the information. But
the email was not from the comptroller—it was actually from a
cybercriminal, and the W-2s are now for sale on the dark web.

The clerk fell victim to an increasingly common scam known as
spoofing, or making an email appear to be coming from a legitimate
source. It is an alarming trend that only seems to be increasing in
its level of sophistication. Spoofing has especially grave
implications for employers, who collect and retain significant amounts
of employees’ personal information.

But who is to blame in this scenario? The cybercriminal, of course.
But who else is at fault—the accounting clerk? The company? As strange
as it may seem, the company might be liable for the identity theft
suffered by the marketing department.

Just how and why an employer might be liable in this scenario is
better explained by taking a look at a recent federal case.

Less than six months ago, the U.S. District Court for the Western
District of North Carolina issued a stark ruling in Curry v. Schletter
Inc. The case should be a cautionary tale and reminder to employers of
the importance of training on how to avoid cyber-scams. Failure to do so
may be expensive.

In Curry, the plaintiffs were a group of former and current employees
of Schletter Inc., a global manufacturer and distributor of solar
mounting systems based in North Carolina. Schletter, as does every
employer, maintains sensitive personal information about its
employees, such as name, address, date of birth and social security
number, as part of its ordinary course of business.

In April 2016, an employee responded to a cybercriminal she believed
to be her company’s CEO by providing the personal information of over
200 employees. About one week after the disclosure, the company mailed
a letter to all of its former and current employees, notifying them of
what had happened.

Embarrassing as that was, Schletter’s story only gets worse. Evidence
came to light that the company had already been warned about similar
phishing e-mail scams. In August 2015, the FBI had issued an alert
specifically warning of the lightning-like speed at which these scams were
occurring. Despite these warnings from the FBI, Schletter did not
provide enough training to its employees on how to recognize and
respond to spoofing. Indeed, the company failed to educate employees
on even basic security measures that could have easily prevented the
disclosure.

Unfortunately, that was not the only thing Schletter had failed to do.
Even with the notice mailed out one week later, Schletter was found to
not have timely disclosed to its employees the extent of the breach
and failed to timely notify each affected employee. As a result, the
employees were unable to protect themselves from the consequences of
the data breach. Compounding matters, Schletter did not compensate
the victims or provide any assistance with the burdens caused by the
errant disclosure. The victims took the company to court, asserting
claims for monetary losses, lost time, anxiety and emotional distress.

The court found that Schletter had violated the North Carolina
Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a
business may not intentionally communicate or make available to the
general public an individual’s personal information. If the disclosure
is intentional, the business may be liable for treble damages, meaning
the court can triple the damages amount awarded to a plaintiff.

Schletter argued that the employee intended to communicate the
information to the supervisor, not the general public. The court,
however, rejected that argument and found that while the employee was
“solicited under false pretenses,” her e-mail response was still
“intentionally made.” This finding hinged on the distinction between a
data breach and a data disclosure. A data breach typically involves a
hacker infiltrating a computer system to steal information. A data
disclosure, on the other hand, typically involves an individual who is
already inside the system intentionally providing highly sensitive
information.

The court allowed the employees to seek treble damages—triple the
amount of actual damages—but Schletter filed for bankruptcy shortly
after the decision, halting the lawsuit. As a result, it is unknown
whether Schletter will be found liable for treble damages at this
time.

It’s worth noting that treble damages are generally reserved for
malicious conduct. For example, an employee that sells a company’s
trade secrets to that company’s competitor has engaged in malicious
conduct. Curry, however, illustrates that treble damages can come into
play even when an employee had the purest of intentions (to comply
with a supervisor’s instructions).

How Can Employers Protect Themselves?

North Carolina employers are not the only ones who should be nervous
in the wake of Curry. The decision has broader implications for
employers throughout the nation. Laws, local ordinances, and
regulations are constantly being proposed, enacted, and revised to
match the constantly evolving cybersecurity threats, leaving many
employers baffled on the extent to which they can be held liable for
breaches or disclosures that occur. The decision in Curry sheds light
on how other courts may interpret cases with similar issues.

Thankfully, employers are not without recourse. The best defense to a
data breach is to ensure one never happens in the first place.
Businesses can protect against potential claims by implementing a
training program for employees on data disclosure prevention. This
training should include a review of (1) basic cyber security protocols
and (2) how to recognize common phishing scams that lead to data
disclosure. Employers should also have a response plan in place for
when a disclosure does occur in order to mitigate possible exposure.
For example, the plaintiffs in Curry argued that each passing day the
company failed to notify employees of the disclosure increased the
chances of their personal information being misused, and they
increased their claimed damages accordingly. It also likely did not
sit well with the court that Schletter did not offer to pay for
identity protection or credit monitoring services for the employees.

It’s important to convey to your employees to never simply hit the
reply button in an email. Recheck the email address and, with
extremely sensitive information, consider calling the sender to verify
that the e-mail is legitimately from that individual first.
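The checks above (look past the display name at the actual address, and do not trust a plain reply) can be automated at the mail gateway or in a reporting tool. The following is an added illustration, not code from the article, from Schletter or from any vendor: it parses raw message headers with Python's standard `email` module and flags the indicators behind the article's scenario. The company domain `example-solar.com`, the directory of likely impersonation targets and the three sample messages are all constructed for this example.

```python
"""Flag the spoofing indicators the article describes in raw e-mail headers.

Added illustration, not code from the article or from any vendor. The
company domain, the directory of impersonation targets and the sample
messages are all constructed for the example.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

# Constructed: the organisation's own domain and the people a scammer is
# most likely to impersonate when asking for W-2s or payroll data.
COMPANY_DOMAIN = "example-solar.com"
DIRECTORY = {
    "jane doe": "jane.doe@example-solar.com",      # comptroller
    "alex cheng": "alex.cheng@example-solar.com",  # CEO
}


def _normalise(name: str) -> str:
    """Lower-case a display name and collapse punctuation and whitespace."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, target: str, threshold: float = 0.8) -> bool:
    """True when domain is a near-miss of target (e.g. one swapped character)."""
    if not domain or domain == target:
        return False
    return SequenceMatcher(None, domain, target).ratio() >= threshold


def check_sender(raw_message: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for one RFC 5322 message.

    An empty list means none of these indicators fired; it does not mean
    the request is genuine, so out-of-band verification still applies.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    expected = DIRECTORY.get(_normalise(from_name))
    findings = []

    # Display name belongs to someone in the directory, but the address is
    # not that person's real mailbox (display-name spoofing).
    if expected and from_addr.lower() != expected:
        findings.append(("name-mismatch", f"'{from_name}' should be {expected}, got {from_addr}"))

    # A directory name arriving from outside the company domain.
    if expected and from_domain != COMPANY_DOMAIN:
        findings.append(("external-domain", from_domain))

    # A domain that is one character away from the real one.
    if looks_like(from_domain, COMPANY_DOMAIN):
        findings.append(("lookalike-domain", from_domain))

    # Reply-To routes the answer somewhere other than the visible sender,
    # which is why the article says never to simply hit reply.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(("reply-to-mismatch", reply_addr))

    return findings


def indicators(raw_message: str) -> set:
    """Just the indicator names, convenient for policy rules and tests."""
    return {code for code, _ in check_sender(raw_message)}


# Constructed sample messages modelled on the article's W-2 request.
SPOOFED = """\
From: Jane Doe <jane.doe@webmail-host.example>
Reply-To: payroll-requests@webmail-host.example
To: clerk@example-solar.com
Subject: W-2s needed ASAP

Please send me W-2's for employees in the marketing department.
"""

LOOKALIKE = """\
From: Alex Cheng <alex.cheng@example-so1ar.com>
To: clerk@example-solar.com
Subject: Employee list

Need the full employee roster with SSNs today.
"""

GENUINE = """\
From: Jane Doe <jane.doe@example-solar.com>
To: clerk@example-solar.com
Subject: Q3 close

Reminder that the close checklist is due Friday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        print(label, check_sender(sample) or "no indicators")
```

The directory lookup is deliberately keyed on the display name rather than the address, because that is the field the clerk in the article actually read; the address comparison is what turns "the name on the email is the comptroller's" into a verifiable check. A gateway would normally pair this with SPF/DKIM/DMARC results, which the example omits to stay self-contained.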

And remember: if an employee falls victim to a phishing scam, the
company can be on the hook for the damages arising from identity
theft.
