As we have explored before, a common scam known as “W-2 phishing” can put companies in the crosshairs for data-breach lawsuits brought by their employees.
In honor of Tax Day, today’s post examines an interesting recent decision from a North Carolina federal court in one of these cases.
In that decision, called Curry v. Schletter Inc., Judge Martin Reidinger of the United States District Court for the Western District of North Carolina handed the employees a big win: a favorable ruling on a treble damages claim brought under N.C. Gen. Stat. § 75-1.1.
Teach a man to phish…
Schletter manufactures solar mounting systems. The company has its headquarters in Shelby.
In 2016 a Schletter employee was reeled in by a phishing scam. The employee emailed criminals W-2 tax form information for all of the company’s then-current employees. That information included names, addresses, social security numbers, and wage information—all in an unencrypted file.
After discovering the incident, Schletter notified the affected employees and offered 24 months of credit monitoring and identity theft protection services. Unsatisfied with that response, the employees sued.
In their complaint, the employees noted that, by the time of the incident, W-2 phishing was a widely known security risk for employers. The FBI, cybersecurity journalists, and the IRS had all warned of the scam. Even so, said the employees, Schletter failed to train its employees to recognize it or to use technical controls—such as secure file-transfer protocols—that could have prevented criminals from obtaining employees’ sensitive information.
The employees alleged that Schletter violated the North Carolina Identity Theft Protection Act’s requirements for protecting social security numbers, which appear in section 75-62. That statute makes it unlawful for a business to “intentionally communicate or otherwise make available to the general public an individual’s social security number.”
Section 75-62 also provides that violations of that statute automatically violate another section in chapter 75: section 75-1.1. The employees therefore asserted a 75-1.1 claim based on a per se theory that used section 75-62 for the predicate violation.
Who’s the real victim?
Schletter moved to dismiss under Rule 12(b)(6). That motion centered on three arguments.
First, Schletter said, it hadn’t “intentionally” communicated anything to the criminals. Instead, it argued, the employee who fell victim to the scam meant to transmit the information internally and for a legitimate purpose, and thus lacked the requisite intent.
Second, Schletter argued that it had not disclosed the employees’ information to the “general public,” but only to the cyber-criminal.
Third, Schletter pointed to the rule that section 75-1.1 does not generally apply to employer-employee disputes. According to Schletter, the claim for treble damages—which arose only because of the plaintiffs’ employment relationship with Schletter—was barred by this so-called “employment exemption” to section 75-1.1.
Caught in the plaintiffs’ net
None of those arguments convinced Judge Reidinger.
First, Judge Reidinger explained that the test for whether a business “intentionally communicates” a social security number looks only to whether the defendant intentionally made a communication that included the number. To that end, the court distinguished between a data disclosure in a phishing scam and a data breach involving infiltration of a defendant’s computer systems. A disclosure, Judge Reidinger concluded, could violate section 75-62 even if it was made in response to a fraudulent request.
Judge Reidinger also concluded the employees had alleged a disclosure to the “general public,” because it was unknown how many cybercriminals were involved, or whether they distributed the information to others. Under those circumstances, it was “not implausible” that the information was available to the general public for purposes of section 75-62. The employees’ claim thus met the “plausibility” standard for Rule 12(b)(6) motions under Bell Atlantic v. Twombly.
Finally, Judge Reidinger did not address the argument about the employment exemption. His decision simply concluded, based on the express language of section 75-62, that a valid claim under that statute also states a plausible violation of section 75-1.1.
Per Se Theories Curry Favor
Curry presents yet another example of the power of per se theories under section 75-1.1. By interpreting section 75-62 to cover taking the bait in a phishing scam, the court relieved the employees of any need to show that Schletter’s conduct was otherwise unfair or deceptive for section 75-1.1 purposes. As a result, the employees now enjoy a substantial strategic advantage: increased prospects for a treble damages award and a chance to recover attorneys’ fees.
If other courts adopt Curry’s interpretation of section 75-62 and similar statutes that govern disclosures of sensitive information, data-breach defendants in phishing cases may find it especially difficult to get off the hook.