Talk about adding insult to injury! After Schletter Group, a worldwide manufacturer with headquarters in North Carolina, fell for a phishing scam when it sent its employees’ W-2 information in response to a phony email, it was sued by its employees for invasion of privacy and other tort claims. The employees claimed the company ignored the risks identified in a 2015 FBI warning and a 2016 news article about the scam and did not take appropriate steps to protect its employees’ private data. While the company initially offered credit monitoring services, the employees sought additional remedies, including monetary damages. Although the company sought to dismiss the employees’ claims on the basis that the employer had no intent to make the disclosure, the company’s motion failed. The court ruled, at least at the early stages, that the company’s arguments that it did not intentionally disclose its employees’ data were not enough to toss the suit out of court. The court accepted the employees’ argument that this was a disclosure and not a breach and therefore, the element of intent was satisfied at the pleading stage.
Savvy employer takeaways: Encrypt employee data, place strict limits on who has the ability to disclose it, train employees on the risks of cyber scams, and pay attention to FBI and news media warnings.