Gone Phishing: Employer Faces Liability for Mistakenly Disclosing W-2 Forms to Scammer

By Jason M. Knott


Phishing. Spoofing.

These words may sound silly, but for employers, they are anything but.

Phishing is the attempt to obtain sensitive electronic information—such as usernames, passwords, or financial information—under false pretenses. Often, when bad actors engage in phishing, they use email spoofing—sending emails that appear legitimate but are anything but. These emails can dupe users into disclosing confidential personal or company information.

In addition to consumers and political committees, employers can be victimized by these attacks. And when employers are caught off guard, they can face not only the loss of their own assets, but also liability to their employees.

For example, in a recent case, Curry v. Schletter Inc., No. 1:17-cv-0001-MR-DLH (W.D.N.C. Mar. 26, 2018), a federal district court permitted employees to proceed with their claims that their employer violated various duties when it was victimized by a phishing scam. In Curry, the employer mistakenly sent the employees’ W-2 forms to an unauthorized third party who pretended to be an executive at the company.

The employer told its employees what had happened, and offered identity theft protection and credit monitoring in an effort to regain employee trust. But a number of the employees weren’t satisfied and sued the company.

The employees alleged that the employer had warning of the phishing scam through FBI and IRS notices and a journalist’s blog. They claimed that the employer provided “unreasonably deficient training on cybersecurity and information transfer protocols,” and that it had failed to encrypt data files containing personal identifying information, resulting in the disclosure. The employees also claimed that the employer had not agreed to pay them for the disclosure and that the offered credit monitoring was insufficient to protect against threats.

Based on these allegations, the employees brought claims for negligence, breach of implied contract, invasion of privacy, breach of fiduciary duty, and violation of trade practice laws. The employer moved to dismiss, but the court denied the motion as to every claim except the breach of fiduciary duty. The court ruled that the employees had adequately stated causes of action arising from the employer’s breach of its duty to safeguard confidential information, from its allowing intrusion into the employees’ private affairs, and from its release of their Social Security numbers without permission.

The court ruled that the breach of fiduciary duty claim failed because an employer does not have fiduciary duties to its employees in a typical employee-employer relationship.

The upshot of the Curry decision is that the employer will now face discovery into the phishing attack and the preventative measures that were taken, and potential liability for its error.

Thus, Curry provides yet another incentive for employers to pay attention to information security and take steps to protect against phishing scams. Advice about how to avoid these scams is not hard to find. But if companies and their employees don’t remain vigilant, all the advice in the world may not prevent a problematic disclosure.