In the "What's Fair?" blog of Ellis & Winters LLP, there was an intriguing post about a North Carolina federal court decision in Curry v. Schletter, Inc. We've talked in this blog many times (including yesterday) about Business Email Compromises, including those which involve phishing for the W-2 information of a company's employees.
In this case, Judge Martin Reidinger of the United States District Court for the Western District of North Carolina handed Schletter's employees a big win: a favorable ruling on a treble damages claim brought under N.C. Gen. Stat. § 75-1.1.
Schletter manufactures solar mounting systems. In 2016 a Schletter employee was taken in by a phishing scam. The employee emailed criminals W-2 tax form information for all of the company's then-current employees. That information included names, addresses, social security numbers, and wage information—all in an unencrypted file. I shudder when I read the word "unencrypted," but that is all too common.
After discovering the incident, Schletter notified the affected employees and offered 24 months of credit monitoring and identity theft protection services. Not happy with that response, the employees sued.
In their complaint, the employees noted that, by the time of the incident, W-2 phishing was a widely-known security risk for employers. The employees said that Schletter failed to train its employees to recognize phishing or to use technical controls—such as secure file-transfer protocols—that could prevent criminals from accessing employees' sensitive information.
The employees alleged that Schletter violated the North Carolina Identity Theft Protection Act's requirements for protecting social security numbers, which appear in section 75-62. That statute makes it unlawful for a business to "intentionally communicate or otherwise make available to the general public an individual's social security number."
Section 75-62 also provides that violations of that statute automatically violate another section in chapter 75: section 75-1.1. The employees therefore asserted a 75-1.1 claim based on a per se theory that used section 75-62 for the predicate violation.
Schletter moved to dismiss under Rule 12(b)(6). That motion focused on three arguments.
First, Schletter said it hadn't "intentionally" communicated anything to the criminals. It argued that the employee who fell victim to the scam meant to transmit the information internally and for a legitimate purpose, and thus lacked the requisite intent.
Second, Schletter argued that it had not disclosed the employees' information to the "general public," but only to the cybercriminal.
Third, Schletter pointed to the rule that section 75-1.1 does not generally apply to employer-employee disputes. According to Schletter, the claim for treble damages—which arose only because of the employees' employment relationship with Schletter—was barred by this so-called "employment exemption" to section 75-1.1.
None of those arguments was persuasive to Judge Reidinger.
First, Judge Reidinger explained that the test for whether a business "intentionally communicates" a social security number looks only to whether the defendant intentionally made a communication that included the number. To that end, the court distinguished between a data disclosure in a phishing scam and a data breach involving infiltration of a defendant's computer systems. A disclosure, Judge Reidinger concluded, could violate section 75-62 even if made in response to a fraudulent request.
Judge Reidinger also concluded the employees had alleged a disclosure to the "general public," because it was unknown how many cybercriminals were involved, or whether they distributed the information to others. Under those circumstances, it was "not implausible" that the information was available to the general public for purposes of section 75-62. The employees' claim thus met the "plausibility" standard for Rule 12(b)(6) motions under Bell Atlantic v. Twombly.
Finally, Judge Reidinger did not address the argument about the employment exemption. His decision simply concluded, based on the express language of section 75-62, that a valid claim under that statute also states a plausible violation of section 75-1.1.
Curry presents yet another example of the power of per se theories under section 75-1.1. By interpreting section 75-62 to cover falling for a phishing scam, the court relieved the employees of any need to show that Schletter's conduct was otherwise unfair or deceptive for section 75-1.1 purposes. As a result, the employees now enjoy a substantial strategic advantage: increased prospects for a treble damages award and a chance to recover attorney's fees.
If – and it is a very big if – other courts adopt Curry's interpretation of section 75-62 and similar statutes that govern disclosures of sensitive information, data-breach defendants in phishing cases may be at vastly increased risk.
I asked my frequent co-author and friend, Clark Hill attorney Dave Ries, about this case.
He said, “It’s a ruling on a motion to dismiss, so it’s just finding that plaintiffs have plausible claims that they may be able to prove. A lot of judges are very lenient to plaintiffs at this stage of cases. A number of states have an economic loss doctrine that has defeated data breach claims at the motion to dismiss or summary judgment phase. It only applies to tort claims and not to contract or consumer protection claims.
The PA Supreme Court is currently considering whether claims by employees in a data breach are barred by PA’s economic loss doctrine. Lower PA courts and the Third Circuit, applying PA law, have held that tort claims in data breaches are barred by the economic loss doctrine. It basically provides that plaintiffs may generally not recover in tort for economic losses in absence of personal injury or property damage. There are limited exceptions like fraud and negligent misrepresentation by someone in the business of providing information.
Another issue is whether employees are ‘consumers’ under various state statutes.”
That puts the NC decision on the "watch" list without overstating its importance. And the PA Supreme Court decision is also on the "watch" list. It looks like this area of law is evolving pretty quickly.