Employers responsible for damages in phishing scams?

ALERT: Employers could be responsible for damages in phishing scams

August 8, 2018

An employer could face legal action and be forced to pay financial damages for an employee’s mistake.

With the ever increasing occurrence of “phishing” attacks, employers can no longer ignore the risk it bears for their employees and overall business. According to a recent federal court decision, an employer could face legal action and be forced to pay financial damages for an employee’s mistake.

This is precisely what happened to a North Carolina company when an employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for verification purposes. The employee sent the supposed supervisor an unencrypted file containing the requested information. Despite what was likely an employee acting with the best of intentions, the employee was fooled into sharing the personal information (including Social Security numbers) of more than 200 employees with a cybercriminal.

Several employees sued, and a federal court determined that the email response, despite being made under false pretenses, was intentionally made. The court’s reasoning noted the distinction between a breach and a disclosure indicating the following:

  • Data breach: “wherein a hacker infiltrated the defendant’s computer systems and stole the plaintiffs’ information”
  • Data disclosure: “wherein the defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees”

Under the rationale of intentional disclosure of confidential employee information, the court allowed the employees to seek treble damages.

How to protect your organization from phishing threats

In the North Carolina case, the Court noted that the company failed to provide “even the most basic of security measures” that could have prevented the disclosure.

Phishing exploits human weaknesses even more than technical vulnerabilities. If you want to effectively protect your network from phishing attacks, address the human source of the problem. This can be addressed first and foremost through educating and training your employees. Most employees are willing to help, but won’t be able to if they don’t know how.

At AGH, our technology professionals are equipped with the tools necessary to help educate your staff on the dangers of phishing and reduce their susceptibility to attacks, as well as how to improve their handling of sensitive information. Our training addresses your employees’ vulnerabilities and leaves them better prepared to protect your information assets.

Additionally, consider consulting with experts at AGH before a cyber crisis happens. An incident response plan and mitigation efforts can help your company recover more quickly and with less disruption should a cyber security incident occur. Finally, the AGH team is prepared to assist in emergency situations as well. Notify us immediately should you find your organization’s data has been compromised.

Don't wait to get started

AGH’s professionals have a proven record of helping organizations keep their information secure and can educate leaders on their organization’s information security by performing comprehensive risk assessments and system evaluations. To get started, contact Brian Johnson, senior vice president of technology services, using the information below.

Brian Johnson

Senior Vice President
Technology Services and Administration

Brian Johnson is an experienced technology executive and consultant with a proven track record of leadership in technology management. As a technology and business leader with more than 30 years of experience, Brian successfully leverages his technology background, business acumen, and people management skills to help organizations link innovative technology solutions to their strategy and mission. Brian’s technology experience and credentials are supplemented by his training as a certified public accountant.

Brian is a frequent speaker and advisor on technology developments and trends. A certified public accountant, he has extensive expertise in IT risk advisory services and has earned the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified In the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC), credentials as well as additional certifications in operations management, systems engineering, and solution development. Brian was named one of the Wichita Business Journal’s CIO of the Year honorees in 2015.

Information in this document has been obtained by Allen, Gibbs & Houlik, L.C. from sources believed to be reliable. However, AGH does not guarantee the accuracy nor completeness of any information. This communication does not and is not intended to provide legal, accounting or other professional advice or opinions on specific facts or matters, and accordingly, AGH assumes no liability whatsoever in connection with its use. Nothing in this communication can be used to avoid penalties that may be imposed by a governmental taxing authority or agency.

Your organization has unique vulnerabilities and security requirements.
See how our professionals can tailor an IT security plan for you.