Employers responsible for damages in phishing scams?

ALERT: Employers could be responsible for damages in phishing scams

August 8, 2018

An employer could face legal action and be forced to pay financial damages for an employee’s mistake.

With the ever-increasing occurrence of “phishing” attacks, employers can no longer ignore the risk these attacks pose to their employees and to the business as a whole. According to a recent federal court decision, an employer could face legal action and be forced to pay financial damages for an employee’s mistake.

This is precisely what happened to a North Carolina company when an employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for verification purposes. The employee sent the supposed supervisor an unencrypted file containing the requested information. Despite what was likely an employee acting with the best of intentions, the employee was fooled into sharing the personal information (including Social Security numbers) of more than 200 employees with a cybercriminal.

Several employees sued, and a federal court determined that the email response, although it was made under false pretenses, was nonetheless an intentional act. The court’s reasoning drew the following distinction between a breach and a disclosure:

  • Data breach: “wherein a hacker infiltrated the defendant’s computer systems and stole the plaintiffs’ information”
  • Data disclosure: “wherein the defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees”

Under the rationale of intentional disclosure of confidential employee information, the court allowed the employees to seek treble damages.

How to protect your organization from phishing threats

In the North Carolina case, the Court noted that the company failed to provide “even the most basic of security measures” that could have prevented the disclosure.

Phishing exploits human weaknesses even more than technical vulnerabilities. To protect your network effectively from phishing attacks, address the human source of the problem, first and foremost by educating and training your employees. Most employees are willing to help, but they cannot if they don’t know how.

At AGH, our technology professionals are equipped with the tools necessary to help educate your staff on the dangers of phishing and reduce their susceptibility to attacks, as well as how to improve their handling of sensitive information. Our training addresses your employees’ vulnerabilities and leaves them better prepared to protect your information assets.

Additionally, consider consulting with experts at AGH before a cyber crisis happens. An incident response plan and mitigation efforts can help your company recover more quickly and with less disruption should a cyber security incident occur. Finally, the AGH team is prepared to assist in emergency situations as well. Notify us immediately should you find your organization’s data has been compromised.

Don't wait to get started

AGH’s professionals have a proven record of helping organizations keep their information secure and can educate leaders on their organization’s information security by performing comprehensive risk assessments and system evaluations. To get started, contact Brian Johnson, senior vice president of technology services, using the information below.

Brian Johnson

Senior Vice President
Technology Services

Brian joined AGH in 1992. He leads the firm’s technology services practice where he helps clients achieve measurable performance improvements through the delivery of specialized, competency-based information systems management, assurance, and advisory services. He has extensive experience in information security, network engineering, and solution development, with recognized specializations in governance, risk, control, and related consulting services.

Brian is a member of ISACA (previously known as the Information Systems Audit and Control Association), the Kansas Society of Certified Public Accountants (KSCPA), the American Institute of Certified Public Accountants (AICPA), the AICPA’s Information Management and Technology Assurance (IMTA) Section, and the Association for Supply Chain Management (ASCM). He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and Certified in Production and Inventory Management (CPIM).

Brian is also a Certified Public Accountant (CPA) and a graduate of Wichita State University, where he earned Master of Accountancy and Bachelor of Business Administration degrees.

Information in this document has been obtained by Allen, Gibbs & Houlik, L.C. from sources believed to be reliable. However, AGH does not guarantee the accuracy nor completeness of any information. This communication does not and is not intended to provide legal, accounting or other professional advice or opinions on specific facts or matters, and accordingly, AGH assumes no liability whatsoever in connection with its use. Nothing in this communication can be used to avoid penalties that may be imposed by a governmental taxing authority or agency.
