As the global focus on data protection increases, so does the liability exposure for data holders following a breach. Employers collect significant amounts of sensitive personal information about their employees over the course of the employment relationship. Following a breach of an employer’s computer systems, employees are increasingly seeking damages from their employer under a number of theories, including negligence, or through an actual or implied contractual obligation to keep sensitive information safe.
Last month the U.S. District Court for the Western District of North Carolina allowed an employee treble damage claim against an employer to proceed under North Carolina’s Unfair and Deceptive Trade Practices Act. The underlying facts of Curry v. Schletter Inc. are all too familiar to many companies; following receipt of a phishing scam email, a Schletter employee emailed all then-current employees’ W-2s to a criminal posing as another internal employee. Certain affected employees sued, arguing that Schletter failed to effectively train its employees to recognize phishing scams or employ internal technical controls to prevent or mitigate these scams.
The employees also argued that disclosure of their social security numbers was a violation of the North Carolina Identity Theft Protection Act. The Identity Theft Protection Act prohibits businesses from intentionally communicating to the general public or otherwise improperly disclosing an individual’s social security number, and a violation of the Identity Theft Protection Act also constitutes a violation of the North Carolina Unfair and Deceptive Trade Practices Act.
Schletter attempted to dismiss the complaint by arguing, in part, that the communication was unintentional and not disclosed to the general public. The Western District of North Carolina rejected these arguments, finding that the communication – an affirmative data disclosure – was intentional, as compared to a breach of Schletter’s data systems. The disclosure was made to the general public because the number of initial and subsequent recipients of the W-2 information was unknown and it was “not implausible” that the information was available to the general public. Without detailed explanation, the court rejected Schletter’s other dismissal arguments, including that the Unfair and Deceptive Trade Practices Act typically does not apply to employer-employee disputes.
This decision has the potential to further expand breach claims and resulting liability in North Carolina for employers and businesses. Companies should review their common law, statutory, and contractual data protection obligations and employ safeguards, including technical solutions, training, testing, and other loss mitigation efforts.