W.D.N.C.: Data Breaches May Be Unintentional, but Data Disclosures Can Be Intentional
On March 26, 2018, Judge Martin Reidinger issued a decision in Curry v. Schletter, 1:17-cv-0001-MR-DLH, 2018 U.S. Dist. LEXIS 49442 (W.D.N.C.). This case concerned a suit brought against a business by its former employees. The business required its employees to disclose personal identifying information as a condition of employment. The defendant was the victim of a scam it had notice of - the Business Email Compromise. The employees' 2015 W-2 tax information was sent to an authorized party in a phishing email attack.
Judge Reidinger noted Schletter, Inc.'s failure to provide its employees with training in cyber security and information transfer protocols. It did not follow best practices and industry standards concerning computer security. The plaintiffs were not informed of the data disclosure in a prompt manner or told the extent of the breach.
The court did not grant a motion to dismiss the plaintiffs' negligence and breach of implied contract, finding that both causes of action had been adequately stated. "At the heart of both causes of action is the Plaintiffs' assertion that the Defendant, as their employer, had a duty to safeguard and protect the confidential information provided by their employees. Whether such duty arose from the parties' employment contract or from other source remains to be determined from the facts and evidence to be presented." Id. at 10-11. It also declined to dismiss an invasion of privacy claim. "The Plaintiffs have sufficiently pled allegations to plausibly allege that the Defendant's actions would be highly offensive to the reasonable person, thus constituting an 'intrusion' necessary to sustain a claim for invasion of privacy under North Carolina law." Id. at 12-13.
The plaintiffs' breach of fiduciary claim was dismissed, because under North Carolina law such a duty does not arise in an employer/employee relationship.
The plaintiffs also brought causes of action under The Uniform Deceptive Trade Practice Act and the North Carolina Identity Theft Protection Act which bar the intentional disclosure by a business of social security numbers to the general public. The decision states that, "it is not implausible that the Defendant's actions in responding to this phishing scam effectively made the Plaintiffs' Social Security numbers 'available to the general public.'" Id. at 15-16.
Crucially Judge Reidinger declined to dismiss the UDTPA and NCITPA claims on the basis of the defendant's argument that its actions were not intentional. He drew a distinction between unintentional data breaches, and data disclosures:
"As the Plaintiffs cogently set out in their brief, this was not a case of a data breach, wherein a hacker infiltrated the Defendant's computer systems and stole the Plaintiffs' information, but rather was a case of data disclosure,wherein the Defendant intentionally responded to anemail request with an unencrypted file containing highly sensitive information regarding its current and formeremployees. Based on these allegations, the Plaintiffs have sufficiently alleged that the Defendant acted with the requisite intent in communicating this information." Id. at 16.