N.C. Federal Court Allows Treble Damages Claim Based on Theft of Employee Personal Information

Parker Poe Adams & Bernstein LLP

As the global focus on data protection increases, so does the liability exposure for data holders following a breach. Employers collect significant amounts of sensitive personal information about their employees over the course of the employment relationship. Following a breach of an employer’s computer systems, employees are more frequently seeking damages from their employer under a number of theories, including negligence or an actual or implied contractual obligation to keep sensitive information safe.

Last month the U.S. District Court for the Western District of North Carolina allowed an employee treble damages claim against an employer to proceed under North Carolina’s Unfair and Deceptive Trade Practices Act. The underlying facts of Curry v. Schletter Inc. are all too familiar to many companies: following receipt of a phishing scam email, a Schletter employee emailed all then-current employees’ W-2s to a criminal posing as another internal employee. Certain affected employees sued, arguing that Schletter failed to effectively train its employees to recognize phishing scams or employ internal technical controls to prevent or mitigate these scams.

The employees also argued that disclosure of their social security numbers was a violation of the North Carolina Identity Theft Protection Act. The Identity Theft Protection Act prohibits businesses from intentionally communicating to the general public or otherwise improperly disclosing an individual’s social security number, and a violation of the Identity Theft Protection Act will serve as a violation of the North Carolina Unfair and Deceptive Trade Practices Act.

Schletter attempted to dismiss the complaint by arguing, in part, that the communication was unintentional and not disclosed to the general public. The Western District of North Carolina rejected these arguments, finding that the communication – an affirmative data disclosure – was intentional, as compared to a breach of Schletter’s data systems. The disclosure was made to the general public because the number of initial and subsequent recipients of the W-2 information was unknown and it was “not implausible” that the information was available to the general public. Without detailed explanation, the court rejected Schletter’s other dismissal arguments, including that the Unfair and Deceptive Trade Practices Act typically does not apply to employer-employee disputes.

This decision has the potential to further expand breach claims and resulting liability in North Carolina for employers and businesses. Companies should review their common law, statutory, and contractual data protection obligations and employ safeguards, including technical solutions, training, testing, and other loss mitigation efforts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Parker Poe Adams & Bernstein LLP | Attorney Advertising
