A North Carolina Federal Court Allows a Treble Damages Claim in Employee Data-Breach Lawsuit

In honor of Tax Day, today’s post examines an interesting recent decision from a North Carolina federal court in one of these cases.

In that decision, called Curry v. Schletter Inc., Judge Martin Reidinger of the United States District Court for the Western District of North Carolina handed the employees a big win: a favorable ruling on a treble damages claim brought under N.C. Gen. Stat. § 75-1.1.

Teach a man to phish…

Schletter manufactures solar mountings systems. The company has its headquarters in Shelby.

In 2016 a Schletter employee was reeled in by a phishing scam. The employee emailed criminals W-2 tax form information for all of the company’s then-current employees. That information included names, addresses, social security numbers, and wage information—all in an unencrypted file.

After discovering the incident, Schletter notified the affected employees and offered 24 months of credit monitoring and identity theft protection services. Unsatisfied with that response, the employees sued.

In their complaint, the employees noted that, by the time of the incident, W-2 phishing was a widely-known security risk for employers. The FBI, cybersecurity journalists, and the IRS had all warned of the scam. Even so, said the employees, Schletter failed to train its employees to recognize it or to use technical controls—such as secure file-transfer protocols—that could prevent criminals from accessing employees’ sensitive information.