May 20, 2016

The serious risk of employer liability for breaches of employee data

Posted in Cybersecurity by Gene Killian |

HUB International, an insurance brokerage, has an interesting tool on its website, called a “Data Breach Cost Calculator.”  Answer a few questions and the calculator tells you the anticipated cost of a data breach at your company.  You can access it by clicking here.  I was fooling around with it a bit, and the projections were fairly staggering.  But if you’re in business or law, you already knew that.  Seems like every business or legal publication you pick up these days has an article about the terrors of cyber-crime.  (I recently sent the link to such an article to a general counsel friend.  He chastised me – justifiably – for even asking him to click on a link, because of the risks involved!)

The obvious problem is that, no matter how hard you try to control access, the points of entry to your company’s data are infinite.  (Hey, if the NSA can be hacked, what chance do YOU have?)  We’ve recently been working on an insurance coverage case, for example, involving “phishing.”  Phishing takes place when a criminal masquerades as a legitimate business contact in an effort to obtain sensitive information, such as credit card data or social security numbers.  Sometimes this is accomplished by ever-so-slightly changing an e-mail address, so that unless the recipient is looking very closely, he or she can easily be fooled into transmitting confidential information, and boom, you have a big problem on your hands.  Our case involved an overseas hacker who sent an e-mail to an accounting employee of our corporate client, in which one letter of the e-mail address was changed, requesting verification of certain financial information.  The result was a loss of several hundred thousand dollars.
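The one-letter-changed address described above is something a mail gateway or help desk can check for mechanically rather than relying on a busy employee’s eyesight. The following is an added example (not code from the original post or from the firms it mentions) that parses a From: header, pulls out the sender’s domain, and compares it against a list of domains the organisation legitimately corresponds with, using an edit distance that counts substitutions, insertions, deletions and swapped adjacent letters, after folding common look-alike characters (rn for m, 0 for o, 1 for l). The trusted-domain list and the sample headers are constructed for illustration; the distance threshold of 2 is an assumption you would tune to your own domain list.

```python
"""Flag e-mail senders whose domain is a near-miss of a trusted domain.

Added example, not part of the original post.  TRUSTED_DOMAINS and the
sample From: headers below are constructed for illustration only.
"""
from email.utils import parseaddr

# Constructed: domains this organisation legitimately receives requests from.
TRUSTED_DOMAINS = {"examplebank.com", "killianlaw.example", "payroll-vendor.example"}

# Character sequences that read as another letter in many fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case and fold look-alike characters so homoglyph swaps collapse."""
    domain = domain.lower()
    for lookalike, real in CONFUSABLES:
        domain = domain.replace(lookalike, real)
    return domain


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def sender_domain(from_header: str) -> str:
    """Return the domain part of the address in a From: header, or '' if none."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, detail): trusted, lookalike, unknown or reject."""
    domain = sender_domain(from_header)
    if not domain:
        return ("reject", "no parsable address")
    if domain in trusted:
        return ("trusted", domain)
    norm = normalise(domain)
    best = None  # (distance, trusted domain) of the closest match within threshold
    for candidate in trusted:
        dist = damerau_levenshtein(norm, normalise(candidate))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, candidate)
    if best is not None:
        # Distance 0 after normalisation means a pure homoglyph swap (rn -> m etc.)
        return ("lookalike", f"{domain} resembles {best[1]} (distance {best[0]})")
    return ("unknown", domain)


# Constructed sample headers: one genuine, three near-misses, one stranger.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane@examplebank.com>",
    "Accounts Team <payments@examplebamk.com>",   # n -> m substitution
    "Bank Ops <ops@exarnplebank.com>",            # rn masquerading as m
    "Bank Ops <ops@examplebnak.com>",             # adjacent letters swapped
    "Newsletter <news@unrelated.example>",
]


def triage(headers):
    """Classify every header; a gateway would quarantine the 'lookalike' ones."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, (verdict, detail) in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9s} {detail:55s} <- {header}")
```

Edit distance only catches near-misses of a whole domain; a sender at a subdomain of an attacker-registered domain (such as a trusted name used as a prefix of something else) comes back as “unknown,” which is why the verdict for unfamiliar domains is kept separate from “trusted” rather than silently passed.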

Obviously, data breaches can happen to anyone.  A large law firm whose offices are near mine got nailed by a ransomware attack just a few weeks ago. All of their data was encrypted and their system was completely shut down for several days. In short, a mess. This particular attack seems to have happened when one of the assistants clicked on an attachment from another law firm that the firm is doing business with. That firm had also been attacked.

Most of the big cases in the news (Target, Sony) involve the loss of customer data (like credit card information) by business-to-consumer companies.  But a huge source of liability arises from your company’s own employees, regardless of your type of business.  Hackers can get access to employee social security numbers or direct deposit bank account numbers, for example, and wreak havoc. We wrote on this topic about a year ago, in a post you can access by clicking here.

With that background, let’s consider a class action filed about a month ago as I write this, against Advance Auto Parts.  The Complaint contains the following instructive (and typical) allegations:

  • “On March 7, 2016, a third party obtained unauthorized access to employee information. This access was through a phishing-type attack in which an outside party posing as an Advance employee convinced an employee to provide a file containing information about certain individuals who worked for Advance during 2015. The employee believed the email request for this file was a legitimate internal data request.”  
  • “The information Advance was duped into producing included Advance employee names, Social Security numbers, 2015 gross wages, and the states in which such employee pays income taxes.”  
  • “Merriam-Webster defines phishing as: ‘a scam by which an email user is duped into revealing personal or confidential information which the scammer can use illicitly.’”  
  • “The information scammed from Advance can, and likely already has been used by the thieves, or third parties to whom such information is transferred and/or sold, to file tax returns, open revolving credit accounts, purchase vehicles and even apply for and procure a job. In short, the damage caused to Class Members is common to all Class Members and is egregious…Plaintiff was one of Advance’s nearly 75,000 employees at the time of the conduct complained of herein.”

The Complaint sets forth claims for relief for negligence, gross negligence, breach of fiduciary duty, and invasion of privacy (creating, for you insurance aficionados, a potential coverage issue under Coverage B of Advance’s standard general liability policy, if Advance maintains such coverage, in addition to potential coverage under cyberliability policies.)

Advance, which has been the target of other hacking incidents in the past, did all the right things in response to the breach. The company began investigating the matter immediately upon learning of the problem, notified federal law enforcement, communicated with all current and former employees, and offered free identity protection services and hotline support. That, of course, wasn’t enough to prevent a lawsuit, even though the only winners in the lawsuit (if the plaintiffs prevail) will likely be the class-action lawyers.

So what can you do to minimize the chances of an employee-generated data breach?  It’s a very difficult question, since it’s so simple for an overworked employee to make a mistake and click on a malicious link, or transmit information to someone who appears to be from “your bank.”  Here are a few simple suggestions, though:

  1. The importance of securing sensitive information, and of being on guard against scams such as “phishing” attacks, needs to be stressed by management and included in your employee manual. A breakfast meeting every now and then to discuss the threats isn’t a bad idea.  At the very least, when you read about a cyber-breach in the news, circulate the article within your company or department.  
  2. Hack yourself.  Test your employees by setting up a phishing-type “attack” intentionally.  Have your IT person send a fake e-mail, through a secure account, from a fake contact at your “bank” requesting information such as your firm’s Tax ID number.  See what happens.  You might create a teachable moment.  Figure out a way to reward employees who respond appropriately.  If your people know how seriously you’re taking this problem, it can only help.  
  3. Many security breaches happen when third-party vendors – benefits providers, for example – handle employee information. A good contract with your vendor is good protection against liability. Specify that the vendor should limit the number of people who have access to the data, should ensure that it’s encrypted, should maintain the data in a secure location, and should make sure that any transmission is done in a controlled, protected manner. Include notification requirements should a security breach occur, and cite the specific state and federal notification laws that the vendor must follow. The contract should also state that the vendor is legally responsible for any data breach that occurs during its engagement, and that the vendor will indemnify you and your employees for any actions resulting from such a breach. Vendors hate that type of language, but if you never ask, you’ll never get. In a perfect world, the contract should also obligate the vendor to pay any damages resulting from the data loss, no matter when it occurs. And you should negotiate contract language requiring the vendor to obtain your approval before moving work offshore.  
  4. Talk with your broker or risk manager about cyberliability coverage if you don’t already have it.