
Curry v. Schletter Inc.

United States District Court, W.D. North Carolina, Asheville Division

March 26, 2018

BRYAN CURRY, TERRAN BROOKS, JERMAINE WILLIS, and BRIAN HOPPER, on behalf of themselves and all others similarly situated, Plaintiffs,
v.
SCHLETTER INC., Defendant.

          MEMORANDUM OF DECISION AND ORDER

          Martin Reidinger United States District Judge.

         THIS MATTER is before the Court on the Defendant's Motion to Dismiss [Doc. 24].

         I. PROCEDURAL BACKGROUND

         The Plaintiffs, who consist of both former and current employees of the Defendant Schletter Inc., initiated this action on January 3, 2017, asserting claims for negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, and violations of the North Carolina Identity Theft Protection Act, N.C. Gen. Stat. §§ 75-60, et seq. (“NCITPA”), and the North Carolina Unfair and Deceptive Trade Practices Act, N.C. Gen. Stat. §§ 75-1.1, et seq. (“UDTPA”). [Doc. 1]. After being served with a Summons and a copy of the Complaint, the Defendant filed a Motion to Dismiss. [Doc. 10].

         On May 15, 2017, the Plaintiffs filed an Amended Complaint [Doc. 23], thereby rendering the Defendant's Motion to Dismiss moot. On May 25, 2017, the Defendant filed its second Motion to Dismiss. [Doc. 24]. On June 8, 2017, the Plaintiffs filed their Response in Opposition. [Doc. 26]. On June 15, 2017, the Defendant filed its Reply to the Plaintiffs' Response. [Doc. 27]. Having been fully briefed, this matter is ripe for disposition.

         II. FACTUAL BACKGROUND

         Taking the well-pled allegations of the Amended Complaint as true, the following is a summary of the relevant facts.

         The Defendant is a part of Schletter Group, a worldwide manufacturer and distributor of solar mountings systems. [Doc. 23 at ¶ 1]. The Defendant's North American headquarters is in Shelby, North Carolina. [Id.]. The named Plaintiffs are proposed class representatives for a putative class consisting of both current and former employees of the Defendant.[1] [Id. at ¶ 87].

         As a condition of employment, the Defendant requires that employees entrust it with certain personal information. In its ordinary course of business, the Defendant maintains personal and tax information, including name, address, zip code, date of birth, wage and withholding information, and Social Security number, of its current and former employees (hereinafter, “personal identifying information” or “PII”). The Plaintiffs, as current and former employers, relied on the Defendant to keep this information confidential and securely maintained. [Id. at ¶ 49].

         On or about April 19, 2016, the Defendant mailed a form letter to all current and former employees throughout the United States, advising that the employees' 2015 W-2 tax form information had been sent to an unauthorized third party in response to a W-2 phishing email scam (hereinafter “the Data Disclosure”). [Id. at ¶ 50]. The letter indicated that the Defendant had learned of this incident on or about April 13, 2016, but gave no information as to the actual date when the tax data had been disclosed. [Id. at ¶ 51]. An attachment to the April 19, 2016 letter indicated that the Defendant would be offering credit monitoring and identity theft protection services to those affected for a one-year period. [Id.].

         The Defendant sent additional correspondence to its former and current employees on or about April 25, 2016, advising that the Defendant would extend the identity theft protection and credit monitoring coverage to a period of 24 months. [Id. at ¶ 53].

         The Defendant was not without warning of this phishing email scam. On August 27, 2015, the Federal Bureau of Investigation (“FBI”) had issued a report warning of the increasingly common scam, known as Business Email Compromise, in which companies fall victim to phishing emails. Significantly, this report called attention to the significant spike in scams, also referred to as “spoofing,” in which cyber criminals send emails that appear to have initiated from the CEO or other top level executive at the target company. [Id. at ¶ 57]. On February 24, 2016, cybersecurity journalist Brian Krebs warned of the precise scam which snared the Defendant in a blog entitled: “Phishers Spoof CEO, Request W2 Forms.” Krebs warned that cybercriminals were attempting to scam companies by sending false emails, purportedly from the company's chief executive officer, to individuals in the human resources or accounting department asking for copies of W-2 data for all employees. Krebs even provided an example of such an email that had been sent to another company. [Id. at ¶ 63]. Further, on March 1, 2016, the IRS issued an alert to payroll and human resources professionals warning of the same scheme. [Id. at ¶ 64].

         Despite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, the Defendant provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure. [Id. at ¶ 65]. Specifically, the Defendant failed to adequately train its employees on even the most basic of cybersecurity protocols, including: (a) how to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate; (b) effective password management and encryption protocols for internal and external emails; (c) avoidance of responding to emails that are suspicious or from unknown sources; (d) locking, encrypting and limiting access to computers and files containing sensitive information; (e) implementing guidelines for maintaining and communicating sensitive data; and (f) protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients. [Id. at ¶ 66].

         The Data Disclosure was caused by the Defendant's failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems. The Defendant failed to comply with security standards and allowed its employees' PII to be compromised by failing to implement security measures that could have prevented or mitigated the Data Disclosure. The Defendant failed to implement even the most basic of security measures to require encryption of any data file containing PII sent electronically, even within the company. [Id. at ¶ 69].

         The Defendant failed to ensure that all personnel in its human resources and accounting departments were made aware of this well-known and well-publicized phishing email scam. [Id. at ¶ 70]. The Defendant also failed to timely disclose the extent of the Data Disclosure, failed to individually notify each of the affected individuals in a timely manner, and failed to take other reasonable steps to clearly and conspicuously inform Plaintiffs of the nature and extent of the Data Disclosure. By failing to provide adequate and timely notice, the Defendant prevented the Plaintiffs from protecting themselves from the consequences of the Data Disclosure. [Id. at ¶ 71].

         The Defendant has not provided compensation to the employees victimized in this Data Disclosure. The Defendant has not offered to provide any assistance or compensation for the costs and burdens, both current and future, associated with the identity theft and fraud resulting from the Data Disclosure. The Defendant has not offered employees any assistance in dealing with the IRS or state tax agencies. The Defendant has not offered to ...

