United States District Court, W.D. North Carolina, Asheville Division
BRYAN CURRY, TERRAN BROOKS, JERMAINE WILLIS, and BRIAN HOPPER, on behalf of themselves and all others similarly situated, Plaintiffs,
v.
SCHLETTER INC., Defendant.
MEMORANDUM OF DECISION AND ORDER
Reidinger, United States District Judge.
THIS MATTER is before the Court on the Defendant's Motion to Dismiss [Doc. 24].
The Plaintiffs, who consist of both former and current employees of the Defendant Schletter Inc., initiated this action on January 3, 2017, asserting claims for negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, and violations of the North Carolina Identity Theft Protection Act, N.C. Gen. Stat. §§ 75-60, et seq. (“NCITPA”), and the North Carolina Unfair and Deceptive Trade Practices Act, N.C. Gen. Stat. §§ 75-1.1, et seq. (“UDTPA”). [Doc. 1]. After being served with a Summons and a copy of the Complaint, the Defendant filed a Motion to Dismiss. [Doc. 15, 2017, the Plaintiffs filed an Amended Complaint [Doc. 23], thereby rendering the Defendant's Motion to Dismiss moot. On May 25, 2017, the Defendant filed its second Motion to Dismiss. [Doc. 24]. On June 8, 2017, the Plaintiffs filed their Response in Opposition. [Doc. 26]. On June 15, 2017, the Defendant filed its Reply to the Plaintiffs' Response. [Doc. 27]. Having been fully briefed, this matter is ripe for disposition.
Accepting the well-pled allegations of the Amended Complaint as true, the following is a summary of the relevant facts.
The Defendant is a part of Schletter Group, a worldwide manufacturer and distributor of solar mounting systems. [Doc. 23 at ¶ 1]. The Defendant's North American headquarters is in Shelby, North Carolina. [Id.]. The named Plaintiffs are proposed class representatives for a putative class consisting of both current and former employees of the Defendant. [Id. at ¶ 87].
As a condition of employment, the Defendant requires that employees entrust it with certain personal information. In its ordinary course of business, the Defendant maintains personal and tax information, including name, address, zip code, date of birth, wage and withholding information, and Social Security number, of its current and former employees (hereinafter, “personal identifying information” or “PII”). The Plaintiffs, as current and former employees, relied on the Defendant to keep this information confidential and securely maintained. [Id. at ¶
On or about April 19, 2016, the Defendant mailed a form letter to all current and former employees throughout the United States, advising that the employees' 2015 W-2 tax form information had been sent to an unauthorized third party in response to a W-2 phishing email scam (hereinafter “the Data Disclosure”). [Id. at ¶ 50]. The letter indicated that the Defendant had learned of this incident on or about April 13, 2016, but gave no information as to the actual date when the tax data had been disclosed. [Id. at ¶ 51]. An attachment to the April 19, 2016 letter indicated that the Defendant would be offering credit monitoring and identity theft protection services to those affected for a one-year period. [Id.].
The Defendant sent additional correspondence to its former and current employees on or about April 25, 2016, advising that the Defendant would extend the identity theft protection and credit monitoring coverage to a period of 24 months. [Id. at ¶ 53].
The Defendant was not without warning of this phishing email scam. On August 27, 2015, the Federal Bureau of Investigation (“FBI”) had issued a report warning of the increasingly common scam, known as Business Email Compromise, in which companies fall victim to phishing emails. Significantly, this report called attention to the significant spike in scams, also referred to as “spoofing,” in which cyber criminals send emails that appear to have originated from the CEO or other top-level executive at the target company. [Id. at ¶ 57].
On February 24, 2016, cybersecurity journalist Brian Krebs warned of the precise scam which snared the Defendant in a blog post entitled “Phishers Spoof CEO, Request W2 Forms.” Krebs warned that cybercriminals were attempting to scam companies by sending false emails, purportedly from the company's chief executive officer, to individuals in the human resources or accounting department asking for copies of W-2 data for all employees. Krebs even provided an example of such an email that had been sent to another company. [Id. at ¶ 63].
Further, on March 1, 2016, the IRS issued an alert to payroll and human resources professionals warning of the same scheme. [Id. at ¶ 64].
Despite the widespread prevalence of spoofing aimed at obtaining confidential information from employers, and despite the warnings of the 2016 tax season W-2 email scam, the Defendant provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure. [Id. at ¶ 65]. Specifically, the Defendant failed to adequately train its employees on even the most basic of cybersecurity protocols, including: (a) how to detect phishing and spoofing emails and other scams, including providing employees examples of these scams and guidance on how to verify whether emails are legitimate; (b) effective password management and encryption protocols for internal and external emails; (c) avoidance of responding to emails that are suspicious or from unknown sources; (d) locking, encrypting, and limiting access to computers and files containing sensitive information; (e) implementing guidelines for maintaining and communicating sensitive data; and (f) protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to send such information through a secure file transfer system to only known recipients. [Id. at ¶ 66].
The Data Disclosure was caused by the Defendant's failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems. The Defendant failed to comply with security standards and allowed its employees' PII to be compromised by failing to implement security measures that could have prevented or mitigated the Data Disclosure. The Defendant failed to implement even the most basic of security measures to require encryption of any data file containing PII sent electronically, even within the company. [Id. at
The Defendant failed to ensure that all personnel in its human resources and accounting departments were made aware of this well-known and well-publicized phishing email scam. [Id. at ¶ 70]. The Defendant also failed to timely disclose the extent of the Data Disclosure, failed to individually notify each of the affected individuals in a timely manner, and failed to take other reasonable steps to clearly and conspicuously inform the Plaintiffs of the nature and extent of the Data Disclosure. By failing to provide adequate and timely notice, the Defendant prevented the Plaintiffs from protecting themselves from the consequences of the Data Disclosure. [Id. at ¶ 71].
The Defendant has not provided compensation to the employees victimized in this Data Disclosure. The Defendant has not offered to provide any assistance or compensation for the costs and burdens, both current and future, associated with the identity theft and fraud resulting from the Data Disclosure. The Defendant has not offered employees any assistance in dealing with the IRS or state tax agencies. The Defendant has not offered to ...