Employers Held Responsible for Phishing Attacks | New England IT PartnersBREAKING NEWS: Hackers are attempting to gain control of your company's most important data and systems. I know, I know. This isn't something that is completely new or even groundbreaking to those who have paid attention to the news in the last handful of years. Hackers are no longer the stereotypical 35-year old guy in his reclining chair, located in his mother's basement looking to get you to pay a Nigerian Prince that needs help escaping persecution. In fact, hackers have become sophisticated and pernicious, that now they are built as everyday organizations with people at workstations, with a lot of funding and workforce behind them.

As of recent, Phishing Hacks have been more commonplace than any other type of cyber attack due to the cunning ability that these hackers have grown into. For those who may not know, Phishing is a type of cyber attack that impersonates a legitimate person and/or organization in an attempt to get the user to click on a virus-filled link, divulge financial information, or provide critical information such as company usernames and passwords.

With Phishing attacks on the rise, companies find themselves at more and more risk. Hackers find that phishing is one of the more successful hacking attempts due to the uncertain nature of human behavior. According to an anonymous source posted on a hacking forum, people tend to NEVER check the email that was sent to them as long as the Display Name comes in as someone that they trust. For example, if you were to receive an email from John in accounting, the email would just say "John" and not his entire email address. With the advent of adaptive technology, users must go out of their way to make themselves aware of things like proper email addresses and other like examples.

According to a top cyber security firm, more than 76% of organizations have been hit with a Phishing attack in 2017. Now, this may come as no shock, but what a federal district court ruling said about matters such as these definitely will.

In a recent case, Curry v. Schletter Inc., the federal district court in North Carolina ruled that Schletter Inc. was responsible for the loss of company information that led to employee W-2's being compromised. Due to the negligence portrayed on the part of the organization by not properly addressing cyber risks, the court ruled that their inaction led to the breach of important data. In the ruling the court mentioned that the employer violated various duties when they mistakenly divulged employees W-2's to a third party who was posing as a company executive.

Upon recognition of what had transpired the company made their employees aware of the situation and offered identity theft protection and credit monitoring to make up for the situation. Unfortunately for Schletter Inc., many of their employees were not pleased with the solution to the major issue that they had created and decided to sue the company in a landmark case that would define company liability as far as cyber attacks are concerned. The employees brought claims for negligence, breach of implied contract, invasion of privacy, breach of fiduciary duty, and violation of trade practice laws.

In an effort to protect themselves from litigation and negative publicity, the company tried to have all of the claims dismissed. In the pre-trial motions hearing the court found that all but one of the charges were found to be legitimate. The judge ruled that the breach of fiduciary duty was voided because employers do not have a fiduciary responsible in a typical employee-employer relationship. The case proceeded with the remaining charges. At the culmination of the trial the judge's ruling mentioned that the employer provided "unreasonably deficient training on cyber security and information transfer protocols" to their employees which was ultimately responsible for the mishandling of corporate files.

The ruling has provided an upside however, because employers are now being forced to train employees and make sure that they have the proper tools and systems in place to make sure that a breach of this kind can never happen. Employers need to know the risks that they can incur when they choose not to properly educate and train their employees in the ever-changing world of cyber security.