Phishing Scheme and Identity Theft: Not Kentucky Derby Horses, but Perhaps Per Se Violations of North Carolina’s Unfair and Deceptive Trade Practices Act
While this blog generally discusses cases decided in North Carolina, we occasionally venture out of state to see how judges in other parts of the country interpret our statutes, particularly section 75-1.1. Today is one of those trips, so put on your jaunty suits and fancy hats, fix yourself a mint julep, and meet me at the Run for the Roses.
Our voyage today discusses Savidge v. Pharm-Save Inc., a case decided last month by Judge Claria Horn Boom in the United States District Court for the Western District of Kentucky, Louisville Division (home of Churchill Downs). The plaintiffs are two women, Andrea Savidge and Beth Lynch, who call My Old Kentucky Home. They used to work for the defendant, a North Carolina company called Pharm-Save, Inc.
After they left Pharm-Save, the company fell victim to a phishing scheme and released the plaintiffs’ W-2 forms (including their social security numbers) to cybercriminals. One of Pharm-Save’s employees sent the W-2s by email to an individual posing as Pharm-Save’s treasurer. She testified that she believed she was doing so for “account reconciliation.” Discretion and caution were not Pharm-Save’s Forte that day.
Although Pharm-Save promptly notified the authorities, the IRS later wrote to Ms. Savidge to advise her that someone had filed a fraudulent tax return using her name and social security number.
Identity Theft Is a Per Se Violation of Section 75-1.1
In their second amended complaint, plaintiffs asserted for the first time a claim for violation of section 75-1.1. They supported that claim by alleging a per se violation of a provision of the North Carolina Identity Theft Protection Act. Section 75-62, “Social Security number protection,” prohibits businesses from disclosing individuals’ social security numbers. And section 75-62(d) states that a “violation of this section is a violation of G.S. 75-1.1.”
Section 75-62(a) contains six different ways in which a business can be held liable for releasing someone’s social security number. Plaintiffs primarily cited section 75-62(a)(6) to support their claim. Businesses violate that section when they, among other things, intentionally disclose someone’s social security number to a third party without that person’s written consent. To be liable, the business must have known or should have known that the third party had no legitimate purpose to obtain the social security number.
Out of the Gates, Pharm-Save Pointed to Plaintiffs’ Out-of-State Residence
After the starting gun, Pharm-Save slipped behind the leaders. It argued that because plaintiffs were not North Carolina citizens, they were not entitled to the protections of section 75-1.1. But this argument ignored the fact that the year Seattle Slew won the Derby (and the Triple Crown), our General Assembly deleted the restrictive words “within this state” from section 75-1.1. Numerous cases since then have allowed claims by out-of-state plaintiffs when they are injured by an in-state defendant and its in-state activities.
Pharm-Save Caught Plaintiffs at the Quarter Pole
The court then addressed plaintiffs’ argument that because the magistrate judge had allowed them to assert a new claim under section 75-1.1, that was the law of the case, and they should survive summary judgment as well. This argument was flawed because it had been expressly rejected by the Sixth Circuit and because there was no actual motion to dismiss the section 75-1.1 claims—only an opposition to a motion for leave to amend. What plaintiffs may have thought was a Practical Move failed to win, place, or show.
The Statute Required an Intentional Disclosure, and Plaintiffs Failed to Prove One
Next, Pharm-Save argued that it could not be liable under section 75-62(a)(6) because it did not intentionally disclose plaintiffs’ social security numbers. The court then looked at the language of the statute to determine whether intent is required. Navigating from second-to-last all the way through the field to the victory, the court’s Street Sense concluded that plaintiffs could not write the word “intentionally” out of the statute. Section 75-62(a)(6) has two necessary pieces—the first, an intentional disclosure of a social security number, and the second, that the disclosing party knew or should have known that the third party receiving the disclosure lacked a legitimate purpose for obtaining the social security number.
The plaintiffs could not Justify their assertion that Pharm-Save had that intent, because the disclosing employee thought she was sending the W-2s to the company’s treasurer, even though the actual recipient was the cybercriminal perpetrating the phishing scheme.
Down the Stretch, Plaintiffs Also Failed to Prove a Section 75-62(a)(1) Violation
Even though plaintiffs primarily sought recovery under section 75-62(a)(6), in the true spirit of I’ll Have Another, Judge Horn also briefly addressed subsection (a)(1), which prohibits a business from “intentionally communicat[ing] or otherwise mak[ing] available to the general public an individual’s social security number.” This discussion cited a 2018 case from the United States District Court for the Western District of North Carolina, Curry v. Schletter. In Curry, the court distinguished between (1) a data breach where a hacker infiltrated the company’s computer systems, and (2) a data disclosure where the company intentionally responded to an email phishing request. The Curry court concluded that the plaintiffs plausibly alleged that when the company intentionally responded to a phishing email, that was sufficient to meet the “available to the general public” prong of (a)(1). At least at the 12(b)(6) stage, plaintiffs had pleaded that there was a Genuine Risk of disclosure.
Judge Horn declined to apply this logic, in part because the parties had already completed discovery, and she found that plaintiffs had forecast no evidence that any employee’s social security number had been made available to the general public. Thus, even if she adopted the Curry position that Pharm-Save intended to disclose the social security numbers, there was no evidence that they had been shared with the general public.
Pharm-Save Hit the Trifecta with a Statutory Defense
Pharm-Save also relied on the statutory defense in section 75-62(b)(2): “the collection, use, or release of a social security number for internal verification or administrative purposes.” Although Pharm-Save had not pleaded that defense in its answer, the court addressed it because it found that there would be no prejudice to plaintiffs by doing so.
The parties disagreed about whether the defense applied. Pharm-Save said that because the employee who responded to the phishing email intended to release the social security numbers for accounting reconciliation, that was an administrative purpose that allowed it to avail itself of the safe harbor. Plaintiffs countered that a mistaken belief that there was an administrative purpose was insufficient.
Finding no case law on this question, Judge Horn concluded that Pharm-Save had the Winning Colors and was entitled to the defense based on the use of the word “purposes” in the statute. That led the court to Determine that since a “purpose” is defined as an intention or an aim, Pharm-Save was still acting for an administrative purpose, even if the intention was based on a mistaken belief.
While some believe that a fast start is essential, and others think that jockeys should bide their time, one thing is for sure: threats from cybercriminals are not going away; they are all still looking for their next Rich Strike. Companies should be constantly training their employees to make sure that requests for sensitive information are Authentic. But this decision gives companies potential cover for civil liability when their employees get tricked into disclosing social security numbers to cybercriminals.
Because the case has other moving parts, it remains to be seen if plaintiffs will appeal this ruling. But the thorough analysis of the statute leads this blogger to suspect that the opinion would be Affirmed.