By DeAnn Chase, December 27, 2016. Category: Business Law.
In 2016, employers face many risks and challenges in keeping employee information private and secure. Because business owners are a particularly lucrative target, employers face daily challenges in dealing with phishing attacks and maintaining absolute privacy. Employers must be constantly vigilant and aware of this type of fraud, especially since scammers and hackers use email, text messages, phone calls, and social media to steal data.
In April of this year, former employees of Sprouts initiated a class action lawsuit in the United States District Court, Southern District of California against Sprouts Farmers Market, Inc. (“Sprouts”). Because of a data breach, the employees’ W-2 forms were allegedly disclosed as part of a phishing scam in March 2016, after it was reported that Sprouts’ employees had their federal tax refunds stolen.
A phishing scam is an internet scheme that occurs when a targeted individual is sent a seemingly legitimate but fake request for sensitive or confidential information. It’s often a fake email from a financial institution, such as a bank, requesting the recipient to click on a link to confirm a user password on a web page branded to look like a genuine representation of the institution, with actual company logos and colors.
In the Sprouts case, the allegations consist of an email that appeared to be sent by a Sprouts executive to a payroll department employee requesting W-2s of every Sprouts employee. In response, the payroll employee sent W-2s of well over 20,000 Sprouts employees to the return email address. Sprouts later discovered, albeit too late, that the original email was a fake and notified authorities.
Employers must be aware of the potential liability for such a data breach. The class action lawsuit in the Sprouts case is seeking actual and statutory damages, restitution, and disgorgement, and the complaint alleges the following:
- Sprouts was negligent in protecting private employee information;
- Sprouts violated California Civil Code sections 1798.80 et seq., which includes California’s data breach law, the California Data Protection Act;
- Sprouts violated California Business and Professions Code section 17200 by engaging in unfair business practices;
- while Sprouts offered credit monitoring services for 12 months for the impacted employees, the service chosen did not protect against identity theft, and only notifies the consumer after identity theft or other fraudulent activity has occurred;
- Sprouts had “lax” security procedures for its employee data, and concealed that fact from its employees.
Some victims of data breaches may be at risk for identity theft for the rest of their lives, as in the case of Anthem, Inc., an insurance company. In that case, messages under the auspices of a company email offered free credit monitoring to policyholders, a service that Anthem had actually promised to provide. The Anthem and Sprouts cases highlight the necessity for established employer procedures and protocols to protect employee information, and the inherent risks associated with any failure.
Businesses, regardless of their size, must address the privacy and security of their information, whether related to the business itself or employees. Many steps may be implemented by a company to protect against phishing scams. If you are an employer in California, it is important to obtain sound legal guidance to protect all of your company’s data, trade secrets, or personal information. DeAnn Flores Chase and her team of experienced attorneys can advise you on all your business needs. Contact Chase Law Group, P.C. at (310) 545-7700 or visit www.chaselawmb.com to schedule a consultation.