Employers Beware of Phishing Scams
On April 20, 2016, a class action lawsuit was filed in the United States District Court, Southern District of California against Sprouts Farmers Market, Inc. The lawsuit was initiated by a former employee whose W-2 was allegedly disclosed as part of a phishing scam that occurred in late March 2016 amid reports that Sprouts’ employees had their IRS tax refunds stolen. According to the complaint, the W-2s of Sprouts’ employees were disclosed to a third party as a result of the phishing scam.
This sort of internet scam, referred to as “phishing,” occurs when someone attempts to acquire sensitive or confidential information under the guise of a legitimate request. For the average internet user, phishing scams often come in the form of a fake email from a bank or other financial institution asking you to click on a link to confirm your password on a web site that looks like a legitimate web site for the business. The fake web site often uses the actual logos and branding from a legitimate site to trick the user.
Payroll Masters goes into detail in our recent blog post:
“Warning California Businesses be Aware of Phishing Scams Targeting the Workplace”
In this case, the complaint alleges an email was sent to an employee in the payroll department asking for the W-2s of all Sprouts’ workers by a Sprouts executive. The employee responded to the email sending the W-2s of approximately 21,000 Sprouts employees. Unfortunately, Sprouts later discovered that the original email requesting the information was not legitimate, and notified the authorities.
The class action complaint alleges that Sprouts was negligent in its protection of private employee information, violated California Civil Code sections 1798.80 et seq. (including California’s data breach law), and engaged in unfair business practices in violation of California Business and Professions Code section 17200. The complaint alleges that while Sprouts offered credit monitoring services for 12 months for the impacted employees, the service chosen did not protect against identity theft, and only notifies the consumer afteridentify theft or other fraudulent activity has occurred. The complaint also alleges that Sprouts had “lax” security procedures for its employee data, and concealed that fact from its employees.
This case highlights the necessity that employers have protocols in place to protect employee information, and the risks associated with not having such protocols in place.
Source: Jackson | Lewis Blog | 2016 © Copyright Payroll Masters
Payroll Masters is not a licensed insurance broker or agent and does not provide professional or legal advice. This document has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please contact your employment attorney in connection with any fact-specific situation in which you intend to take significant employment action. Readers agree that they will hold Payroll Masters in indemnity and Payroll Masters assumes no liability. Payroll Masters is not engaged in rendering legal or accounting services. Therefore, Payroll Masters assumes no responsibility for claims arising from the use or implementation of the above information.