Employment Law

Adventures in Cybersecurity: How to Respond When Workers Are Duped by Cyberattackers

One of the most exciting aspects of employment law is the inexhaustible list of ways that employees find to get themselves—and their employers—into trouble. Recently, we’ve observed an uptick in electronic security breaches, which makes the close of 2018 a perfect time to refresh ourselves on the “do’s” and “don’ts” of cybersecurity.

Source: MF3d / iStock / Getty

Why Do They Do That?!

Some of the cybersecurity problems employees get themselves into can leave their bosses scratching their heads and wondering, “Why did they do that?!” A great example: spoofing attacks. In the context of information security, spoofing occurs when an individual (or a group) disguises himself as someone else to gain access to information. One scenario that occurs with shocking frequency is when a cyberattacker sends an e-mail purporting to be someone important within the organization.

For example, an employee (especially a new or a low-level employee) receives an e-mail from an address that shows up as Bob Smith, CEO of XYZ Corporation. The employee, eager to please, takes one look at the “From” line and immediately jumps to complete the action requested in the e-mail. Often, the request involves using company resources to send money or gift cards to the recipient. The sums at issue are generally small enough that they don’t trigger fraud alerts, and no one realizes that the request is fraudulent until days or weeks later when the employee follows up with the manager who requested the money or someone in accounting sees a questionable charge.

Look for Real Solutions, Not Easy Ones

When you’re investigating a cyberattack, it’s easy to blame the subject of the attack. Frequently, with a small bit of due diligence, the employee could have avoided the problem. In a spoofing attack, the actual e-mail address is often undisguised. So, while the e-mail says it’s from Bob Smith, CEO of XYZ Corporation, the e-mail account is actually randomassortmentofletters@shadydomain.com. When confronted with this scenario, rather than blaming the victim, a good first step is to analyze the company’s own practices.

Cybersecurity problems don’t arise in a vacuum. Does your company have a cybersecurity program? Have you trained your employees to check the e-mail address before responding to internal inquiries or opening document attachments? Do you have a defined protocol for what to do with suspicious e-mails so they can be investigated? The easy solution is to blame the victim; it’s much harder to conduct an internal inventory and find out that your company bears some of the blame.

Be Careful What You Say

Another common reaction to cybersecurity problems is to make generalizations—frequently involving age—about the types of people who are susceptible to cyberattacks. The common refrain “His generation just doesn’t understand the risk associated with [fill in the blank]” is unfortunately common. While HR professionals are often attentive to these issues, front-line managers are not.

If you hear that type of stereotyping while investigating security breaches, be sure to nip it in the bud. Statements about a person’s age, generation, or inability to learn and adapt to new technology—especially when coupled with disciplinary action—are a recipe for discrimination claims. Don’t compound your problem by creating grounds for a lawsuit when you attempt to fix a cybersecurity breach.

Be Kind, Even if Kindness Isn’t Required

When cyberattacks result in employees losing their own money, one of the first questions from management is, “Do we have to reimburse her?” That can be a complex question, but in most cases, the answer is no. An employee who falls for a cyberscam, such as the spoofing attack described above, is a victim of fraud. Your company didn’t perpetrate the fraud or benefit from it, so you aren’t on the hook for the loss.

The first thing you should advise your employee to do is stop payment and report the fraud if a credit card was involved. Often, the credit card company has resources at its disposal that can limit or reverse the damage that’s been done. But any loss that remains should be the subject of careful consideration. It’s often new, low-earning, and low-level employees who are targeted by sophisticated attackers. The sums at issue sound small, maybe a few hundred dollars all the way up to a couple thousand. But for an employee earning $40,000 per year, that type of loss can be enough to cause serious financial issues.

While employees need to understand the significance of falling prey to a cyberattack and feel the sting of their careless behavior, that goal may be better achieved through progressive discipline.

Remember Your Duties to Report

Finally, if a cyberattack results in a data breach, be aware of your state’s requirements to disclose the breach to customers and clients. Delaware law imposes some requirements for what employers must do when they discover that employees’ personal information may have been compromised. The law defines “personal information” as a Delaware resident’s first name or initial and last name, in combination with his:

  1. Social Security number;
  2. Driver’s license number; or
  3. Bank account, credit, or debit card number.

To qualify as personal information under the third option, the account or card number must be combined with a security code or password that permits access to the individual’s financial account. An employer that learns the security of its employees’ personal information has been breached must conduct a prompt, reasonable investigation to determine the likelihood that the personal information has been or will be misused. If the employer determines that the misuse of information has occurred or is likely to occur, it must notify the affected employees.

Bottom Line

The best plan is one that you make in advance. There’s no better time than now to review your internal response procedures to ensure you’re prepared to respond to a cyberattack and address data breaches. Delaware law doesn’t impose significant compliance obligations, but it does require employers to investigate any potential security breach and notify all affected employees immediately if their personal information might have been compromised. So be ready, and make sure your employees are well trained on basic safety measures for operating in today’s online world.

Lauren E. M. Russell is an employment law attorney with Young Conaway Stargatt & Taylor, LLP, practicing in the firm’s Wilmington, Delaware, office. She is a member of the Employers Counsel Network as well as Editor of and frequent contributor to Delaware Employment Law Letter. She may be contacted at lrussell@ycst.com.