Employees can also intentionally cause cybersecurity incidents
Posted on 06/07/2017 at 09:23 AM by John Lande
This blog has recently covered the ways that employee conduct can lead to cybersecurity incidents. In many cases, employees play an unwitting role in fraudsters’ schemes. Fraudsters use spoofed, or ghosted, emails that appear to come from legitimate senders to trick employees into sharing confidential information or sending money.
However, employees are not always unwitting pawns in fraudsters’ schemes. In some cases, employees may decide to take advantage of an organization’s trust, and use their access to aid fraudsters. The recent case of USAA Federal Sav. Bank v. PLS Financial Services, Inc. illustrates what can happen when an employee decides to help fraudsters.
The plaintiff, USAA Federal Savings Bank (“USAA”), provides banking services to military veterans and their families. The defendant, PLS Financial Services, Inc. (“PLS”), provides check cashing and payday lending services. In the course of its business, PLS cashed checks drawn on USAA as well as other financial institutions. When PLS cashes checks, it creates electronic images of the checks.
A PLS employee started providing fraudsters with access to PLS’s computer systems. Fraudsters used the access to copy electronic check images to create counterfeit checks. Fraudsters copied 2,000 checks with values ranging from $5 to $10,000. Fraudsters then created and cashed counterfeit checks at PLS locations in California, Texas, and Arizona worth over $3 million.
Institutions identified most of the checks as counterfeit after fraudsters cashed them. Since the checks were counterfeit, institutions that honored the checks, including USAA, could not debit funds from individual depositor accounts. As a result, institutions like USAA suffered losses resulting from paying the counterfeit checks.
USAA sued PLS claiming PLS (1) was negligent and (2) violated the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”). PLS moved to dismiss USAA’s claims. The Court agreed with PLS and dismissed USAA’s lawsuit.
First, USAA argued that PLS owed USAA a duty to put in place certain minimum safeguards to prevent this kind of loss. However, the Court disagreed and found that PLS did not owe USAA a duty, even though PLS was cashing USAA checks.
Second, the Court rejected USAA’s argument under the ICFA. The Court found that USAA had not alleged that PLS’s data breach affected Illinois residents. In addition, USAA did not allege what, if any, fraudulent conduct actually occurred in Illinois. It appears that fraudsters cashed most of the counterfeit checks in Texas, Arizona, and California. Therefore, the Court found that the ICFA did not provide a remedy.
The Court dismissed the entirety of USAA’s lawsuit against PLS. USAA may try again to sue PLS, or USAA may look to insurance coverage. Regardless, this case illustrates two important points: First, employees may intentionally jeopardize an organization’s cybersecurity. Second, if employees give fraudsters access there may not be any clear way to recover for losses. Organizations need to take steps to make sure that employees do not intentionally, or unintentionally, allow fraudsters to cause harm.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.