A Rockhurst University employee is suing the school after private information belonging to herself and another 1,200 of the school's employees was provided to criminals by one of her colleagues who fell prey to CEO fraud-type spear phishing last month.

On April 4th, a criminal impersonating an administrator of the Kansas City liberal arts college sent an email to an employee handling human resources materials, asking that the worker send him (or her) W-2 information (which, naturally, included Social Security Numbers and income figures) for the school's employees. The email address provided by the criminal was external to the school, but the targeted employee apparently was not alarmed, and sent the materials.
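The tell in this incident, a message whose display name matches an internal administrator while the actual sending address is outside the school, is something a mail gateway or a triage script can check for. The following is an added example (not code from the article or from Rockhurst); the organisation domain, the list of internal administrators and the three sample messages are all constructed for illustration.

```python
"""Flag CEO-fraud style messages: an internal administrator's name on an
external address, an external Reply-To behind an internal From, and a
request for payroll data (W-2, SSN) coming from outside the organisation.
Assumed: ORG_DOMAIN and INTERNAL_ADMINS are constructed placeholders."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"                      # assumed organisation domain
INTERNAL_ADMINS = {"jane doe": "jdoe@example.edu"}   # assumed staff directory
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn", "payroll")


def _domain(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw):
    """Return a list of finding labels for one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    name_key = " ".join(name.lower().split())       # normalise the display name
    from_dom = _domain(addr)
    if name_key in INTERNAL_ADMINS and from_dom != ORG_DOMAIN:
        findings.append("impersonation")             # known admin's name, outside address

    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply)
    if reply and from_dom == ORG_DOMAIN and reply_dom != ORG_DOMAIN:
        findings.append("reply-to-mismatch")         # answers would leave the organisation

    text = ((msg.get("Subject") or "") + "\n" + _body_text(msg)).lower()
    asks_for_data = any(term in text for term in SENSITIVE_TERMS)
    external_path = from_dom != ORG_DOMAIN or (reply and reply_dom != ORG_DOMAIN)
    if asks_for_data and external_path:
        findings.append("sensitive-request-external")
    return findings


# Constructed sample messages (not real traffic).
PHISH = """From: Jane Doe <jane.doe.admin@mail-example.com>
To: hr@example.edu
Subject: W-2 copies needed today

Hi, could you send me the W-2s for all employees as one PDF? Thanks, Jane
"""

REPLYTO_PHISH = """From: Jane Doe <jdoe@example.edu>
Reply-To: jane.doe.admin@mail-example.com
To: hr@example.edu
Subject: Quick favour

Please reply with the payroll export for all staff before noon.
"""

LEGIT = """From: Jane Doe <jdoe@example.edu>
To: hr@example.edu
Subject: Lunch

See you at noon in the cafeteria.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("reply-to phish", REPLYTO_PHISH), ("legit", LEGIT)):
        print(f"{label:15} -> {check_message(sample) or 'clean'}")
```

The name match is deliberately on the normalised display name rather than the address, because that is the field a recipient actually reads; an address-only check would miss exactly the case described above. Messages that trip `impersonation` or `sensitive-request-external` are candidates for quarantine and an out-of-band phone confirmation with the person supposedly asking, not for a reply.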

The lawsuit filed last week in Jackson County Circuit Court by Alexandria Stobbe claims that Rockhurst was reckless because it failed to establish and implement appropriate data protection for employees' personal information - that the school demonstrated "flagrant disregard" for the employees' rights to privacy and put them at "an imminent, immediate and continuing increased risk of identity theft, identity fraud and medical fraud." The filing by Stobbe also asks the court to create a class-action suit on behalf of all impacted Rockhurst employees, and claims that the university's alleged failure to practice what might be termed "Due Care" harmed its workers' peace of mind, and forced them to spend time and money protecting themselves against potential fraud and identity theft.

While the case is yet to be tried, it seems clear that Rockhurst will incur significant expense to either defend the case or to settle it - and, if it does choose to fight, it may also suffer the cost of an adverse judgment. Businesses should take note, as many organizations today rely on little more than basic employee training to protect against spear phishing - and, if a leak were to occur, such minimal steps may not offer adequate defense in court. In fact, as several high-profile CEO fraud and related cases recently received significant media coverage, now might be a good time to think about better protecting your organization against this type of crime. For my recommendations, please see my article, This Email Scam Just Caused $100 Million in Fraud.