On April 20, 2016, a class action lawsuit was filed in the United States District Court, Southern District of California against Sprouts Farmers Market, Inc. The lawsuit was initiated by a former employee whose W-2 was allegedly disclosed as part of a phishing scam that occurred in late March 2016 amid reports that Sprouts’ employees had their IRS tax refunds stolen. According to the complaint, the W-2s of Sprouts’ employees were disclosed to a third party as a result of the phishing scam.
This sort of internet scam, referred to as “phishing,” occurs when someone attempts to acquire sensitive or confidential information under the guise of a legitimate request. For the average internet user, phishing scams often come in the form of a fake email from a bank or other financial institution asking you to click on a link to confirm your password on a web site that looks like a legitimate web site for the business. The fake web site often uses the actual logos and branding from a legitimate site to trick the user.
In this case, the complaint alleges that an email, ostensibly from a Sprouts executive, was sent to an employee in the payroll department asking for the W-2s of all Sprouts’ workers. The employee responded to the email, sending the W-2s of approximately 21,000 Sprouts employees. Unfortunately, Sprouts later discovered that the original email requesting the information was not legitimate, and notified the authorities.
The class action complaint alleges that Sprouts was negligent in its protection of private employee information, violated California Civil Code sections 1798.80 et seq. (including California’s data breach law), and engaged in unfair business practices in violation of California Business and Professions Code section 17200. The complaint alleges that while Sprouts offered credit monitoring services for 12 months for the impacted employees, the service chosen did not protect against identity theft, and only notifies the consumer after identity theft or other fraudulent activity has occurred. The complaint also alleges that Sprouts had “lax” security procedures for its employee data, and concealed that fact from its employees.
This case highlights the necessity that employers have protocols in place to protect employee information, and the risks associated with not having such protocols in place.