
Phishing & Malware: Their Role in Data Breaches

by John DiGiacomo, Partner

Malware is malicious software code that plays a significant role in data security breaches. It is typically delivered through a phishing email scam: an unsuspecting victim receives an email message from a fraudulent source and clicks a nefarious link or opens an attachment that contains the malware. Malware can cause all kinds of problems. For instance:

  • Malware can be used to expose and exploit vulnerabilities in a system. It can create a back door allowing hackers access to the compromised system. A back door enables a hacker to circumvent normal authentication mechanisms when accessing a computer system.
  • It can be used to log a user’s keystrokes, revealing personal or sensitive information such as the user’s login information, passwords, and personal identifying information.
  • Malware can be used to steal financial, banking, and credit and debit card account information.
  • Malware can eat up space in a computer’s memory, slowing down the system’s processing speed.

Some of the most massive data breaches to date were the result of a phishing email scam. In the Target data security breach that occurred in 2013, thousands of Target customers had their credit card information exposed. A third-party vendor was compromised by a phishing scam that granted hackers access to Target’s credit card processing network. When Sony Pictures Entertainment’s computer systems were compromised in 2014, the cybersecurity breach was a result of an employee falling victim to a phishing email attack.

Phishing Scams and the Dissemination of Malware

In 2016, phishing scam emails were the leading way that computers were infected with malware, according to Verizon’s 2016 Data Breach Investigations Report. Remarkably, 30% of phishing emails were opened, and in 13% of cases the recipient went on to open an attachment or click a link contained in the phishing email. Either action allows the malware to gain access to the victim’s computer.

Why Do People Fall for Phishing Email Scams?

Why do so many people open phishing emails despite an ever-growing increase in awareness? Sometimes it is difficult for a victim to know whether an email they receive is legitimate or not. Some phishing emails are clearly scams, which recipients can detect straight away because they do not recognize the sender, the email is littered with misspelled words and incorrect grammar, or the subject line is a dead giveaway. On the other hand, some phishing emails might look very legitimate, complete with convincing logos, signature blocks, and authentic-looking sender email addresses.

When phishing scam emails appear to be from a person or business that the victim knows, it is referred to as spear phishing due to the targeted nature of the attack. Phishing scams are most successful when the email looks so good or legitimate to the recipient that he or she is tricked into opening it. Spear phishing emails seem personal or familiar, and that is why people open them thinking that the message was sent from a trusted source.

Legal Liability When Phishing and Malware Cause Data Breaches

A successful phishing attack does not insulate a business from legal liability for the resulting breach. The legal question courts and regulators ask is not whether the attacker committed a crime — it is whether the business took reasonable steps to prevent the attack from succeeding. That analysis focuses on the business’s security practices, employee training programs, and technical controls, not on the sophistication of the attacker.

The FTC’s Reasonable Security Standard Applied to Phishing

The FTC’s enforcement authority under Section 5 of the FTC Act, 15 U.S.C. § 45, covers any company that collects consumer data. In its enforcement actions, the FTC has treated the following failures as contributing to unreasonable security practices in the context of phishing attacks:

  • failure to provide anti-phishing training to employees with access to sensitive systems;
  • failure to implement email filtering that detects phishing indicators;
  • failure to require multi-factor authentication, so that a phished credential alone is insufficient to access the system; and
  • failure to monitor for anomalous login behavior that would indicate credential compromise.

The FTC’s enforcement record makes clear that businesses cannot defend themselves solely on the basis that an employee “should have known better.” Regulators expect businesses to implement technical controls that limit the damage caused even when an employee does fall for a phishing attack.

State Notification Obligations After a Phishing-Caused Breach

When a phishing attack results in unauthorized access to personal information, state data breach notification statutes are triggered. The obligation to notify arises from the unauthorized access itself, not from a specific finding of misuse of the exposed data. All 50 states require notification under these circumstances, though the specifics — the definition of personal information covered, the notification timeline, and the required content of the notice — vary by state.

Several states have enacted notification requirements with very short timelines. Florida requires notification within 30 days of determining that a breach occurred. Colorado requires notification within 30 days of discovery. New York requires notification in the “most expedient time possible and without unreasonable delay” and concurrent notification to state authorities when 500 or more New York residents are affected. A phishing attack that compromises an employee’s email account containing customer data may trigger notification obligations to dozens of states depending on where those customers reside.

Business Email Compromise: A Particularly Costly Phishing Variant

Business Email Compromise (BEC) is a sophisticated form of phishing attack in which attackers compromise or impersonate a business email account to trick employees, typically in accounts payable or finance roles, into transferring funds to fraudulent bank accounts. The FBI’s Internet Crime Complaint Center (IC3) has consistently identified BEC as one of the costliest cybercrime categories by total financial losses — losses regularly exceed $2 billion per year in the United States alone.

BEC attacks raise distinct legal issues from data breach cases. While the primary harm is financial rather than a privacy breach, the same negligence principles apply. A business that lacks financial controls to verify unusual wire transfer requests — such as requiring voice confirmation for wire transfers above a threshold, or implementing dual approval for large transactions — may face civil claims from shareholders or owners for the failure to implement basic fraud prevention controls. Banks that process fraudulent wire transfers without adequate verification may also face liability under UCC Article 4A governing funds transfers, though the standards for bank liability in BEC cases are complex and fact-specific.

What Businesses Should Do After a Phishing-Caused Breach

  • Engage legal counsel immediately. Attorney-client privilege protects forensic investigation findings and internal communications when conducted under counsel’s direction.
  • Conduct a forensic investigation. Determine the scope of the compromise: which accounts were accessed, what data was exposed, and over what time period. Notification obligations depend on this analysis.
  • Reset compromised credentials. Immediately invalidate compromised credentials and require password resets across any systems to which the compromised credentials had access. Deploy MFA before restoring access.
  • Map notification obligations. Based on the forensic findings, identify every state and federal notification obligation that applies, including contractual obligations to payment card processors and business partners.
  • Review your security controls. After the immediate response is complete, conduct a thorough review of the controls that failed to prevent or limit the impact of the attack. Remediation is both operationally necessary and legally important — regulators will scrutinize what steps were taken to prevent recurrence.
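As an added example that is not part of the original post, the following Python script carries out the scoping and notification-mapping steps above on a constructed mailbox audit log. It assumes the forensic review has already attributed one client IP address to the attacker, that an index of which customer records each mailbox held is available, and it applies the 500-resident New York threshold mentioned earlier.

```python
from collections import Counter
from datetime import datetime

# Constructed audit log (timestamp,mailbox,client_ip,action); the IPs are
# documentation-range addresses and the whole log is made up for this example.
AUDIT_LOG = """\
2024-03-04T08:55:00Z,alice@example.com,203.0.113.10,UserLoggedIn
2024-03-04T09:12:00Z,alice@example.com,198.51.100.7,UserLoggedIn
2024-03-04T09:13:30Z,alice@example.com,198.51.100.7,MailItemsAccessed
2024-03-05T22:41:00Z,bob@example.com,198.51.100.7,UserLoggedIn
2024-03-05T22:45:10Z,bob@example.com,198.51.100.7,MailItemsAccessed
2024-03-06T07:02:00Z,carol@example.com,203.0.113.22,UserLoggedIn
""".splitlines()

# Assumption: the forensic review attributed this client address to the attacker.
ATTACKER_IPS = {"198.51.100.7"}

# Constructed index of the customer records each mailbox held: (customer_id, state).
CUSTOMER_RECORDS = {
    "alice@example.com": [("c1", "NY"), ("c2", "FL"), ("c3", "NY")],
    "bob@example.com": [("c3", "NY"), ("c4", "CO")],
    "carol@example.com": [("c5", "FL")],
}

NY_REGULATOR_THRESHOLD = 500  # NY: notify state authorities at 500+ affected residents


def scope_compromise(lines, attacker_ips):
    """Map each mailbox touched from an attacker IP to its (first_seen, last_seen) window."""
    window = {}
    for line in lines:
        ts, mailbox, ip, _action = line.split(",")
        if ip not in attacker_ips:
            continue  # legitimate activity is not part of the compromise scope
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        first, last = window.get(mailbox, (when, when))
        window[mailbox] = (min(first, when), max(last, when))
    return window


def residents_by_state(compromised, records):
    """Count distinct customers per state; a customer held in two mailboxes counts once."""
    seen = {}
    for mailbox in compromised:
        for cust_id, state in records.get(mailbox, []):
            seen[cust_id] = state
    return Counter(seen.values())


def ny_regulator_notice_required(counts):
    """New York's concurrent notice to state authorities is triggered at 500+ residents."""
    return counts.get("NY", 0) >= NY_REGULATOR_THRESHOLD
```

The per-state counts feed the notification map: each state with a nonzero count has its own definition of personal information, timeline and notice content to check.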

Talk to a Data Breach Lawyer

If your business has been involved in a data security breach because one of your employees opened a phishing email, you will need to take steps to manage the aftermath of your company’s exposure according to notification laws. Contact the data breach experts from Revision Legal today using the form on this page or call us at 855-473-8474.
