The cyberattack against human resource company Ultimate Kronos Group has triggered a wave of wage-and-hour lawsuits against employers, highlighting the scope of potential liability associated with relying on third-party software for payroll functions.
Workers have filed nearly 20 proposed collective actions alleging violations of the Fair Labor Standards Act since the Kronos hack was disclosed in December, including lawsuits against
U.S. government officials have warned of potential Russian cyberattacks against private companies, adding to the hacking hazards that firms face.
Lawsuits alleging privacy violations, breach of contract, and negligence are common following data breaches. Plus, the wage claims filed in the wake of the Kronos ransomware attack show that software disruptions can carry their own risk.
“While employers can outsource the payroll function, they cannot outsource liability for violations of the FLSA or state or local laws,” said Jonathan Segal, an attorney at Duane Morris LLP who represents companies. “Unfortunately, ransomware and other forms of cyberattacks are becoming more frequent. The question is: How does an employer mitigate the risk that such attacks may cause?”
Tactics to protect against legal liability related to hacks of third-party payroll outfits include setting up backup systems, carefully vetting vendors, and obtaining indemnity clauses, management-side lawyers said.
When they face wage claims, companies may also have a good-faith defense against enhanced damages that come from willful violations, provided they can show their efforts to swiftly address any problems from hack-driven payroll software outages, attorneys said.
Kronos announced Dec. 13 that it had suffered a ransomware attack and warned that it could force its systems offline for weeks. Kronos restored core functions like employee time, scheduling, and payroll capabilities by Jan. 22, the company said in an emailed statement.
“The security and privacy of customer information is of the utmost importance to us and we have been taking measures to protect against this type of incident in the future,” Kronos said. “Leading privacy and security firms have also been working with us to test and continually harden our environment.”
Lawsuits alleging FLSA violations began rolling in after the hack was disclosed, with six arriving in January, five in February, and eight in March, according to a Bloomberg Law analysis of cases. The deadline for workers to file FLSA claims is two years from the alleged violation, which gets extended to three years for alleged willful violations.
Workers suing in connection with the Kronos hack have sought double damages—back pay and “liquidated damages” for willful violations. Specific allegations varied, including underpayment of regular wages, failure to pay overtime, and not compensating workers for the time to manually track their hours.
Most of the lawsuits added proposed class claims under state wage laws. A pair of the lawsuits also included privacy-related claims against Kronos.
Attorneys for PepsiCo and Olin didn’t respond to requests for comment about the lawsuits, nor did a representative for Marriott. Kronos declined to comment on the litigation.
Preventing disruptions to payroll by setting up their own systems—either going totally in-house or as a backup in case of a vendor hack—is a direct method for protecting against liability under the FLSA, lawyers said.
But it’s expensive and difficult for many non-technology companies to create and maintain software in-house, said Jennifer Ruehr, a Northeast Ohio-based attorney at Hintze Law PLLC.
“If you’re a retail company, your specialty is making clothes, not a timekeeping system,” Ruehr said. “Many companies don’t have the expertise or the time, so they’re looking outward for services that can handle data and keep their services up to date.”
Maintaining precise timekeeping can be a big challenge for establishing secondary payroll systems, especially if an employer uses manual time sheets, said Eric Su, an employment attorney with Crowell & Moring LLP. Inaccurate wage statements can invite lawsuits, he said.
Employers should thoroughly vet vendors’ cybersecurity protocols before signing them on as payroll masters, attorneys said.
Companies should look at a vendor’s track record on breaches and assess whether it’s compliant with relevant sectoral laws, such as the Health Insurance Portability and Accountability Act for medical data, said Dmitry Shifrin, a privacy and health care attorney at Polsinelli PC.
In negotiating contracts with a vendor, companies need to think about clauses of indemnity so that if a breach does occur, some of the costs and legal risks are shifted away from the business, Shifrin said.
Due diligence isn’t a full-proof way of stopping hacks, but it’s certainly a step in the right direction, said David Oberly, a privacy attorney with Squire Patton Boggs.
“You can’t predict every breach that’s going to happen, and it’s not a matter of ‘if’—it’s a matter of ‘when,’” Oberly added. “But you can definitely mitigate that risk, and that’s what makes due diligence and regular auditing and testing so important.”