Cyber-attacks are becoming more common as employers depend on outsourced, cloud-hosted technology, and without proper protections in place employers can face substantial lawsuits. On December 11, 2021, Ultimate Kronos Group (UKG), a Florida-based HR management software company, discovered a ransomware attack on one of its cloud-based time and attendance systems. The attack caused outages across the system for weeks, affecting over 2,000 organizations, from hospitals to government agencies. The outage forced employers to track employee time manually and caused difficulties managing end-of-year vacations and payroll and bonus calculations.
Although UKG restored most system capabilities within about six weeks, concerns remained over whether the breach had left employee information exposed and whether some employers had violated the Fair Labor Standards Act (FLSA) during the outage. Since January 19, 2022, lawsuits have been filed against employers in connection with the security breach. The employees' claims range from recouping back wages and overtime pay (for working hours that went unrecorded during the outage, and for the additional time employees spent tracking their own hours) to security-based claims over the employer's failure to adequately protect employees' private information, such as their Social Security numbers.
What can employers do to protect themselves in the event their third-party vendor is hacked?
Employers faced with potential claims arising out of a third-party vendor's security breach may be able to assert a good-faith defense if they took reasonable measures to verify the vendor's security before and during the engagement. To help minimize risk, employers should:
- Ask their third-party vendors whether they conduct regular security assessments, and ask to see the results rather than relying on a yes-or-no answer. A security assessment should, at minimum, identify potential risks, estimate the likelihood and potential impact of each, and lead to specific protections against those risks.
- Make sure their third-party vendors have written security policies and a written incident response procedure that covers how and when customers are notified in the event of a data breach. Employers may want to go a step further and evaluate whether the vendor's policies and procedures align with their own security standards and with the confidentiality and breach-notification terms of the vendor contract.
- Choose vendors that hold recognized security certifications or attestations of compliance. Examples are a Service Organization Controls (SOC) 2 Type II report, which is an auditor's attestation rather than a certification, ISO/IEC 27001 certification, or Payment Card Industry Data Security Standard (PCI DSS) compliance where the vendor handles payment card data. Such attestations do not guarantee that a vendor will never be breached, but selecting vendors that have earned them can help reduce the risk of a data breach and the potential fallout for your company.
If you have questions or concerns about employer obligations under the FLSA or would like to have a policy or procedure reviewed, please do not hesitate to reach out to any member of Gardner Skelton’s employment team.