Prepare NOW to manage your workforce through a cyberattack | Akerman LLP – HR Defense
It’s every employer’s worst nightmare: an unsuspecting employee receives an early morning email from someone claiming to be her supervisor. The email asks her to follow up on an urgent work assignment that requires her immediate attention. With several deadlines fast approaching, she doesn’t think twice. She opens the email and the attached file and prepares to work. Within minutes, the entire system, including all confidential and proprietary data, time and attendance records, and payroll records stored in it, becomes unusable and shuts down. The attacker delivers a single message to the employer: pay the ransom in exchange for the data or risk losing all the files.
Ransomware attacks are on the rise, and employers are increasingly targeted. By some estimates, in the first seven months of last year alone, reports of ransomware attacks showed a staggering 62% year-over-year increase. Ransomware is a form of malicious software that can infect and lock down a target’s network. While some malicious actors demand a ransom in exchange for decryption software, others simply steal company data whether or not a ransom is paid, often leaving victims with no way of knowing what the attacker accessed or took. Needless to say, ransomware attacks can disrupt business operations and result in the loss of trade secrets, sensitive business information, personal data, and even medical documents.
More than ever, it is imperative for employers to remain vigilant, understand the applicable laws and implement both preventive measures and emergency plans.
Federal and State Laws Counsel Vigilance
Ransomware attacks can instantly cripple a company’s ability to manage operations (payroll, timekeeping, and document retention), and the consequences can be costly. In most states, payroll and timekeeping procedures are governed by federal and state law. The Fair Labor Standards Act (FLSA) is the primary federal law governing wage and hour standards for most workers in public and private employment. The FLSA does not require wages to be paid weekly or on a particular day of the month. However, once an employer has designated specific pay dates, it is obligated to stick to that schedule. Failure to do so may expose the company to claims for unpaid wages and, in some cases, damages.
Many states have stricter requirements. For example, in New York, manual workers generally must be paid on a weekly basis, while office workers must be paid at least twice a month. In California, employers are required to pay most non-exempt employees at least once a month on designated paydays each month.
Employers are also required to implement compliant timekeeping practices. Although neither state nor federal law generally requires employers to use any particular method of timekeeping, companies should ensure that their system accurately and reliably records all hours worked and that the underlying time records are retained.
All employers are required to keep payroll records for at least three years under federal law. But some states may require companies to keep records for a longer period. In fact, in most states, the best practice for employers is to keep payroll records for at least four years (up to six years in New York) and benefits-related records for up to six years.
It is important to note that penalties for not keeping accurate time and payroll records fall on the employer, not the employee. In the event of a dispute, an employee may prove unpaid wages through testimony, including his own interested testimony. It is then up to the employer to establish the exact number of hours worked or to rebut the employee’s evidence. If an employer fails to produce the worker’s payroll or time clock records, the case may very well be decided on the employee’s own evidence.
Develop a crisis management plan
In today’s digitalized world, workforce management software and cloud-based services are becoming the new normal in both public and private markets. Therefore, employers are well advised to implement both a contingency plan and preventive measures to respond to cyberattacks. Consider the following:
- Develop and test an incident response plan. Time is of the essence in the minutes following a cyberattack. Make sure your organization has developed a plan to respond to cybersecurity incidents, and test the plan regularly. Among other things, the incident response plan should identify the employees who will be part of the incident response team and assign at least one person responsibility for guiding management through the incident and, where possible, mitigating any data loss as quickly as possible. Your plan should also define the payroll and timekeeping procedures that will be followed in the moments following a cyberattack. Most employers will need to temporarily switch their employees to manual timekeeping or another offline system. Discuss this system with your team, review it with all new employees as part of their onboarding process, and review it periodically with your staff.
- Train and test your staff on phishing. Phishing refers to the fraudulent practice of sending emails to trick the recipient into revealing sensitive information or deploying malicious software on a network. Many companies implement “mock phishing” in the form of internal emails or urgent requests to provide targeted security awareness training. This can be a useful way to educate and train new and current employees on the latest cyber threats.
- Review your service contract. Many employers use third-party companies to process, manage, and store all of their time and payroll records. If this is the case for your company, review the service agreement with your payroll provider and clarify the extent of your company’s and the provider’s responsibility for recording and storing personal information. If you are not satisfied with these arrangements, suggest changes and negotiate an agreement that works for your organization.
- Build redundancy into your payroll system. Understanding that cloud-based systems (or any electronic system, for that matter) are not perfect, employers should implement at least one record backup system. Consider backing up all personnel records to an alternate, encrypted, offline system.
- Review and revise employee handbooks/manuals to deal with emergencies. To the extent you haven’t already, review your employee handbooks to outline how your organization will handle payroll and timekeeping, as well as any other personnel issues, in response to a cyberattack. If you are in a state that does not require payroll to be paid at legally defined intervals, include a disclaimer in your handbooks/manuals explaining that pay dates are subject to change in the event of an emergency, and that in such cases payroll will be issued on the next practicable day.
Ultimately, the effectiveness of a company’s response will largely depend on its readiness and ability to switch between different workforce management systems, as well as its understanding of its own limitations. In light of the increasing rate of cyberattacks, you need to ensure that these plans have been thoroughly reviewed and discussed with all decision makers, HR, and IT staff.