Employment Law Report
KRONOS Payroll Ransomware Attack Implicates Potential Data Breach Notification Obligations
By: Kathie McDonald-McClure
UKG, Inc., a company that provides payroll support services known as KRONOS for many U.S. companies, began notifying its customers on December 12, 2021, that the KRONOS Private Cloud (KPC) had been attacked by ransomware. The KPC products include Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. UKG reports that the KPC solutions may be unavailable for “several weeks.” Affected companies are diligently working to find alternative solutions to process their payrolls in the interim. UKG has created a KPC Incident Resource Hub to assist customers impacted by the KPC disruption in services.
The American Hospital Association (AHA) reported that the ransomware attack has impacted many hospitals and health systems that rely on KRONOS for timekeeping, scheduling and payroll. John Riggi, AHA’s Senior Advisor for Cybersecurity and Risk, said, “A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients. … This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. … [W]e urge all third-party providers that serve the health care community to examine their cyber readiness, response and resiliency capabilities.”
In addition to the immediate payroll issues, if the ransomware attack compromises employee personal information, then it may trigger a data breach notification for these employers under state breach notification laws.
Individual Data Breach Notification Burden is on Data Owner. If there is any personal information of employees on a compromised third-party vendor’s server, such as the KRONOS Private Cloud, and such information includes identifiers that are protected under applicable state data breach law (see below), then there may be an obligation for data breach notification to affected employees. Such data breach notification obligation usually falls to the company that owns the employee data, i.e., the employer, rather than on the vendor. Even if the burden was shifted to the vendor contractually, this usually does not eliminate the owner of the information’s ultimate responsibility under applicable data breach laws.
Only Certain Personal Information is Protected. Most state data breach laws define the personal information that is protected to include the first name or initial and last name combined with one of the following: a) Social Security number, b) Driver’s License number; c) state identification card number, or d) a financial account or credit or debit card number in combination with any security code, access code or password that would permit access to the financial account. More and more state legislatures, however, have been expanding their state’s definition of protected personal information to include other information such as medical and insurance information, biometric information, and even email addresses and user names when the unauthorized access also includes passwords or security questions and answers for the email account. The types of personal information that are still not protected under most state data breach notification laws include: date of birth, home address, phone number and email address alone. This information is most often readily available from public sources, not the least of which is often the individual’s own social media account.
Law in State of Residence Governs. Another key point to remember is that the state where individuals reside will govern a company’s data breach notification obligation, if any, for individuals impacted by a data security incident. For example, for an employee who lives in Mississippi, but works in a company’s operations just across the Tennessee state line, the company would look to the Mississippi data breach law to determine whether it has an obligation to notify that employee of a vendor’s data security incident that resulted in unauthorized access to the employee’s personal information. All fifty states have enacted data breach notification laws that require businesses or the government to notify individuals if their data has been breached; however, each state’s law is slightly different. Thus, it is important to look closely at the state law to determine how it may apply.
Responsive Action Tip. Companies impacted by a payroll vendor’s data security incident should quickly assess the types of personal identifiers stored on the vendor’s impacted servers, and also pull together a list of states in which its employees reside. With a list of the types of personal information and the states where employees reside, Wyatt lawyers with experience in data privacy and security matters can readily assist in assessing the company’s potential notification obligation.
KRONOS Incident Illustrates Cyber Risk. As of its December 16, 2021 update, UKG said it was still investigating whether the attack was linked to the Log4j vulnerability that is estimated to impact 47% of corporate networks worldwide (read more about Log4j in this Wyatt blog post here). The KRONOS incident together with the critical Log4j vulnerability is illustrative of a cyber-threat environment that risks the exposure of any personal information held in company networks. The Wyatt Data Privacy and Security Services Team regularly assists clients with the development or review of their Data Incident Response plans.
If you need additional information, please contact: