Written by: Peyton Smith
Shareholder, Litigation Section, Labor & Employment Practice Group at Munsch Hardt Kopf & Harr PC
I was contacted this week by the Director of Human Resources for a technology client with a request for immediate assistance tied to a data breach that has unfortunately, becoming alarmingly too frequent during the first three months of 2016. She had received an email from the President of her company at the end of her workday, noting that their senior leadership was working on salary, bonus and budget forecasting for their company and requesting that she send to him the W-2’s for key company personnel via PDF. The email was written in his typical conversational style and was signed in the manner in which he signed all his internal emails. Further, his reply email listed a return email address to his direct email account. Before she sent the information or replied, she confirmed the email and signature block and verified with a Vice-President that she could forward the requested information. Upon review of the email and messaging, the Vice-President authorized the production of the requested information and employee W-2’s. Feeling well protected, the HR Director sent the email and W-2’s requested.
The email was unfortunately a scam with a hacker who had copied the President’s email signature block, matched his communication and signature style, word-for-word, including creating a “ghost” over his correct email address to cloak the email address to appear to be for the intended recipient. My client was fortunate since they caught the data breach quickly but the information was now in the hands of someone outside the company who clearly had less than honorable ideas with what to do with the information they had gathered. Furthermore, hundreds of employees now had their W-2 information, including their name, address, social security numbers and other confidential information, taken by a skilled hacker.
In addressing this issue with my client in recent days, we learned that this current phishing scam is incredibly popular right now. The FBI and local law enforcement advised us that there have been more than 700 reported similar cases of hackers fraudulently securing employee W-2 information in the month of March 2016 alone. The hackers appear to be targeting companies with less than 3,000 employees and the email requesting W-2 and similar employee information is nearly always directed to the human resources contact at the targeted company. The IRS has recently released an alert warning employers of this scam and to alert them to be increasingly vigilant in protecting company and employee information. (See the following link as to the latest alert: https://www.irs.gov/uac/Newsroom/IRS-Alerts-Payroll-and-HR-Professionals-to-Phishing-Scheme-Involving-W2s) “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
If you have not yet done so, employers are strongly encouraged to implement a proactive plan to decrease the risk of unauthorized disclosure of such information. Each state has different requirements for employee protection and penalties which might be levied against employers for failing to implement appropriate safeguards for protecting employee confidential information, as well as the notice requirements in the event a data breach occurs. In the event that a data breach occurs and confidential employee information has been accessed by unauthorized parties, employers should immediately address the issue with more aggressive internal safeguards, contact legal counsel regarding how best to strategically address internal and external legal ramifications of the breach, notify law enforcement (local and the FBI’s Cyber Crimes Division), and inform the IRS of the fraudulent access to employee social security numbers. Simultaneously, employers have a duty to promptly inform employees of the breach and what increased protections have been put in place to decrease the risk of future data breaches.
In light of these concerns and the increased risk of hacking personal information, employers are also encouraged to review current insurance policies and to consider whether to purchase cyber insurance coverage. Additional security software for utilization by the human resources and accounting department might be a wise and worthy investment to consider as a deterrent to hacking vulnerability. With the increased efforts of hackers seeking W-2 and other personal employee information, prudent employers will partner with their legal counsel to address such concerns prior to being a hacking victim. When considering best practices in protecting employee information, employers should follow the adage “the best defense is a good offense”.
Peyton N. Smith is a Shareholder in the Labor & Employment and Business Litigation practice groups at Munsch Hardt Kopf & Harr, P.C. and is based in the firm’s Austin office.
