Employers often collect confidential personal information concerning their employees. Employers have access to employee names, social security numbers, addresses, dates of birth, state driver license numbers and personal bank account information. Many employers hire third-party payroll firms to process their payroll. These payroll firms in turn receive and store employees' confidential personal and financial data on their computer systems.
What happens if your employer, or the payroll firm that your employer retains, falls victim to a cyber-attack or a data breach? Unfortunately, a data breach can lead to employee payroll loss and personal identity theft. Theft through a payroll breach can arise in different ways.
Cyber criminals have targeted payroll processing firms by breaching their systems and changing employees’ direct deposit bank account information so that the employees’ paychecks are deposited into an unauthorized, fraudulently opened bank account. The cyber-criminal then promptly withdraws the deposited payroll monies and closes the fraudulently opened account. The employee discovers that she did not receive her direct deposit paycheck only after it has already been diverted into the fraudulently opened bank account. By that time, the money is gone.
In other cases, the cyber-criminal simply steals the employee’s confidential personal data and uses it to commit identity theft by opening credit card or other financial accounts in the employee’s name and running up huge debts before disappearing.
The Michigan Identity Theft Protection Act
A hack of employee confidential personal and financial data causes more than a headache – it can cause devastating financial loss. An employer must act if its employee data is breached. The Michigan Identity Theft Protection Act addresses breaches of personal identifying information stored by entities like employers and payroll processing firms. If an employer determines that a security breach has occurred and that it is likely to cause substantial loss or injury, or to result in identity theft, the employer is required to provide notice to any resident whose unencrypted and unredacted personal information was accessed by an unauthorized person, or to any resident whose personal information was accessed and acquired in an encrypted form by any person with unauthorized access to the encryption key. The employer must provide notice without “unreasonable delay”. The notice to the employees should clearly describe the security breach, identify the information stolen, explain what is being done to protect them from data breaches, and remind them to remain vigilant to potential identity theft. An employer who fails to provide the required notice could be subject to substantial civil fines, up to $750,000, in addition to lawsuits that may be filed by affected persons.
You have rights as an employee if your personal information was hacked
Employees have rights if their personal information was stolen in a data breach. Not only must the employer provide its employees notice under the Michigan Identity Theft Protection Act, but the employees may also be able to recover lost wages and additional damages caused by the breach. Employers must adequately protect and store confidential personal information relating to their employees. Failure to do so could subject them to significant legal exposure. A data hack of employee confidential personal information can have serious consequences. If your employer’s data system is hacked, it is prudent to consult with a lawyer to make sure that you understand your rights and ensure that you are protected.
The lawyers at Kalniz, Iorio & Reardon provide legal counsel to individuals, businesses and other entities that have been harmed by hackers who have stolen employees’ personal and financial information. If you are interested in learning more, do not hesitate to contact us.