February 21, 2019

How should a company respond to a breach of employee tax data?

Hypothetical:  

Tax season is one of the most active times for scammers using spoofing, phishing, or other types of attacks to gain access to personal information that hackers can use for illicit profit.  Hackers know that employees in Human Resources and other administrative functions are under significant pressure to provide appropriate reports and information in a timely manner.  One day, HR Manager at US-based Hotel receives an email that looks and feels as if it came from Company President, asking for W-2 information for all the companies’ employees.  HR Manager, aiming to get a relatively simple request off his plate quickly, responds with the requested documents before he notices that the email address is just slightly off.  By the time the IT department is involved, the email—and the W-2 information for all the companies’ employees—has traveled across the world to the scammer’s inbox.

Key Considerations:

  • Where are the impacted employees from?  Any reporting obligations or requirements likely will attach based on the residence of the employees whose data was implicated.  This includes timing (i.e., Hotel has 72 hours if any employees are in the EU), as well as the content of any notifications (e.g., some states have very specific requirements as to what can and cannot be said in the notification).  Hotel will also need to determine whether there are any regulators that must be notified and how quickly they must be notified. 
  • Will Hotel offer credit monitoring services?  Depending on the number of individuals whose data was implicated in the breach, Hotel may need to offer credit monitoring services.  Even if Hotel is not required to offer such services, regulators will ask if it is doing so.
  • What steps has Hotel taken to remediate?  The data is out the door and likely not going to be recoverable, but Hotel can take steps to prevent the next scammer from getting access to its data.  Regulators will want to know that Hotel understands how the breach occurred and that it is taking reasonable steps to prevent such a breach from recurring.
  • Is Hotel working with counsel?  In the immediate aftermath of a data breach, the likelihood of litigation is material.  Impacted individuals, regulators, or shareholders may seek some recovery for alleged statutory violations or damages.  Working with outside counsel to prepare for that likelihood will be critical to putting Hotel in the best position to address any threats of litigation.
  • Does Hotel have cyber insurance?  More and more, companies are purchasing cyber insurance policies to cover the costs associated with response and remediation to a breach or other security incidents.  If Hotel has such a policy, it must make it known what the policy requires, including things like (i) whether Hotel is required to select certain counsel, vendors to perform forensic services, credit monitoring services, etc.; (ii) at what point Hotel must notify its carrier; and (iii) what costs the carrier will cover.