An ongoing service outage at HR vendor UKG that affected timekeeping and payroll software has some employers scrambling, and others viewing business continuity plans in a new light.
The company reported last week that a ransomware incident took several of its Kronos-branded services offline and that "it may take up to several weeks to restore system availability." In a statement, UKG's CEO recommended clients implement alternative business continuity protocols.
"It's going to be a big deal for some companies," Elizabeth Chilcoat, an associate at Sherman & Howard, told HR Dive. Employers must have a rapid response: "This is all hands on deck to identify what the problems are and solve them."
HR departments that typically rely on automation for the affected tasks may need to bring in temporary help, Chilcoat said; "It's a horrible thing to happen this close to the end of the year when people are wanting to take time off [or] winding down a little bit."
At the same time, the outage is "a sober reminder" of the importance of backup plans for automated HR functions, Kevin Jackson, an associate at Foley & Lardner LLP, wrote in a blog post for the firm.
The disruption involved Kronos scheduling, timekeeping and payroll products. It sent some employers scrambling to ensure employees are paid properly and on time, NPR reported — both for employee needs and for compliance with wage and hour laws.
New York's Metropolitan Transportation Authority, for example, said in a statement that it was working with payroll and timekeeping experts to identify alternatives and ensure employees still receive their pay, The New York Post reported.
Others seemed to have a continuity plan ready to go: A Texas hospital told local media that it was activating existing procedures.
And then there are those focused on stop-gap fixes. The University of Utah, for example, told workers that while paychecks will be issued on schedule, "there may be adjustments at a later date to reflect corrections as needed," perhaps an indication that it will opt for a route Jackson highlighted: calculating wages owed based on posted schedules, past payroll cycles or badge swipes, and adjusting payments as soon as the correct work hours can be determined.
Others might attempt to migrate data to a new platform, if they have the relevant information available. Kronos competitor Deputy, for example, announced it would offer its services free to Kronos clients for the duration of the outage.
Regardless of the path chosen, affected employers should immediately ask employees to report hours worked, if that information was lost, Chilcoat said. People's memories will degrade as time goes on, so it's best to act quickly, she explained. And employers should maintain a backup reporting method until the outage is resolved. Paper time sheets are just fine; what's of utmost importance is accuracy, she said.
Employers also must immediately prepare to survive multiple payroll cycles on their own, Chilcoat said, citing Kronos' projected timeline for getting back online. Some companies will be able to continue running direct deposit, she said, while others may have to turn to conventional checks. While federal authorities only require "timely" pay, many states have hard deadlines, she pointed out; "You don't have a lot of time to figure out how you're going to pay employees."
After that, it's important to ensure open enrollment efforts weren't affected, Chilcoat noted. For any companies still in that process, it will be crucial to check that employee elections weren't lost and that those who have not yet completed the process have a way to do so. Leaves of absence and any certifications tracked through the vendor also must be addressed, she continued, recommending that HR acknowledge that there will be mistakes and plan to "treat employees with some grace," with regard to all of these issues. "That will help prevent claims of discrimination and retaliation from arising," she said.
Finally, HR may have to take steps to address the data breach. While ransomware can restrict access to systems, there are also cases in which malicious actors gain access to the data itself. Employers are governed by a patchwork of state laws in this area, so, if affected, "I would be calling a lawyer who specializes in data breaches," Chilcoat said. Some laws require entities to report breaches to victims or authorities and there can be penalties for failing to do so in a timely manner, she continued. "Even if you're not legally required to, you engender goodwill" by providing notices, she said, even if you don't yet know what data, if any, was involved.
Workplace experts have long extolled the benefits of business continuity planning, often focusing on weather events that close facilities or, these days, a pandemic that affects the availability of labor. But with cybersecurity events increasing in severity, according to a January report, such issues may need to be considered in scenario planning.
The good news is that HR pros may have support for such efforts, as cybersecurity risk has become a priority for many in the C-suite, according to Cybersecurity Dive reporting. The difficulty, however, lies in predicting the unpredictable, a partner at consulting firm Mercer recently wrote for HR Dive.
Among other things, Chilcoat predicted that employers will increasingly seek to negotiate indemnification for cybersecurity attacks into software contracts. That may be an uphill battle, she noted, but HR should at least work to understand who will own the data involved in such partnerships. It's key, for example, that HR be able to download data and maintain a local copy. "That's a best practice whether or not there's been a data outage," she said, as it's useful to have when switching vendors or during litigation.
It's a lesson learned today that Chilcoat predicted will reshape future HR functions: "I think we're going to see an increasing number of companies saying storing data in the cloud is all well and good but I want [backup in case] there's another software outage."