Hack of Payroll Company Reveals Employer Liability

While payroll companies offer services attractive to employers looking for relief from the burdensome administrative tasks associated with timekeeping and payroll, the use of such companies is not without risk. Recent collective actions alleging wage and hour violations by companies using a payroll provider who was hacked offer a stark warning to companies that use payroll providers and a good reminder that the obligation to pay employees remains the employer’s responsibility.

In December of last year, a nationwide timekeeping and payroll provider – Ultimate Kronos Group (Kronos) – suffered a ransomware attack which caused disruptions in its services for more than a month. Kronos provided timekeeping and payroll services to national employers, among them PepsiCo, Olin Company, Marriott International, Inc., and Mercedes-Benz.

Although payroll services were only down for a few weeks, Kronos’ clients scrambled to move payroll back in-house.  Despite their efforts, the disruption caused missed paychecks, inaccurate payments, and other issues.  To date, approximately 20 lawsuits have been filed by employees against their employer companies.

But wait – you may be asking – shouldn’t Kronos be responsible for these payroll problems? Although Kronos may indeed be liable to its clients (Pepsi, Olin, Marriott, etc.), the lawsuits brought by employees are against their employers. This is because the Fair Labor Standards Act and its state-law equivalents almost uniformly place the obligations to track time and pay accurate, timely wages on “employers” – not their third-party payroll processors.

What does this obligation look like in the context of the Kronos ransomware attack? Take the case of James Click v. Mercedes-Benz USA, LLC. Following the Kronos hack, Mercedes-Benz experienced significant problems with its payroll and timekeeping systems. Once these systems experienced difficulty, one of Mercedes’ employees – James Click – brought a lawsuit in federal court in Georgia alleging Mercedes-Benz failed to implement a functional alternative system while the hacking-related issues were resolved. Instead, Click claims, Mercedes-Benz relied on payroll estimates or simply referred to prior pay periods when calculating the amount of overtime pay owed in a given pay period to employees. The result, alleges Click: Mercedes-Benz failed to pay wages, including overtime, for all hours worked, which Click’s suit states is in violation of the Fair Labor Standards Act (FLSA). 29 U.S.C.A. § 201. In essence, Click’s suit claims that Mercedes-Benz “pushed the cost” of the damage caused by the Kronos hack onto Mercedes-Benz employees. Conspicuously, Kronos is not a named defendant in Click’s lawsuit.

Employees like Click who have sued their employers following the Kronos hack have routinely sought double damages on the grounds that their employers’ failures were the result of a “willful violation” of the FLSA.  These employers are also liable for the (not insignificant) attorneys’ fees of employees in bringing and prosecuting these lawsuits.

In an effort to be better prepared for a payroll company hack or disruptions to payroll systems, employers can take various steps before a hack occurs. Prudence requires an employer seeking the services of a payroll company to thoroughly research the payroll company prior to retention. The research should include examining the payroll company’s procedures when a hack or disruption occurs and reviewing whether the company has a history of network intrusions.

Employers would also be well-served to put in place backup systems in the event of a hack or system failure. Relatedly, employers with the resources to do so can consider having payroll services performed in-house. In-house payroll can be in lieu of using a payroll company or act as a backup in the event of a payroll company hack.

Once a hack is detected by the employer, or the employer is made aware of a hack through the payroll company, it is wise for the employer to act without delay to take steps to mitigate the damage caused by the hack. When the employer acts promptly to mitigate the damage, its attempts may be offered as evidence of good faith to counter allegations that any violation was willful.

Although it is tempting to “farm out” the tedious and time-consuming task of employee timekeeping and payroll processing, employers should always remember the obligation to properly pay employees is theirs alone. When a lawsuit for wage and hour violations occurs, the payroll provider is often nowhere to be found.

Click v. Mercedes-Benz USA, LLC, No. 1:22-CV-01422-SDG, 2022 (N.D. Ga. April 12, 2022)


The St. Louis employment attorneys at McMahon Berger have been representing employers across the country in labor and employment matters for over sixty years and are available to discuss these issues and others. As always, the foregoing is for informational purposes only and does not constitute legal advice regarding any particular situation as every situation must be evaluated on its own facts. The choice of a lawyer is an important decision and should not be based solely on advertisements.