Payroll After a Security Breach
While payroll professionals are well-schooled in how to recover from the effects of hurricanes, floods, fires, power failures and other disasters, little has been taught about what to do with computer systems after a breach or other event compromises the integrity of pay systems.

Different types of plans need to be developed and new kinds of risks should be assessed, depending on the type of compromise. How quickly payroll can get back up and running after an event depends on the type of incident, a corporate-developed decision tree and the service provider that is to investigate and remedy the problem.

Two general categories of data and system compromise emerge as most likely to occur.

First, there are those seeking to mine data, often personally identifiable information. This can occur through phishing schemes and through staff members who fail to follow security protocols, lose laptop computers, or leave otherwise secure environments open to hacking.

The other category includes attempts to compromise the integrity of a network and irreparably harm the organization.

In both situations, instigators could be from within the organization under attack, or at least were able to obtain password or systems information from someone within the company. Infiltrators may also have had more extensive access to systems.

Regardless of how the breach occurred, the risk protocol for addressing a payroll-systems issue is basically the same as for other data-compromise situations, said David Meyer, vice president of products at OneLogin, a California company that specializes in identity and access management solutions.

Data-security experts interviewed by Bloomberg BNA agreed that each situation is different, and there is no one-size-fits-all solution for remedying data-security incidents.

Some general guidelines, however, may be considered and applied, and payroll professionals should know what actions need to be taken after a security breach.

“Every company should have someone responsible for security incident response,” Meyer said, adding that the payroll department should know how to contact that person.

The organization also should have an incident-response plan, similar to a disaster-response and business-continuity plan, but tailored to critical systems issues.

To help assess risks and make determinations as part of the incident-response plan, employers often rely on third-party security firms that have the resources to perform thorough examinations. The role of these groups is included in an organization's incident-response plan, and large employers have arrangements set up to quickly bring in these experts.

Payroll professionals may ask: What can we do to get payroll running again after an incident? The answer depends on the severity of the compromise and the assessment from the team involved in the incident-response plan.

A “data spill” situation does not necessarily mean payroll needs to scrap the pay system, or even halt or delay the next pay cycle, Bloomberg BNA was told. A default mechanism for preventing additional leaks is to “get bad people out” of the system by resetting passwords and adding authentication protocols, Meyer said. After a full system review, the response team may provide the go-ahead to payroll that processing may proceed.

When data are corrupted or modified, or the system has been infiltrated, such as if wage deposits have been misdirected, the response team should identify all modified user records, determine the scope of the liability and assess the damage, Meyer said. A proper examination of the systems with identity controls should be able to inform the team who accessed what records and when, he said.

Depending on existing capabilities and backups, restoring payroll data from backed-up files after the systems problem has been patched is one recovery scenario for these breaches. Those in payroll would have to be part of the remediation and recovery process, working with the incident response team.

In the end, the response to an incident can run the gamut from a password reset to filing a cyber insurance claim for victims of attacks. This is why it is important that leadership and personnel, including payroll, create and execute an effective remediation plan.

For more information: To learn more about payroll’s response to data security incidents, see the strategic white paper, “System Breaches and Payroll,” that recently was published for subscribers to Bloomberg BNA’s Payroll Decision Support Network.

Follow Michael Baer on Twitter @MichaelTBaer and join the Bloomberg BNA U.S. and Global Payroll group on LinkedIn.