Workforce management company Ultimate Kronos Group faces a proposed class action after its ubiquitous Kronos timekeeping system got whacked by ransomware last December. The aggrieved customers dragged the firm into court as scheduling and payroll were hindered at thousands of organizations including Tesla, PepsiCo, Whole Foods.
Due to the network outage, many major firms were unable to pay workers on time for all of their wages, including overtime wages, and shift differentials, as they rely on Kronos products for timekeeping and prompt pay policies.
Employees at Tesla and PepsiCo filed a class-action lawsuit against UKG in the U.S. District Court in the Northern District Court of California seeking damages due to alleged negligence in data security procedures and practices. New York MTA employees filed a separate suit in the U.S. District Court for the Southern District of New York against the MTA, alleging it failed to pay overtime wages due to the Kronos outage.
According to John Bambenek, principal threat hunter at security firm Netenrich, the response and recovery from the ransomware attack is UKG's responsibility, but failure to make payroll, a potential violation of the federal Fair Labor Standards Act (FLSA) and any applicable state and local laws, is the fault of the employer.
The federal Fair Labor Standards Act (FLSA) requires organizations to accurately track the hours worked by employees and pay workers accordingly. Failure to comply with these requirements could entitle workers to compensation of up to double their unpaid wages.
"The employers are responsible for making payroll. If they're using a third-party provider, and it doesn't get the job done, they're responsible for making payroll,” said John Bambenek. “That doesn't leave Kronos off the hook, however. Kronos offers service and couldn't provide it, so now the company may be liable to its customers, Bambenek said. Employers can sue UKG too.”
However, the key question is whether the contracts that UKG negotiated with its customers define who might be responsible in the wake of an incident like this. In many cases, commercial contracts between a provider and a customer contain an indemnification clause, which protects the provider from legal action or damage for certain events.
"Every vendor, especially at the level of Kronos," is going to seek an indemnification clause that benefits them in their contracts, Matthew Warner, CTO, and co-founder at detection and response provider Blumira, told Cybersecurity Dive. "They're going to do as much as they can to make sure that if something goes wrong, and if there is any sort of interruption associated with it, they're indemnified for it."