“All hands on deck” for HR teams while the failure of Kronos drags on
An ongoing downtime at HR provider UKG affecting time and attendance and payroll software is upsetting some employers and others seeing business continuity plans in a new light.
The company reported last week that a ransomware incident took several of its Kronos branded services offline and that “it can take up to several weeks to get system up and running”. In a statementUKG’s CEO recommended that customers implement alternative business continuity protocols.
“It’s going to be a big deal for some companies,” Elizabeth Chilcoat, a Sherman & Howard employee, told HR Dive. Employers have to be able to react quickly: “Everyone’s hands on deck here to identify and solve problems.”
HR departments that typically rely on automation for the tasks involved may need to provide temporary assistance, Chilcoat said. “It’s a terrible thing to happen so close to the end of the year when people want to take time off [or] slacken off a bit. “
At the same time, the failure is “a sober reminder” of the importance of backup plans for automated HR functions, says Kevin Jackson, Associate at Foley & Lardner LLP, wrote in a blog post for the company.
The disruption affected Kronos’ planning, time recording and payroll products. It has led some employers to ensure that employees are paid properly and on time, NPR reported – for both employee needs and compliance with wage and working time laws.
The New York Metropolitan Transportation Authority, for example, said in a statement that it is working with payroll and time attendance experts to find alternatives and ensure employees continue to receive their wages. The New York Post reported.
Others seemed to have a continuity plan: a hospital in Texas said local media that it activates existing procedures.
And then there are those who focus on stopgap solutions. The University of Utah, for example, told workers that while paychecks are issued on schedule, “there may be adjustments at a later date to reflect corrections if needed,” perhaps an indication that they are in favor of one Jackson highlighted The way to decide: the calculation of wages based on booked rosters, past payroll cycles or badge swipe owed and payments adjusted as soon as the correct working hours can be determined.
Others may try to migrate data to a new platform when they have the appropriate information. Kronos competitor deputy, for example, announced that it would offer its services for Kronos customers free of charge for the duration of the failure.
Regardless of the route chosen, affected employers should immediately ask workers to report hours worked if that information is lost, Chilcoat said. People’s memories will deteriorate over time, so it’s best to act quickly, she explained. And employers should maintain a backup reporting method until the outage is resolved. Paper timesheets are fine; the most important thing is accuracy, She said.
Employers must also prepare immediately to weather multiple payroll cycles on their own, Chilcoat said, citing Kronos’ projected schedule to get back online. Some companies will still be able to make direct deposits, she said, while others may have to resort to conventional checks. While federal agencies only require “timely” payment, many states have tough deadlines, she pointed out; “You don’t have a lot of time to figure out how to pay employees.”
After that, it’s important to make sure that open registry efforts aren’t compromised, noted Chilcoat. It is vital for any organization still in this process to verify that the employee elections have not been lost and that those who have not yet completed the process have the opportunity to do so. Leave of absence and any certifications tracked by the vendor also need to be addressed, she continued, recommending that HR recognize that there will be bugs and plan to address all of these issues with “employees with some decency treat”. “This will help prevent discrimination and retaliation from emerging,” she said.
Finally, HR may need to take steps to resolve the data breach. While ransomware can restrict system access, there are cases where malicious actors gain access to data. Employers in this area are subject to a patchwork of state laws, so if they were concerned, “I would call an attorney who specializes in data breaches,” Chilcoat said. Some laws require companies to report violations to victims or authorities, and penalties can be imposed if not done in a timely manner, she continued. “Even if you are not legally obliged to do so, you generate goodwill,” she said with hints, even if you do not yet know what data may be involved.
Employment professionals have long extolled the benefits of business continuity planning, often focusing on weather events closing facilities or, now, a pandemic affecting labor availability. But as cybersecurity events become more severe, according to a January report, such aspects may need to be considered when planning the scenario.
The good news is that HR professionals may support such efforts as cybersecurity risks have become a priority for many in the C-suite, so Cybersecurity dive reports. The difficulty, however, lies in predicting the unpredictable, recently partnered with consulting firm Mercer wrote for HR Dive.
Chilcoat predicted, among other things, that employers will increasingly seek to negotiate compensation for cybersecurity attacks in software contracts. It may be an uphill battle, she noted, but HR should at least work to understand who the data belongs to in such partnerships. For example, it is important that the HR department is able to download data and maintain a local copy. “This is a best practice whether or not there has been a data failure,” she said, as it is useful when switching providers or during a legal dispute.
It’s a lesson Chilcoat predicted today to reshape future HR functions: “I think we’re going to see more and more companies saying that storing data in the cloud is all well and good, but I want to [backup in case] there is another software failure. “