Just as the year is winding down and many HR professionals are looking forward to well-deserved breaks away from work, Kronos announced that it was the victim of ransomware and that UKG Workforce Central, UKG TeleStaff, Banking Scheduling Solutions, and UKG Healthcare Extensions may be out of service for several weeks. This unwelcome news brings a heap of extra work for the HR teams at companies using the affected services. Here are five things that employers who rely on those services should do right away to deal with the Kronos outage.
- Direct nonexempt employees to use paper timecards. One of Kronos’s most common uses is to track the hours worked by employees. Federal and state wage-and-hour laws require employers to compensate nonexempt employees at a rate equal to at least minimum wage for every hour worked and to pay them overtime at a rate of at least 1.5 times the regular rate of pay for overtime hours. An employer’s ability to do this depends on accurate timekeeping for hourly employees. With Kronos out of service, potentially for weeks, employers need to rapidly pivot to an alternative system. Whether or not your company ultimately devises a different method for electronic timekeeping, in the interim you should instruct all nonexempt employees to write down their arrival, departure, and meal period times daily. The easiest option might be to implement whatever system you used before transitioning to electronic timekeeping. For many companies, this will be a paper timecard. Remind employees to record their time accurately: few people arrive at work at precisely 8:00 am every day and leave at exactly 5:00 pm every day. All employees, including exempt employees, should report their use of paid time off and paid sick leave manually, as well. Employers should retain these manual time and attendance records for at least three years.
- Reconstruct lost timecards and attendance records from the current pay period. There is a chance that employers will not be able to access timekeeping records already entered into Kronos in time for their next paydays. Employers should ask nonexempt employees to reconstruct, as best they can, their hours worked and their time away from work. Exempt employees need to report their use of paid time off or paid sick leave so that their banks can be properly adjusted. Memories are better when fresh, so savvy employers will ask employees to reconstruct their hours worked and time away sooner rather than later. Once employers regain access to Kronos, they may need to make payroll corrections, particularly if an employee underreported time worked. Make any necessary corrections promptly. Consider giving employees the benefit of the doubt in reconstructing lost timecards to ensure employees receive appropriate compensation for all time worked.
- Figure out how to issue paychecks before the upcoming payday. Despite the Kronos outage, paychecks still need to be issued on time. Employers need to develop a plan for how they will do so. Whether a company runs payroll in-house or uses a third-party administrator, if payroll is run based on the data from Kronos, a plan for manually inputting time and attendance information needs to be developed quickly. For employers that have relied on Kronos to calculate amounts owed, this task will be more difficult because the employer needs to identify an alternative method for calculating net pay, determining withholdings, and running payroll. Depending on the employer’s processes, it may be necessary for the employer to provide physical checks even to employees who have previously elected to be paid via direct deposit or on a paycard. Implementing a system that you can manage for several weeks, the predicted duration of the outage, is advisable.
- Address open enrollment. Depending on what open enrollment period your company selected this year, you may still be in the open enrollment period. If that is the case, the employer needs to form a plan for how employees can complete their benefits elections. The employer should also determine whether it has access to elections already made by employees and, if not, ask employees to re-do their elections.
- Determine whether employee data was compromised. Depending on how a company uses Kronos, the system could contain sensitive information about employees. If you have a data breach response plan, now is the time to activate it. All 50 states and the District of Columbia have adopted some form of data breach law governing breach reporting. Colorado requires employers to notify employees and the Colorado Attorney General of security breaches affecting “personal information” in a timely manner. “Personal information” includes, but is not limited to, social security numbers, identification document numbers (e.g., passport number, driver’s license number), biometric data, and information that would permit access to an online account (generally some combination of username, email address, password, security question answers).
These five “to-dos” are only the beginning of the work facing HR to deal with the Kronos outage. Companies that are highly regulated and have a licensed workforce will also need to develop an alternative method for tracking license and credential expiration and renewal; companies that use Kronos to track approved leaves of absence, such as those under the Family and Medical Leave Act, will need to reconstruct the data sufficiently to manage their leave programs; employers that rely on Kronos to track applicants will need to develop a plan for how to move forward in the coming weeks; and companies that rely on Kronos to schedule their workforce will be faced with developing a temporary approach to scheduling. As employers work through the plethora of issues resulting from a long-term Kronos outage, they should seek legal guidance as needed to avoid inadvertently creating larger problems for themselves.