Strategies for Managing Client Relations in the Aftermath of a Payroll Data Breach
Preface:
Having managed my piece of a small breach in the past, at a former employer, I am sharing much of what we learned by experience, and some things I would – in retrospect – have done differently. The privacy laws vary from state to state, so initially I would recommend consulting with your legal counsel, and with your insurance carrier. Legal advice will be useful, and your insurer may just have some tips for you to assist in limiting your potential liability.
What if. What if one of your clients’ year-end packages were to be inadvertently delivered to the wrong address and opened by another of your clients due to a mislabeled envelope?
What if. What if your laptop were stolen with a backup copy of your payroll data or software system loaded on it?
What if. What if a disgruntled employee were to re-direct tax or direct deposit payments into their own accounts and disappear before the details came to light?
There are any number of nightmare scenarios we could dream up that could (and should) cause your guts to twist into a knot when it comes to client data and the potential fallout that would result from a breach. Currently in the payroll industry, a scenario is being played out where the worst possible situation in customer relations has landed in a large number of bureaus’ laps. This scenario is the breach or perceived breach of their online payroll software system, and possibly client data.
Now, know this – this article is not intended to indict those recently caught holding the bag on this. This is about how you, if you are affected by this scenario or a future scenario like it, can be prepared to respond. You MUST be prepared to respond to your clients, because regardless of the precautions taken by all software and hardware vendors, ‘black hat’ hackers work night and day to find (or drill) holes into the security layers of online systems. The attitude that must be taken is, when – not if.
Where to begin?
#1 Unplug your phone, internet connection, and close your door. Now, run around screaming madly with your arms flailing in the air and, if you’d like, froth at the mouth a bit.
#2 Calm down. You’ve had your 5 minutes of private time to execute your personal panic attack. Now it is time to figure this thing out and keep your business from derailing.
#3 ACT NOW! Because no one likes this kind of surprise. YOU must be the one to break the bad news to your clients. If not, you have lost control of the information flow, and possibly the client.
We are in a high-touch business. This is how the small to mid-sized payroll service bureau butters its bread. This being said, you cannot allow a breach in your security to drive you into ‘ostrich’ mode. If you bury your head in the sand, that is admitting defeat to your clients. What is required of you is complete transparency.
Now, as we look deeper into this, keep in mind that I’m aiming at the worst-case scenario: Bureau, Client, and Employee level data being exposed:
- Bureau trust account balances
- Account & Routing numbers
- EIN/FEIN
- Who has a garnishment and the agency being paid
- …all things payroll
Transparency.
I am not talking about broadcasting your woes in the local paper. I am talking about transparency with the affected clients. Why do we need to get personal on this? Why not just send out a form letter? So the client, who may or may not have found out about this from a third party, or the Internet, will respect you – rather than broadcast your silence as failure to prospective future clients.
The last thing that someone who, let’s face it, is responsible for this mess needs is to seem devious or opaque. Yes, the buck stops with you in the client’s mind – regardless of who might be fundamentally responsible for the core of the problem. You can educate the client regarding the source of your pain, but you cannot be seen as trying to pass off the blame.
Respect.
What can you do to maintain your integrity with your clients? Respect them. If you hide, you will lose their respect. Be proud of your business, but not so proud that you cave in to the natural urge to

