Personally Identifiable Information

Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax season phishing scam designed to steal employees’ tax related information and social security numbers. Given the regular frequency of these types of attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”).  At a minimum, Human Resources should have in place written policies regarding the handling of employee PII and provide training designed to protect employee PII against a data breach.  Because Human Resources works with employee PII on an everyday basis, it may be the best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.

On February 2, 2017, the IRS issued an urgent alert to employers regarding a phishing scheme intended to steal employees’ tax related information to commit identify theft and tax fraud. The IRS reports that the scam involves spoofing an email to make it appear as if it is coming from an organization’s executive.  The email is sent to an employee in the Human Resources or Payroll departments, requesting a list of employees and their Forms W-2.  The IRS reports that the phony email may also request the names and social security numbers of employees with their addresses and dates of birth.  Since the email is disguised to be from an internal email address, should the HR or Payroll employee respond with the information it will actually be sent out of the organization to a cybercriminal.  The phishing scam is presently targeting healthcare organizations, shipping companies, school districts, restaurants, and temporary staffing agencies.

What preventative steps can be taken to guard against these attacks? Human Resources should ensure that policies and procedures are in place requiring that the sending of employees’ confidential tax related information by email only be done with 100% confidence that the intended recipient is within the organization and has requested the information. Indeed, the IRS advises that employers consider adopting written policies that govern the electronic distribution of confidential employee Form W-2s and tax related information.  One simple protective measure may be that a phone call confirmation is required before hitting the send button.  As a general matter, employers should have in place comprehensive written policies and procedures that govern the electronic sending, receiving and storage of confidential personnel related PII and provide workforce training to protect against data breaches and fraudulent schemes.  In addition to procedures verifying that the recipient of sensitive PII is actually within the organization, employers may also want to consider technologies providing for use of encryption when sending personnel related PII by email.  The maxim that “an ounce of prevention is worth a pound of cure” is in full effect here since a well thought out strategy is the best defense.