A number of companies suffered collateral damage last winter as a result of a cyber attack on a major provider of time and attendance software. With your timekeeping systems compromised, how do you determine what to pay your non-exempt employees, particularly with a payroll processing deadline looming?
The Governing Principles
To properly pay overtime-eligible employees, you have to know how many hours they have worked. Fair Labor Standards Act (FLSA) rules require employers to maintain and preserve records of “[h]ours worked each workday and total hours worked each workweek.” No particular timekeeping method or form is required, as the rules and U.S. Department of Labor (DOL) guidance make clear. As the DOL explains, “employers may use any timekeeping method they choose. For example, they may use a time clock, have a timekeeper keep track of employee’s work hours, or tell their workers to write their own times on the records. Any timekeeping plan is acceptable as long as it is complete and accurate.” In the lead-up to the FLSA’s passage in 1938, the prevalent timekeeping system for many employers was a mechanical time clock, into which employees physically inserted “punch cards” to record start and stop times. Other employers—then and to a lesser extent now—rely on handwritten timesheets. Today’s technology allows employees to record their hours worked with a mouse click, a press of the thumb on a smartphone or other mobile device, or a fingerprint scan, among other hardware-software combinations.
Knowing how many hours a non-exempt employee has worked in “real time” is crucial given federal and state timing-of-pay laws. For example, under FLSA rules,
"The general rule is that overtime compensation earned in a particular workweek must be paid on the regular pay day for the period in which such workweek ends. When the correct amount of overtime compensation cannot be determined until some time after the regular pay period, however, the requirements of the [FLSA] will be satisfied if the employer pays the excess overtime compensation as soon after the regular pay period as is practicable. Payment may not be delayed for a period longer than is reasonably necessary for the employer to compute and arrange for payment of the amount due and in no event may payment be delayed beyond the next payday after such computation can be made."
If you are among the many employers that uses a computerized or electronic timekeeping system and the system is compromised such that you don’t have ready access to time records, you may struggle to properly calculate pay in advance of an upcoming payroll deadline.
Remediation Strategies and Considerations
The ideal solution (and risk-management strategy) from a legal standpoint is a shadow or backup system that mirrors the time data recorded by employees and is maintained independently, including from an information security standpoint. In the event your primary timekeeping system is down, you can generate your payroll from the data in the backup system, the integrity of which presumably would be as reliable as the primary system. Employers that rely on third-party applications for timekeeping should ask their vendors whether they offer data backup solutions that are not linked to their primary systems for purposes of vulnerability (and, more broadly, for the details of the vendors’ disaster mitigation plans).
Absent a shadow timekeeping system, the employer is left to identify another source to “recreate” hours worked, often on a short turnaround time. In identifying and selecting among alternate sources for this data, employers should be mindful of potential challenges from employees or their advocates. One solution, if administratively feasible, is to ask employees to manually re-record their actual hours worked, with a certification that their records are complete and accurate to the best of their recollection. If some employees work on a fixed schedule, you might be able to predict with a high degree of accuracy how many hours they have worked. Other reliable data sources may exist that can support or confirm other estimates of hours worked, including office/facility access records, system login/logout records, and video recordings. Managers and supervisors may have anecdotal evidence of hours worked by their teams. An employer can combine two or more of these approaches and/or data points to recreate time records (or at least arrive at a reasonable approximation of hours worked).
As a general matter, any process that does not include employee validation will be more susceptible to challenge. Employers that are estimating hours worked are well-advised to include a methodology for employees to verify the estimates, to raise any objections, to otherwise to identify any discrepancies between their estimates and actual hours worked, and to have a process in place to resolve any disagreements.
Often the challenge in recreating time records is one of timing. A systems outage ten days before a bi-weekly or semi-monthly payroll processing deadline may be less cause for alarm than a crash a day or two prior to the deadline, depending on the nature of the compromise and the likelihood of—and timetable for—restoration. Given this, the employer should schedule a meeting with its payroll vendor (or internal payroll processing team) immediately upon learning of a system compromise, and seek assurances both as to the potential for and the timing of data recovery. In the interim, the employer should evaluate its ability to recreate time records for days passed and ensure that it has a substitute system in place for employees to record their time going forward (e.g., an email to their managers at the end of each day noting time started, time ended, meal periods taken, and total hours and minutes worked).
Other Solutions Carry Varying Degrees of Risk
You might ask whether it’s reasonable to rely on historical time records to estimate hours worked during a more recent time period. For example, if an employee has worked an average of 45 hours per week over the last year, can you assume the employee has likely worked the same hours during the week(s) impacted by a timekeeping system outage? You could—but you might be wrong. If you are considering a “past as precedent” approach (e.g., as another data point to corroborate other indicators of hours worked), you should make sure your representative periods are appropriate. For example, if your system is down during a seasonally or otherwise busy period for the impacted employees, using a trailing average that includes non-busy workweeks may not generate reliable results. On the other hand, looking only at the same workweeks in prior years isn’t likely to generate a sufficiently significant number of data points for comparison purposes—particularly for employees who have not been with the company for many years.
What about adding an extra amount of money in each affected employee’s paycheck, as a “hedge” against under-paying? This—combined with an honest explanation of the circumstances—may well buy you some goodwill with employees. But to mitigate the risk of legal claims, it has to be done in a particular manner. For example, simply adding a one-time, line-item payment to an employee’s paycheck may have the unintended effect of increasing the employee’s “regular rate of pay” (and therefore the overtime rate) for the workweek without mitigating potential underpayment of overtime pay.
The FLSA rules strictly limit the types of payments that may be used as a credit to offset overtime liability. On the other hand, nothing prohibits an employer from paying a higher amount for an overtime hour that the law requires (the FLSA states that each overtime hour must be paid at “a rate not less than one and one-half times the regular rate”). So instead of just paying a “bonus” or other one-time payment to mitigate risk, the more strategic approach is to pay the amount specifically designated as “overtime pay.” In a worst case scenario (assuming its estimates of hours worked are somewhat accurate), the employer will have simply paid more for each overtime hour—as opposed to the “double trouble” approach of both underpaying overtime and increasing the regular rate of pay and therefore the value of each overtime hour.
Do Our Contracts With Vendors Protect Us?
Unfortunately, reliance on third-party time-and-attendance software or payroll administration won’t protect you from employee lawsuits for the late payment or underpayment of wages. As a general matter, the employer is the entity with responsibility for compliance with wage and hour laws. In addition, most third-party vendors of workforce solutions specifically disclaim a joint employment or co-employment relationship with their client’s employees. Even if the vendor was deemed to be a joint or co-employer of the impacted workers, both you and your vendor would likely be deemed jointly and severally liable under the wage and hour laws—which essentially means either company could be sued and found liable for the full amount of damages. (While the U.S. Department of Labor withdrew its joint employer rule in its entirety last year, any new rule is likely to include the principle in former 29 C.F.R. § 791.2(e)(1) that “[f]or each workweek that a person is a joint employer of an employee, that joint employer is jointly and severally liable with the employer and any other joint employers for compliance with all of the applicable provisions of the [FLSA], including the overtime provisions, for all of the hours worked by the employee in that workweek.”)
Communication is Key
As with so many other workplace issues, early and open communication with impacted employees—combined with regular updates as to the status of remediation efforts—can go a long way in creating and maintaining trust and avoiding legal claims and third-party attention. Employers should designate a contact person or team to field questions from employees and to respond in real time. Assuring employees that they will be paid on schedule notwithstanding the system compromise—regardless of how the employer goes about recreating hours worked—should help alleviate what is likely the primary concern in most workers’ minds, particularly for those who rely on a predictable payroll to meet their financial obligations.
Proskauer’s Wage and Hour Group is comprised of seasoned litigators who regularly advise the world’s leading companies to help them avoid, minimize, and manage exposure to wage and hour-related risk. Subscribe to our wage and hour blog to stay current on the latest developments.