Sunday, October 11, 2009

Strategies for Managing Client Relations in the Aftermath of a Payroll Data Breach

By Logan Cashwell

Preface: Having managed my piece of a small payroll breach in the past, at a former employer, I am sharing much of what we learned by experience, and some things I would – in retrospect – have done differently. Privacy laws vary from state to state, so initially I would recommend consulting with your legal counsel, and with your insurance carrier. Legal advice will be useful, and your insurer may just have some tips for you to assist in limiting your potential liability.

What if. What if one of your clients’ year-end packages were to be inadvertently delivered to the wrong address and opened by another of your clients due to a mislabeled envelope?

What if. What if your laptop were stolen with a backup copy of your payroll data or software system loaded on it?

What if. What if a disgruntled employee were to re-direct tax or direct deposit payments into their own accounts and disappear before the details came to light?

There are any number of nightmare scenarios we could dream up that could (and should) cause your guts to twist into a knot when it comes to client data and the potential fallout that would result from a breach. Currently in our industry, a scenario is being played out where the worst possible situation in customer relations has landed in a large number of bureaus’ laps. This scenario is the breach or perceived breach of their online payroll software system, and possibly client data.

Now, know this – this article is not intended to indict those recently caught holding the bag on this. This is about how you, if you are affected by this scenario or a future scenario like it, can be prepared to respond. You MUST be prepared to respond to your clients, because regardless of the precautions taken by all software and hardware vendors, ‘black hat’ hackers work night and day to find (or drill) holes into the security layers of online systems. The attitude that must be taken is, when – not if.

Where to begin?

#1 Unplug your phone, internet connection, and close your door. Now, run around screaming madly with your arms flailing in the air and, if you’d like, froth at the mouth a bit.

#2 Calm down. You’ve had your 5 minutes of private time to execute your personal panic attack. Now it is time to figure this thing out and keep your business from derailing.

#3 ACT NOW! Because no one likes this kind of surprise. YOU must be the one to break the bad news to your clients. If not, you have lost control of the information flow, and possibly the client.

We are in a high-touch business. This is how the small to mid-sized payroll service bureau butters its bread. This being said, you cannot allow a breach in your security to drive you into ‘ostrich’ mode. If you bury your head in the sand, that is admitting defeat to your clients. What is required of you is complete transparency.

Now, as we look deeper into this, keep in mind that I’m aiming at the worst-case scenario: Bureau, Client, and Employee level data being exposed:

  • Bureau trust account balances
  • Account & Routing numbers
  • Who has a garnishment and the agency being paid
  • …all things payroll





I am not talking about broadcasting your woes in the local paper. I am talking about transparency with the affected clients. Why do we need to get personal on this? Why not just send out a form letter? So the client, who may or may not have found out about this from a third party, or the Internet, will respect you – rather than broadcast your silence as failure to prospective future clients.

The last thing that someone who, let’s face it, is responsible for this mess needs is to seem devious or opaque. Yes, the buck stops with you in the client’s mind – regardless of who might be fundamentally responsible for the core of the problem. You can educate the client regarding the source of your pain, but you cannot be seen as trying to pass off the blame.


What can you do to maintain your integrity with your clients? Respect them. If you hide, you will lose their respect. Be proud of your business, but not so proud that you cave in to the natural urge to sweep the problem under the rug. Bottom line, respect them – and you will have a better chance at retaining their respect, and their business.

In this business, a phenomenal amount of trust is placed in your ability to manage a complex process for your clients. You are moving money, paying employees, handling massive liabilities owed to various state and federal agencies. Don’t let the normality of this process in your day-to-day operations cause you to grow callous to the impact that this duty (if failed) can have on your individual clients. Reflect upon this, put yourself in their shoes, and let the feelings that wash over you guide your actions.


Plan for recovery and the continued growth of your business and client base. This too shall pass.

If you execute a perfect plan (FYI – there are no perfect plans) you should expect a handful of clients to leave you without even talking to you. What you need to prepare and execute in real time is an immediate communication plan with all of your clients to engage with them in an open conversation regarding the situation you’ve found yourself in with them. Yes, you get to call all of your affected clients, and hopefully visit a number of them in person. Build the relationship THROUGH the troubled waters of this crisis. If there were ever a time to ramp up the ‘high touch’ side of your client relations plan, it is now.

When all is said and done, you will hopefully have a story to share about how you took care of your clients, took care of their employees, and learned from the experience.


With any luck, you’ve read this far for future reference, not immediate execution. I hope that what I have written here is a helpful starting point for recovering from a serious data breach. Bottom line, take care of your clients first – and with a little luck, they will continue taking care of you.

Beyond the management of the client relationship, here are the three areas that I would initially be focused upon if I found myself in this type of a situation:

  • Figure out what you know – get your facts down (and then call your lawyer, once you know the details). Do not get caught unable to answer your clients’ questions regarding their data.
    • Depending upon the type of data that has been compromised, you may need to prepare yourself for an expense related to purchasing ‘insurance’ for each of the employer’s employees protecting them against identity theft.
  • With your information gathered, begin by writing down and practicing a 5-minute ‘elevator’ speech on the subject.
    • Do this so that your story remains consistent and real, and you sound confident. This is important, because if your information flow is disjointed, you will begin to sound like you have lost control of the situation, which is unacceptable as seen from the client’s point of view. Perception is everything, and you need to be perceived as someone who is on top of the situation from the beginning to the end.
  • Determine what measures you can take to ensure that this is never repeated.
    • If the cause was a process-based mistake within your operation, such as mislabeled packages, it is time to tighten up the process.
    • If the cause was lost data due to the physical loss of the media upon which it was stored, be it laptop, flash drive, server, etc., it may be time to consult with your IT and security folks about hardware-level encryption and operational changes that ensure the safety of your data within your organization.
    • If your software/hardware vendor was the root of the problem, ensure that corrective measures have been put in place, and that you have written acknowledgement of such measures. If the vendor is non-responsive, perhaps it is time to look for a new vendor.


  1. Logan,

    Nice job on this - from what little I know, sounds like good advice. Dennis

  2. Logan, I love your articles! So happy I am on the timekeeping side now. Been there - Done that!

    Your Fan,