Kronos Cyber Attack Sparks Lawsuits Against Employers

New lawsuits show how third-party cybersecurity breaches can lead to problems for organizations that use those products/services.


Like malware and computer viruses themselves, the consequences of cyberbreaches have a way of spreading in unpredictable ways.

A recent ransomware attack on third-party payroll and timekeeping software provider Kronos has led to several wage-and-hour class actions in recent weeks against everyone from PepsiCo to The Giant Company, alleging that the hack resulted in overtime pay violations for hourly workers.

As of April 6, there have been seven lawsuits (most in April, though a few were filed in late March), all stemming from the December 2021 cyberattack on Kronos.

While plenty has been written about potential cyber liability exposure for companies whose vendors are compromised, this latest crop of litigation shows how third-party cyberbreaches can also lead to other causes of action, such as labor & employment claims.

All of the complaints allege that hourly employees were shorted on overtime pay as a result of the Kronos breach.

Johnson Controls International, an Ireland-headquartered building equipment manufacturer, was sued April 3 in the U.S. District Court for the Eastern District of Wisconsin on behalf of a putative class of current and former non-exempt hourly employees. The case is Henderson v. Johnson Controls, Inc.

Frito-Lay North America Inc., a subsidiary of PepsiCo, was sued April 4 in the U.S. District Court for the Eastern District of Texas. The suit was filed on behalf of a putative class of current and former non-exempt hourly employees.

PepsiCo itself has been sued three times so far:

That same day, a suit was filed against Baptist Health Systems in the U.S. District Court for the Middle District of Florida on behalf of current and former non-exempt hourly employees. The case is Mitchell v. Baptist Health System, Inc. 

Also on April 4, The Giant Company LLC, parent company of the Giant supermarket chain, was sued in the U.S. District Court for the Middle District of Pennsylvania, again on behalf of current and former non-exempt hourly employees.

Many of the complaints are very similarly worded, alleging that, after the Kronos breach in December 2021, defendants “could have easily implemented a system for recording hours and paying wages to non-exempt employees until issues related to the hack were resolved,” but didn’t.

Some complaints allege the defendant employer “made the economic burden of the Kronos hack fall on frontline workers—average Americans—who rely on the full and timely payment of their wages to make ends meet.”

Similarly, another complaint read, “[b]ecause PepsiCo could not access Plaintiff’s and the members of the putative Class’ and Collective’s time records during the outage period, and because PepsiCo failed to adopt and have in place a functional back-up plan for recording hourly employee time and timely processing hourly employee payroll, PepsiCo could not—and did not—accurately pay its hourly employees during the outage period.”

The class actions, according to the complaints, seek “to recover the unpaid wages and other damages owed by [defendant] to all these workers, along with the penalties, interest, and other remedies provided by federal and [state] law.”

All but one of the suits allege that, by failing to pay overtime, the defendants violated the Fair Labor Standards Act in addition to various state laws.

The New Jersey suit against PepsiCo, however, only claims violations of the New Jersey State Wage and Hour Law.