As if an HR professional’s role isn’t already fraught with peril, it’s important to guard against the inadvertent disclosure of sensitive information contained on employee W-2 forms.  While that’s common sense, what’s new about this risk is the strategies scammers use to fraudulently get to the information. Some try faking emails that look like they’re coming from a legitimate source, like your CEO. Others can actually scan data that you haven’t adequately protected.

Another common way that an employee’s personally identifiable information (“PII”) gets exposed is when an HR professional leaves a W-2 on an employee’s unoccupied desk or chair for later retrieval.  The days of simply leaving PII in a sealed envelope are long over. Don’t do it.

Standard operating procedures in the HR Department should include keeping employee PII protected, whether it’s in a hard-copy personnel file, in a cloud-based filing system, or on a W-2 form.

From a cybersecurity perspective, if the worst happens, there’s a speedy way to alert the IRS of lost employee PII.  Email dataloss@irs.gov and follow the instructions set out by the IRS on its website.  The IRS provides other useful guidance about reporting and thwarting internet theft. Remember, you may have other reporting requirements, as well so check with risk management and your legal counsel right away.

Finally, don’t let all the attention on cybersecurity get in the way of solid, common-sense office practices. Although it might take a few more minutes, personally deliver W-2s directly to employees and don’t leave them lying around, even if the area appears secure.

For guidance on helpful standard operating procedures for the HR professional, feel free to contact the attorneys at The Coppola Firm.