What would you do if you got an email from your CEO, asking you to provide a report of taxable stock plan transactions, including employee IDs—stat? A) Respond with the requested information as quickly as possible or B) forward the email to your IT department for investigation?
As it turns out, B might be the correct answer.
Phishing Scheme Targets Payroll and HR
If you are on the IRS’s mailing list, you know that it’s once again that time of year when the IRS sends out alert after alert about tax phishing schemes. Most have nothing to do with stock compensation, but a recent alert hits a little close to home. A new tax phishing scheme targets payroll and HR personnel. In a phishing scheme, a scammer masquerades as a representative of a legitimate business to trick people into giving out personal information that the scammer can use for illicit purposes.
This phishing scheme involves an email that purports to be from the company’s CEO or other executives and requests that the recipient provide employee data, including personal and W-2 information.
According to the IRS, the email may include the following (or similar) requests:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary) as at 2/2/2016.
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Kindly?
It seems to me that the big giveaway here is the use of the word “kindly” in the above requests. What executive ever used that word when asking for a report ASAP?
Let’s Be Careful Out There
While the schemes don’t yet seem to involve stock compensation, payroll and HR aren’t that far removed from stock plan administration. Some of my readers probably wear both hats. It’s always a good idea to verify any unusual requests from executives and to make sure that any personal data for employees, including compensation data, is transmitted in a secure manner, especially if that data includes employee identifiers, such as names and ID numbers.
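As an added illustration that is not part of the post or the IRS alert, here is the kind of check an IT department might run on a forwarded message: it flags an executive's display name arriving from an outside domain or with a mismatched Reply-To, combined with a request for W-2 or other employee data and the "kindly/asap" urgency language quoted above. The company domain, executive name and both sample messages are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical company details; replace with your own directory data.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}  # display names staff would trust without thinking

# Terms drawn from the three IRS sample requests, plus the "kindly" tell.
DATA_TERMS = re.compile(
    r"\b(w-?2|social security number|date of birth|salary|earnings summary)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(kindly|asap|quick review)\b", re.I)


def score_message(raw: str) -> dict:
    """Return the executive-impersonation indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    sender_domain = addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower() if reply_to else sender_domain
    flags = {
        # A known executive's name on an address outside the company domain.
        "exec_name_external_sender": name.lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN,
        # Replies silently routed to a different domain than the visible sender.
        "reply_to_mismatch": reply_domain != sender_domain,
        "requests_employee_data": bool(DATA_TERMS.search(text)),
        "urgency_language": bool(URGENCY_TERMS.search(text)),
    }
    # Header trickery alone is noise; header trickery plus a data request is the scheme.
    flags["suspicious"] = (flags["exec_name_external_sender"]
                           or flags["reply_to_mismatch"]) and flags["requests_employee_data"]
    return flags


# Constructed sample modelled on the IRS wording (not a real message).
PHISH = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: Jane Doe <ceo.office@example-mail.net>
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""

# Constructed benign request from the real executive address.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Board deck

Please send me the Q1 board deck when it is ready.
"""
```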
– Barbara
Tags: controls, data protection, data security, internal controls, IRS alert, phishing scheme
California is serious about privacy–so serious that it’s an “inalienable right” in the California constitution. This should give consumers–and employees–in California an extra bit of confidence that their own personal information won’t fall into the wrong hands. It does, however, create some rather frustrating experiences when a California resident actually wants his or her personal information to be transferred out of the state. For example, if you are a resident of California you may find yourself at an out-of-state bank branch talking to a perfectly nice teller who insists you don’t have an account until you admit you are from California, at which point he will say, “Oh…California. Why didn’t you say so?” In this respect, California may have more in common with the EU or Japan than with the rest of the United States.
Aside from the quirky anecdotes that data privacy laws provide, there are serious considerations for companies with international (or California) subsidiaries. HR, payroll and equity compensation practices must ensure that the very essential, but also very private, employee data is transmitted without violating applicable laws. Payroll considerations can be accomplished with relative simplicity compared to equity compensation by virtue of local payroll processing. The distinct difference for HR and stock plan management is that most companies want to house relevant information in one central location or database.
Consent
Just like my fun bank experience, this is an instance when employees should want to have their information transmitted–after all, it’s going to create a tangible asset for them. But, operating on the idea that you have a right to access the necessary information to create and manage grants for your employees isn’t enough. In many locations, employees must actually consent to have their personal information sent to you and also sent on to the broker who will ultimately facilitate transactions for them.
Compliance
The burden for ensuring your company policies are compliant with data protection laws hopefully falls on your legal team. However, ensuring that equity compensation practices adhere to those policies is an ongoing consideration for stock plan management teams. Here are three important areas to consider when it comes to data privacy:
- Incoming data – exactly what information about employees you collect and house in your stock plan administration database, and how you access that information
- Outgoing data – each instance where individual private information must be transmitted out of the stock plan administration database
- Communications practices – when and how you send personal information back to your employees
Once you have established that your current practices are compliant, keep data protection in mind any time you are going to engage in a one-off situation involving the transmission of personal information. If you are in a merger situation, have opened a new office, or are partnering with another department to perform a data audit, these are all examples of situations where taking a moment to confirm that you are maintaining compliance with data privacy laws is a good idea.
Resources
The NASPP’s Global Stock Plans portal has several matrices that include data privacy issues companies should consider internationally. They can be found along the left column of the portal. We also have an update from Latham & Watkins on data privacy and protection in Germany, the UK, and Spain, prompted by the draft Federal Data Privacy Act being considered in Germany. The Act could place more stringent qualifications on obtaining employee consent to collect and distribute personal information.
-Rachel
Tags: data privacy, data protection, Global, HR, International