Have you by chance recently received an email from your company’s CEO requesting copies of employee W-2 forms? If so, don’t respond without first verbally confirming that the request is legitimate. Several of our clients in Pennsylvania have reported receiving such fraudulent emails. These emails are part of a broad “spoof” scheme launched by computer fraudsters with the goal of gaining unauthorized access to individual tax records. The emails are typically sent to HR professionals from a high-ranking company officer and “kindly request” a file containing employee W-2 forms. The thieves then use the personal information on W-2 forms (i.e. names, addresses, social security numbers, and earnings information) to file false tax returns and commit other forms of identity theft. This scam is not limited to central Pennsylvania. On March 1, 2016, the IRS issued a notice alerting employers of the scheme. The IRS notice contains additional information and can be viewed by clicking here.
If you suspect your company may have released W-2 forms or other personally identifiable information to unauthorized parties, be sure to promptly comply with federal and state laws governing data breach notifications. Companies with employees in multiple states will need to comply with the varying requirements of each state. If you have any questions regarding your obligations under data breach notification laws, please contact any member of the McNees Privacy & Data Security Group or the McNees Labor and Employment Practice Group.