Pension / payroll data breach
Employee SSN/SIN, banking, and pension data exposed.
The scenario
Your payroll provider, pension administrator, or HR system is breached and employee data is in scope: SSN/SIN, banking, salary history, pension entitlements.
Who this is for: HR director, CFO, CAO, union representatives where applicable.
First steps
- 1. Notify the payroll/pension vendor and request scope (First hour)
  Get written confirmation of which employees and which fields are affected.
- 2. Brief the union(s) (First hour)
  Most collective agreements require prompt notification of breaches affecting member data. Do this before the broader notification to avoid grievances on top of the breach.
- 3. Arrange credit monitoring (First day)
  Standard expectation in most jurisdictions; usually 12–24 months. Vendor often pays; confirm in the contract before announcing.
- 4. Reset direct-deposit accounts at higher-risk individuals' request (First day)
  Some staff will want to change banks; help, don't gatekeep.
Continuity of service
- Hold sensitive HR processes (new hires, terminations) for 48 hours where possible to avoid layering changes on the breach event.
Communication
- Individual letter with vendor-provided breach details, credit-monitoring instructions, and HR contact.
- Prompt formal notice per collective agreement.
- Status report in closed session.
Regulator hand-off
- US: state AG, IRS if W-2 data exposed (Form 14039-B), pension regulator.
- Canada: provincial privacy commissioner, CRA if T4 data exposed, provincial pension regulator.
FAQ
Required by law in some US states and increasingly the de facto standard everywhere else. Negotiate the cost into the vendor's incident-response obligation before signing anything.