A former employee of food producer Cargill has sued the company and its timekeeping software and hardware vendor UKG, alleging the employer failed to pay him and other nonexempt workers for all hours worked, including overtime, as a result of a December 2021 ransomware attack against UKG (Ellis v. Cargill Meat Solutions, No. 4:22-cv-00864 (N.D. Texas Sept. 26, 2022)).
The suit alleged that, amid the outage that resulted from the ransomware attack, Cargill issued paychecks either based on scheduled hours or estimated hours, or that it duplicated checks from prior pay periods.
As a result, the employee claimed nonexempt hourly and salaried workers were paid less than they were due for the hours they worked in a given workweek, including overtime hours, in violation of the Fair Labor Standards Act.
“Even if certain overtime hours were paid, the pay rate would be less than the full overtime premium,” according to the suit. “Many employees were not even paid their non-overtime wages for hours worked before 40 in a workweek.”
A spokesperson for Cargill confirmed the litigation in email to HR Dive. “While we can’t share specific details regarding the litigation, we can share that Cargill put alternative systems in place during the Kronos outage to pay our employees on time and conducted a full pay reconciliation process when the system was restored,” the spokesperson said.
The suit is the latest in a series of legal actions filed in response to last year’s Kronos outage. July saw two major suits against employers — West Virginia University Medical and automaker Honda, respectively — alleging improperly calculated hours and missed pay after UKG’s software went dark.
2021’s outage affected a UKG product known as Kronos Private Cloud and persisted for several weeks until the company completed the first phase of its recovery process on Jan. 22. But some employers waited even longer before producing clean payrolls free of any discrepancies introduced by contingency processes.
Following restoration of Kronos Private Cloud, employers who spoke to HR Dive previously said they planned to retain UKG as their payroll and timekeeping solutions vendor, with some noting the extensive training that switching vendors might require. But the aftermath nonetheless caused some observers to question whether employers were prepared for cybersecurity incidents involving their vendors and the liability issues that could follow.
In Cargill, the plaintiff alleged his employer paid based on estimates of time or pay, or “based upon arbitrary considerations,” rather than actual hours worked and regular pay rates.
Separately, the plaintiff alleged negligence on the part of Cargill and UKG with respect to the companies’ collection and storage of sensitive personally identifiable information, arguing that UKG “had a duty of care to Plaintiff to exercise reasonable care” in handling his information and protecting it from being compromised.
The plaintiff requested compensatory, punitive, exemplary and statutory damages, among other relief, and sought an order certifying a collective action for his FLSA claims.