We’ve had several questions lately regarding “mixups” with mailings of W-2 forms, and whether certain situations are really “data breaches.”
Some Attorneys General are taking the position that the employer is responsible for providing notice to affected individuals (employees and former employees) and for providing the required AG notice letters in the event that tax forms containing personal information are misdirected or otherwise compromised, even if the actual mailing is done by a mail house or third-party service provider. It is considered to be a "data breach" under the applicable statutes. Situational examples after the jump...
Example #1: Your company's HR department receives a call from a former employee saying that she received her envelope with her W-2 form, and someone else's form was also in there. Apparently, your payroll processing service double-stuffed the envelopes, so that in each run of W-2 forms, two were stuck together and stuffed into one envelope. You've started hearing from others with the same experience.
Example #2: Your company uses a third party processor that sends all of the individual W-2 forms to you in separate envelopes, along with the employer summary sheets, and your company distributes (or sends) the individual forms out. The overnight package arrives apparently opened and re-sealed, and the employer summary sheets appear to have been tampered with.
In either case, there has been "unauthorized access" to personal information, the trigger for data breach notices under state data breach notification statutes. Mintz Levin provides updated lists of the state data breach legislation here. The more widely dispersed your workforce, the more attention you will need to pay to the laws of the various states. In some states, the notification statute applies only if the personal information is in electronic form. In others, it applies to personal information in any format. You'll also need to be sure that the notices are provided to the proper parties in a timely fashion. Some states require that notice be provided within 7 days of a breach.