Dive Brief:
- An assisted living facility firm failed to show that payroll vendor UKG committed gross negligence and fraud during the 2021 Kronos outage, a California federal judge held Wednesday.
- Aegis Senior Communities LLC alleged that UKG was negligent in failing to prevent or appropriately respond to the ransomware attack that caused the outage. But Judge Araceli Martínez-Olguín of the U.S. District Court for the Northern District of California found that both parties foresaw the possibility of economic losses resulting from a service outage, noting contractual language between the two parties stating that “services are not guaranteed to be error free or uninterrupted.”
- Martínez-Olguín also found that California’s “economic loss rule” — which bars negligence claims asserting purely economic losses that arise from a contract between parties — applied to Aegis’ negligence and fraud claims. She said Aegis’ agreement with UKG specified recoverable damages from an outage in the form of service credits. Martínez-Olguín granted UKG’s motion to dismiss Aegis’ claims with prejudice.
Dive Insight:
Experts have described the ransomware attack against UKG’s Kronos Private Cloud product as one of the worst to hit HR departments in recent memory. The incident continues to reverberate in the courts, and both UKG and its clients have faced lawsuits from affected parties, most of which have resulted in large settlement payments.
UKG, for example, agreed last year to pay up to $6 million to a class of employees of UKG customers that were affected by the outage, including employees whose data was stolen in the attack. The company denied any wrongdoing at the time the settlement was announced.
Multiple large employers have settled wage-and-hour claims stemming from the outage. Frito-Lay did so in June, though terms of the company’s agreement with current and former hourly employees were not disclosed. Health system UMass Memorial Health — whose payroll and timekeeping systems were offline for more than one month due to the outage — agreed to pay $1.2 million to affected workers.
Per the court’s decision in Aegis Senior Communities LLC v. UKG Inc., the terms of the parties’ contract set forth service credits as the “sole and exclusive remedy for services outages” and waived indirect as well as consequential damages related to an outage. The contract also “limited the scope of indemnification that Kronos could be responsible for.”
Analysts have previously highlighted contractual language around indemnification as a key focus of litigation resulting from the Kronos outage, according to HR Dive sister publication Cybersecurity Dive. The same analysts noted that legal responsibility for cyberattacks can be opaque due in part to uncertainty about why and how such attacks occur.