January 31, 2023

Volume XIII, Number 31


January 30, 2023

Subscribe to Latest Legal News and Analysis

Fraud, Data Breaches Continuing to Crush Federal and State Unemployment Benefit Departments, Pennsylvania’s Next?

Few want to get past the COVID-19 pandemic more than leaders of federal and state unemployment benefit departments. For the last 2 years they have been successfully targeted for fraud and data breaches, racking up billions in losses. Thousands of employees across the country, including yours truly, have had false claims submitted in their name.

Why is this happening? It appears to be a combination of factors, most leading back to one driving force – COVID-19. Congress’ passing rich unemployment compensation benefits to offset the economic carnage stemming from the pandemic created a significant incentive for criminal hackers, specifically the Pandemic Unemployment Assistance (PUA) program. During the same time, the numbers of workers in state unemployment offices went down due to layoffs, while the number of applications for unemployment benefits skyrocketed. Couple that with an expansion of benefits to workers without traditional pay stubs (e.g., gig workers) making verification harder, and data security gaps and challenges regularly facing state agencies and organizations generally, and there is a perfect storm for fraud and data breaches to proliferate.

Here’s a rundown of just some of the losses reported by Yahoo!news:

  • Oregon – $24 million in 2020

  • Washington – $646 million in 2020

  • California – $20 billion, since the start of the pandemic through October 2021

  • Federal – $87.3 billion since the start of the pandemic through September 30, 2021, per the DOL (relying on a historical improper payment rate of 10%).

What are some of the effects? There is, of course, a significant loss of taxpayer dollars, not to mention all the time spent trying to resolve the fraud, getting the much-needed benefits to those whose benefits were delayed due to the fraud, and implementing stronger controls.

With so many employees learning of and reporting false unemployment claims being submitted in their name, employers across the country have had to jump into to help. Frequently, many employees at a single company reported fraud at the same time, making it seem as if the company was the victim of a breach. While it is always important to appropriately investigate suspected data incidents, a compromise to the employer’s systems generally was not the reason for the employees’ reports in these cases.

Is it coming to an end? Maybe not. On Friday, Pennsylvania’s Department of Labor and Industry (L&I) reported it is investigating “sophisticated attacks” on its systems. According to reports,

unemployment recipients stopped receiving their checks, and that L&I telephone agents told they were among numerous Pennsylvanians whose direct-deposit banking information had been changed

What can affected organizations and individuals do? Affected federal and state agencies have been and continue to be taking steps to minimize these attacks and the resulting fraud. One of those steps is to deploy facial recognition technologies to more strongly verify the the identities of claimants. By late summer, more than half of the states in the U.S. have contracted with ID.me to provide ID verification services. For private sector organizations, the deployment of such technologies to verify identities of customers and employees faces a growing web of regulation.  Other efforts to curb this kind of activity includes steps all organizations might consider, like enabling multi-factor authentication (MFA). This is something the PA L&I wished it did. Hopefully, pandemics are not regular occurrences. But planning for business interruption is critical.

For organizations and their employees affected by unemployment fraud, it is important to quickly report incidents and follow recommended steps by the applicable agency. Below are just a few of the online resources that may be helpful.


Jackson Lewis P.C. © 2023National Law Review, Volume XII, Number 24

About this Author


Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890