A paystub contains more PII than most employers realize: the employee's full legal name, address, the last four (or, on badly designed stubs, all nine digits) of the SSN, earnings, deductions, retirement contributions, and, when the direct-deposit memo carries through, the bank account and routing number a payroll-redirect attacker is after. Federal law imposes no single comprehensive paystub-security standard on private employers: HIPAA's rules cover the health-plan side (enrollment and claims data), not payroll records as such; CISA's identity and access management guidance names role-based access as a default control; and all fifty states plus DC have data-breach notification laws that fire when payroll PII gets exposed. The FTC's small-business cybersecurity page sets the operational floor, and NIST SP 800-88 governs the disposal end.
This guide walks the seven-layer paystub security stack, the eight risk vectors most employers face (W-2 phishing, direct-deposit redirect, shared-drive overexposure, retention overrun, unauthorized portal access, vendor breach, lost device, social engineering), ten state breach-notification laws every multi-state employer should know, the cost-of-breach math for a worked twelve-employee construction firm, and a copy-paste security policy. The seven-layer paystub security stack:
- Encryption at rest (AES-256 minimum) — for every paystub PDF in storage
- Encryption in transit (TLS 1.3) — for every paystub email, portal session, and API call
- Multi-factor authentication (MFA) — for every account with payroll access, every time
- Role-based access control (RBAC) — read/write/admin separated, owner-only delete
- Audit log — every read, write, change, and deletion timestamped and attributed
- Retention schedule with automatic disposal — tied to FLSA + IRS + state statutes
- Secure disposal — NIST SP 800-88 standards for paper, drives, and cloud
The strongest small-business security posture treats paystubs the way HIPAA-covered entities treat PHI: minimum-necessary access, encryption by default, audit-loggable, and disposable on a defined schedule. The MyStubs paystub generator renders structured PDFs that drop cleanly into an encrypted folder, and the paycheck calculator models the gross-to-net side without exposing any historical PII.
Ryan's Phishing Scare
Threaded character for this post: Ryan O'Brien, owner of O'Brien Builders, a twelve-employee residential construction firm in Phoenix, AZ. Three weeks before this post was written, Ryan caught a phishing attempt mid-flight. A "new hire" emailed from a Gmail account that looked vaguely like the actual employee's name, asking to update the direct-deposit account for the next paycheck. Ryan caught it because the request came BEFORE the employee's first day, the employee's HR email was different, and the email signature didn't match the offer-letter template Ryan's office uses. He flagged it, called the employee directly, and confirmed it was an impersonation.
Ryan's reaction wasn't relief — it was a security review. He realized the only reason he caught it was timing. If the request had come a month later, after the employee was in the system, he might have processed it. He's now hardened four areas: (a) what data O'Brien Builders actually keeps on each paystub, (b) how Arizona's breach notification statute A.R.S. §18-552 would have applied if 12 employee records leaked, (c) employee self-service (ESS) portal access controls, and (d) retention and disposal. The numbers anchor every worked example below.
Ryan's payroll exposure profile:
| Data field | Where it lives in O'Brien Builders | Sensitivity rank |
|---|---|---|
| Full legal name + address | Every paystub PDF + employee file | High (PII) |
| Last 4 of SSN (current paystubs) | Every paystub PDF | High (PII) |
| Full SSN | W-4, I-9, W-2 only | Critical (sensitive PII) |
| Earnings + YTD wages | Every paystub PDF | Medium |
| Pre-tax + voluntary deductions | Every paystub PDF | Medium |
| Bank account + routing number | Direct-deposit authorization form only | Critical (financial PII) |
| 401(k) deferral percentage | Paystub + provider record | Low–Medium |
| Health insurance enrollment | Paystub + benefits enrollment record | Medium (HIPAA-adjacent) |
The twelve-employee scale matters because Arizona's A.R.S. §18-552 requires written notice to affected individuals within forty-five days of breach discovery, and notice to the Arizona Attorney General and the three consumer reporting agencies if more than 1,000 individuals are affected. At twelve employees the AG-notice threshold isn't triggered, but the individual notice requirement is non-negotiable. If Ryan offers credit monitoring, the bill runs roughly $30–$50 per affected employee for one year, a $360–$600 cash hit on a small firm that doesn't carry cyber insurance.
The Seven-Layer Security Stack
The seven layers below are drawn from the Federal Trade Commission's small-business cybersecurity guidance and CISA's IAM page; neither publishes them as a numbered stack, but each layer maps to a control both name for any business holding employee PII. Each layer is independently necessary: the usual path to a breach is one missing layer, not a sophisticated attacker.
| Layer | Standard | What it does | Where Ryan implemented it |
|---|---|---|---|
| Encryption at rest | AES-256 minimum | Renders stored paystub PDFs unreadable without the key, even if a drive is stolen | Google Workspace business tier (drive encryption by default) |
| Encryption in transit | TLS 1.3 | Protects paystub PDFs as they move between portal, email, and storage | HTTPS-only portal; SMTP with TLS for any email delivery |
| Multi-factor authentication | NIST SP 800-63 AAL2 minimum | Stops password-only access to payroll accounts — phishing-resistant where possible | Hardware key (FIDO2) for Ryan; authenticator app for office manager |
| Role-based access control | CISA IAM baseline | Limits who can read vs. write vs. admin payroll data | Three roles: Owner (full), Office Manager (read/write), Bookkeeper (read-only) |
| Audit log | Per-event timestamp + attribution | Records who accessed what, when, and from where | Google Workspace audit log retained 90 days |
| Retention schedule | FLSA 2–3 yr + IRS 4 yr + state | Auto-disposes records past their retention window | Calendar reminder Jan 15 each year |
| Secure disposal | NIST SP 800-88 | Cryptographic erasure for drives, cross-cut shredding for paper | Iron Mountain pickup for paper; certified erasure for old laptops |
The single most-skipped layer at small employers is the audit log. Without one, a breach investigator can't tell whether the phishing email actually touched paystub data or merely tried. With one, Ryan can prove the impersonation attempt never accessed the real direct-deposit authorization form because the audit log shows no read event on that file during the window.
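To make the audit-log argument concrete, here is an added example (not MyStubs code, and not Google Workspace's export format) that answers the two questions a breach review asks first: was the direct-deposit form touched during the window, and did any account that should have been deprovisioned keep reading files (the risk-vector table below calls the second one #5). The JSON-lines layout, the events, the mailbox names and the termination date are all constructed for illustration; a real review maps the provider's export onto these field names.

```python
"""Answer the two first questions of a payroll breach review from an audit log.

Added example; not MyStubs code and not the Google Workspace log format.
The JSON-lines layout, every event and the termination date are constructed
for illustration; map a real provider export onto these field names.
"""
import json
from datetime import datetime, timezone

# Constructed audit log: one JSON object per line, UTC timestamps.
AUDIT_LOG = """\
{"ts": "2026-03-28T14:02:11Z", "actor": "office.manager@obrienbuilders.example", "action": "read", "object": "payroll/paystubs/2026-03-27/lopez.pdf", "ip": "198.51.100.7"}
{"ts": "2026-03-30T09:15:40Z", "actor": "ryan@obrienbuilders.example", "action": "read", "object": "payroll/forms/direct-deposit/lopez.pdf", "ip": "198.51.100.7"}
{"ts": "2026-03-31T16:47:03Z", "actor": "bookkeeper@obrienbuilders.example", "action": "read", "object": "payroll/paystubs/2026-03-27/torres.pdf", "ip": "203.0.113.22"}
{"ts": "2026-04-02T11:20:55Z", "actor": "dana.former@obrienbuilders.example", "action": "read", "object": "payroll/paystubs/2026-03-27/former.pdf", "ip": "203.0.113.90"}
{"ts": "2026-04-03T08:01:19Z", "actor": "office.manager@obrienbuilders.example", "action": "write", "object": "payroll/paystubs/2026-04-10/lopez.pdf", "ip": "198.51.100.7"}
"""

# Constructed: accounts that should have been deprovisioned, and when.
TERMINATIONS = {"dana.former@obrienbuilders.example": "2026-03-31T23:59:59Z"}


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse(log_text: str) -> list:
    """One dict per non-blank line, with the timestamp parsed."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = _ts(e["ts"])
            events.append(e)
    return events


def events_on(events, object_prefix, start, end, actions=("read", "write", "delete")):
    """Every event touching an object under object_prefix within [start, end].
    An empty result for the direct-deposit form during the phishing window is
    the evidence that the attempt never reached the data."""
    lo, hi = _ts(start), _ts(end)
    return [e for e in events
            if e["object"].startswith(object_prefix)
            and e["action"] in actions
            and lo <= e["ts"] <= hi]


def post_termination_access(events, terminations):
    """Reads or writes by an account after its termination timestamp: the
    signature of a missed deprovisioning step."""
    return [e for e in events
            if e["actor"] in terminations and e["ts"] > _ts(terminations[e["actor"]])]


EVENTS = parse(AUDIT_LOG)

if __name__ == "__main__":
    window = ("2026-03-29T00:00:00Z", "2026-03-29T23:59:59Z")  # day the phish arrived
    print("direct-deposit form touched in window:",
          events_on(EVENTS, "payroll/forms/direct-deposit/", *window))
    for e in post_termination_access(EVENTS, TERMINATIONS):
        print("post-termination access:", e["actor"], e["ts"].isoformat(), e["object"])
```

Run as-is, the window query comes back empty (the only read of the form is Ryan's own, the next day, when he verified the request), and the second query flags one read by an account two days past its termination. The point for a small employer is that both answers require the log to record file-level read events, not just logins; confirm the provider's export does before you need it.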
For the small-business cybersecurity floor, see the FTC's Cybersecurity for Small Business page. For the NIST identity-assurance levels that drive MFA strength, see NIST SP 800-63.
Eight Threats and Concrete Mitigations
Most paystub breaches aren't novel — they're variations on eight recurring attack patterns. The mitigation column is the operative control, not a generic best-practice phrase.
| # | Risk vector | How it presents | Mitigation |
|---|---|---|---|
| 1 | W-2 phishing | Spoofed CEO email to payroll asking for "the W-2 file" before Jan 31 — see the IRS W-2 phishing alert | Out-of-band verification (phone callback) for any payroll-data request; no W-2 bulk export over email |
| 2 | Direct-deposit redirect fraud | "New employee" or "current employee" emails asking to update bank account before payday | Direct-deposit changes must be made in person OR via the ESS portal with MFA; never by email |
| 3 | Shared-drive overexposure | Payroll folder accessible to "Everyone in the company" by default | RBAC review; payroll folder restricted to Owner + Office Manager + Bookkeeper only |
| 4 | Retention overrun | Old paystubs from former employees sitting in storage past the retention window | Annual retention review on January 15; automatic disposal of records past 7-year retention |
| 5 | Unauthorized portal access | Former employee retains ESS login after termination | Account deprovisioning included in termination checklist (same day as exit interview) |
| 6 | Vendor breach | Payroll provider, time-tracking app, or storage vendor suffers a data incident | Vendor security questionnaire annually; written incident-response clause in every vendor contract |
| 7 | Lost or stolen device | Office manager's laptop with payroll spreadsheets goes missing | Full-disk encryption on every device; remote wipe enabled; no payroll data on personal devices |
| 8 | Social engineering | Caller pretending to be a lender or "the employee's spouse" asking for paystub info | Identity-verification protocol; no paystub release without written authorization + ID match |
Ryan's phishing attempt was vector #2, direct-deposit redirect fraud attempted via impersonation rather than account compromise. His mitigation: he documented that direct-deposit changes can only happen (a) in person with the office manager, or (b) through the ESS portal after MFA verification. The next-day step was to train his three-person office staff on the same protocol. Total time invested: under two hours. The companion piece on the IRS W-2 phishing scam covers vector #1, which spikes in volume between January 15 and March 15 every year.
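The three signals Ryan caught by eye (wrong sending domain, address not matching HR's record, request before day one) are a mail-flow rule, and the rule is worth writing down so it survives the office manager's vacation. The following is an added example, not MyStubs code and not anything O'Brien Builders runs: the employer domain obrienbuilders.example, the roster and the messages are constructed, and the verdict encodes the page's policy that no change is ever applied from email alone, indicators or not.

```python
"""Screen inbound direct-deposit change requests against the HR roster.

Added example; not MyStubs code and not an O'Brien Builders tool. The
employer domain, the roster and the messages are constructed for
illustration; a real deployment reads them from the HR system and the
mail gateway.
"""
import re
from dataclasses import dataclass, field
from datetime import date

EMPLOYER_DOMAIN = "obrienbuilders.example"  # assumed employer mail domain

# Constructed HR roster: the email and start date on file per employee.
ROSTER = {
    "Maria Lopez": {"email": "maria.lopez@obrienbuilders.example", "start": "2026-04-06"},
    "Jake Torres": {"email": "jake.torres@obrienbuilders.example", "start": "2021-02-01"},
}

# Phrases that mark a message as a bank-change request rather than ordinary mail.
BANK_CHANGE = re.compile(r"direct.?deposit|routing|account number|new bank", re.IGNORECASE)


@dataclass
class Message:
    display_name: str   # name shown in the From header
    sender: str         # actual address in the From header
    sent: str           # ISO date the message arrived
    body: str


@dataclass
class Verdict:
    is_bank_change: bool
    indicators: list = field(default_factory=list)

    @property
    def action(self) -> str:
        """Policy: a change is never applied from email, with or without indicators."""
        if not self.is_bank_change:
            return "not-a-payroll-request"
        if self.indicators:
            return "hold-and-call-phone-on-file"
        return "reply-with-portal-or-in-person-instructions"


def screen(msg: Message) -> Verdict:
    """Collect the impersonation indicators Ryan caught: wrong domain, an
    address differing from HR's record, and a request before day one."""
    if not BANK_CHANGE.search(msg.body):
        return Verdict(is_bank_change=False)
    v = Verdict(is_bank_change=True)
    record = ROSTER.get(msg.display_name)
    if record is None:
        v.indicators.append("display name matches no employee on file")
        return v
    sender = msg.sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if domain != EMPLOYER_DOMAIN:
        v.indicators.append(f"sender domain {domain!r} is not the employer domain")
    if sender != record["email"]:
        v.indicators.append("sender address differs from the HR email on file")
    if date.fromisoformat(msg.sent) < date.fromisoformat(record["start"]):
        v.indicators.append("request predates the employee's start date")
    return v


if __name__ == "__main__":
    # Constructed reproduction of the message Ryan received.
    phish = Message("Maria Lopez", "marialopez.ob@gmail.example", "2026-03-30",
                    "Hi, can you update my direct deposit to my new bank before payday?")
    verdict = screen(phish)
    for hit in verdict.indicators:
        print("-", hit)
    print(verdict.action)
```

Note that a request with zero indicators still does not get processed; the clean path is the ESS portal with MFA or an in-person visit, and the email only earns a reply pointing there. The indicators decide how suspicious the callback conversation should be, not whether the change goes through.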
Ryan's 12-Employee Math
The most common reason small employers under-invest in paystub security is that the cost of a breach feels abstract until it happens. The math below uses Ryan's twelve-employee firm with illustrative line-item estimates; they are this page's assumptions, not published benchmarks, so substitute your own quotes where you have them.
| Cost line | Unit cost (12 employees) | Total |
|---|---|---|
| Forensic investigation (outside firm, baseline engagement) | $4,000–$8,000 flat | $4,000–$8,000 |
| Breach notification (mail + certified, per affected individual) | $3–$5 per notice | $36–$60 |
| Credit monitoring (12 months, if offered) | $30–$50 per person/year | $360–$600 |
| Identity-restoration support (if SSN was exposed) | $10–$25 per person | $120–$300 |
| AZ Attorney General notification (only if 1,000+ affected — N/A at 12) | $0 | $0 |
| Legal review (counsel for notification language + state law mapping) | $1,500–$3,000 flat | $1,500–$3,000 |
| Downtime (3 days of payroll-system unavailability while contained) | ~$200/day × 3 in lost admin productivity | $600 |
| Reputational + retention impact (1 employee resigns within 6 months) | Avg replacement cost $4,700 for trades | $4,700 |
| Total estimated incident cost | sum of the rows above | $11,316–$17,260 |
Compare against the cost of the security stack Ryan implemented after the phishing scare: Google Workspace Business Standard at roughly $14/user/month × 12 = $168/month or $2,016/year; one hardware FIDO2 key for Ryan plus authenticator-app licenses for the office staff at roughly $80/year total; cyber insurance ($500/year for a 12-employee firm with no prior incidents). Total annual stack cost: ~$2,600. Total potential incident cost avoided: $11,316–$17,260. The shape of the math holds across small-employer sizes: the stack pays for itself the first time it prevents a single incident, and the per-employee marginal cost is small.
Ten Breach Notification Statutes
All fifty states, plus DC, Guam, Puerto Rico and the US Virgin Islands, have a data-breach notification law; Alabama and South Dakota were the last to adopt one, in 2018. The ten below cover the highest-population states plus Arizona (Ryan's state), with operative columns for any multi-state employer. Several have been amended recently, so verify each against the current statute text before relying on a deadline.
| State | Statute | Notification trigger | Timeline | AG / regulator notice threshold |
|---|---|---|---|---|
| California | Civil Code §1798.82 | Unauthorized acquisition of unencrypted PII | "In the most expedient time possible and without unreasonable delay" | 500+ residents → AG notification |
| New York | SHIELD Act / Gen. Bus. Law §899-aa | Unauthorized access OR acquisition of private info | Without unreasonable delay | Any breach affecting NY residents → AG, DOS, State Police; 5,000+ → consumer reporting agencies |
| Massachusetts | M.G.L. c. 93H (security standards at 201 CMR 17.00) | Breach of security AND likelihood of harm | As soon as practicable | All breaches → AG + OCABR |
| Illinois | Personal Information Protection Act | Unauthorized acquisition of unencrypted PII | In the most expedient time possible | 500+ residents → AG notification |
| Texas | BCC ch. 521 | Unauthorized acquisition of sensitive PI | Without unreasonable delay, no later than 60 days | 250+ residents → AG notification |
| Florida | Fla. Stat. §501.171 | Unauthorized access to electronic personal info | Within 30 days of discovery | 500+ residents → Dept. of Legal Affairs |
| Ohio | ORC §1349.19 | Unauthorized access AND reasonable belief of misuse | Within 45 days | None specified by statute |
| Washington | RCW 19.255 | Unauthorized acquisition of PI | Within 30 days | 500+ residents → AG notification |
| Pennsylvania | 73 P.S. §2303 | Unauthorized access AND acquisition that materially compromises PI | Without unreasonable delay | 500+ residents → AG (2023 amendment) |
| Arizona | A.R.S. §18-552 | Unauthorized acquisition of unencrypted PI | Within 45 days | 1,000+ residents → AG + 3 credit reporting agencies |
The encryption safe harbor matters. Most state statutes (CA, NY, IL, TX, FL, WA and AZ included) exempt encrypted data from the notification requirement if the encryption key wasn't also compromised. That's the legal reason layer 1 (AES-256 at rest) is the first item in the seven-layer stack: implemented correctly, it converts a stolen drive or a leaked backup from a "notification event" into a "non-event." The caveat is that the safe harbor assumes the attacker got ciphertext. Provider-side encryption at rest is transparent to any authenticated session, so paystubs pulled through a phished Workspace login leave in the clear and the exemption does not apply; layers 3 and 4 (MFA and RBAC) are what close that path. HIPAA's separate breach notification under the HHS guidance applies to PHI specifically; health-plan enrollment data on the benefits side may trigger HIPAA obligations even when paystub data wouldn't trigger the state statute.
Paystub Fields Ranked
Not all fields on a paystub carry equal risk. Mapping the sensitivity ranks lets a small employer prioritize which fields get the heaviest protection and which can be displayed more openly.
| Field | Sensitivity | Why it matters | Where to apply extra controls |
|---|---|---|---|
| Full SSN | Critical (Tier 1) | Identity-theft enabler; basis of credit fraud | Never on a paystub — full SSN belongs only on W-4, I-9, and W-2 |
| Bank account + routing number | Critical (Tier 1) | Direct payroll-fraud enabler | Never on a paystub — only on the direct-deposit authorization form |
| Full home address | High (Tier 2) | Identity-theft + physical-security risk | Minimize on the stub; keep it in the access-controlled archive |
| Last 4 of SSN | High (Tier 2) | Combined with name + DOB enables some fraud | Acceptable on paystub when paired with strong access controls |
| Date of birth | High (Tier 2) | Critical input to identity theft | Avoid on paystub; keep in W-4 / I-9 only |
| Gross + net earnings | Medium (Tier 3) | Useful for fraud profiling, less directly exploitable | Standard encryption + RBAC sufficient |
| YTD totals | Medium (Tier 3) | Same as gross/net | Standard controls |
| Pre-tax + voluntary deductions | Low–Medium (Tier 3) | Generally low-risk, but health-insurance enrollment may be HIPAA-adjacent | Standard controls; HIPAA segregation if relevant |
| Pay period dates | Low (Tier 4) | Minimal exploit value alone | Standard controls |
| Employer EIN | Low (Tier 4) | Public information at IRS | No extra controls needed |
A paystub that masks the SSN to the last four digits, omits the bank routing number entirely (it lives on the authorization form, not the stub), and stores the address only in the encrypted archive is operating at the typical small-employer floor. A paystub that displays the full SSN, full bank account, and physical address on every issued PDF is doing none of the above. For what should actually appear on a paystub by FLSA and state standards, see what should appear on a paystub.
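The field table is, in practice, a whitelist applied at render time plus a scan before archive. The following added example (not the MyStubs generator) builds the stub from a constructed full payroll record, masks the SSN to its last four, drops every Tier 1 field along with the date of birth and address, and then checks the rendered values for anything that still looks like a full SSN or an account number. The field names, the sample record and the regexes are assumptions made for the example.

```python
"""Render a stub from the full payroll record and check that nothing Tier 1 leaked.

Added example; not the MyStubs generator. The payroll record, field names
and patterns are constructed; the tiers follow the table above.
"""
import re

# Fields that must never appear on an issued stub (Tier 1, plus DOB per the table).
NEVER_ON_STUB = {"ssn", "bank_account", "routing_number", "date_of_birth"}
# Fields the stub is allowed to carry verbatim; anything else is dropped.
STUB_FIELDS = ("employee_name", "employer_ein", "pay_period", "pay_date",
               "gross", "net", "ytd_gross", "deductions")

# Coarse patterns for a pre-archive scan of the rendered stub. They are a
# backstop, not a parser: a 9-digit employee number would also trip them.
SSN_FULL = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")
ACCOUNT = re.compile(r"\b\d{9,17}\b")


def minimize(record: dict) -> dict:
    """Build the stub: copy whitelisted fields, mask the SSN to its last four,
    and drop everything in NEVER_ON_STUB or not on the whitelist."""
    stub = {k: record[k] for k in STUB_FIELDS if k in record}
    if "ssn" in record:
        digits = re.sub(r"\D", "", record["ssn"])
        stub["ssn_last4"] = "***-**-" + digits[-4:]
    return stub


def scan_for_leak(stub: dict) -> list:
    """Return (field, kind) pairs where a rendered value looks like a full SSN
    or an account/routing number. Run on the stub before it is archived."""
    hits = []
    for name, value in stub.items():
        text = str(value)
        if SSN_FULL.search(text):
            hits.append((name, "ssn"))
        elif ACCOUNT.search(text):
            hits.append((name, "account"))
    return hits


# Constructed full payroll record for one employee (every value is fictional).
RECORD = {
    "employee_name": "Maria Lopez", "ssn": "123-45-6789",
    "date_of_birth": "1991-07-04", "home_address": "1 Example Way, Phoenix, AZ",
    "bank_account": "000123456789", "routing_number": "123456789",
    "employer_ein": "86-1234567", "pay_period": "2026-03-14 to 2026-03-27",
    "pay_date": "2026-04-03", "gross": "2,480.00", "net": "1,912.37",
    "ytd_gross": "17,360.00", "deductions": {"401k": "124.00", "medical": "96.50"},
}

if __name__ == "__main__":
    stub = minimize(RECORD)
    print(stub)
    print("leaks:", scan_for_leak(stub))
    print("leaks in a careless memo:", scan_for_leak({"memo": "SSN 123-45-6789"}))
```

The scan is deliberately separate from the renderer: the renderer is the control, the scan is the check that the control is still wired in after someone edits the template. A memo or notes field is the usual way a full SSN sneaks back onto a stub, which is why the scan looks at every value rather than the fields it expects.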
RBAC Matrix
Role-based access control on paystub data comes down to three questions: who can read, who can write, and who can delete. Owner-only delete is non-negotiable; everything else flexes by org size.
| Role | Read paystubs | Write paystubs | Modify retention | Delete records | Change RBAC |
|---|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes (after retention expires) | Yes |
| Office Manager / Payroll Admin | Yes | Yes | No | No | No |
| Bookkeeper / Accountant | Yes (read-only) | No | No | No | No |
| Employee (own records only) | Yes (own only) | No | No | No | No |
| Auditor (during engagement only) | Yes (read-only, time-limited) | No | No | No | No |
| Vendor / Payroll provider | Yes (own service window) | Yes (own service window) | No | No | No |
| Former employee | No | No | No | No | No |
Ryan implemented exactly this matrix the week after the phishing scare. The before-state at O'Brien Builders had everyone on the office team with read/write access to the payroll folder — three people, all with full access to twelve employees' worth of PII. The after-state separated Ryan as owner-with-delete, the office manager as write-but-no-delete, and the bookkeeper as read-only. The deprovisioning step for a former employee (vector #5 above) is the most-forgotten control. Add it to the termination checklist alongside collecting the building key and the company laptop.
The employee self-service portal sits on the same RBAC matrix from the employee side: every employee can read their own paystubs, no employee can write or modify, and access ends the day employment ends. For the employee-facing side of paystub access, see paystub access in 2026.
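The matrix above, written as one deny-by-default authorization check. This is an added example, not MyStubs code: roles, record ids and dates are constructed; the employee own-records rule, the auditor and vendor time windows and the owner's delete-only-after-retention-expiry rule each map to a row of the matrix; and the 7-year retention the page uses is assumed to run from the pay date.

```python
"""Enforce the paystub RBAC matrix as a single authorization check.

Added example; not MyStubs code. Roles, record ids and dates are constructed,
and the 7-year retention window is the rule this page uses, assumed here to
run from the pay date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Allowed actions per role; any action not listed for a role is denied.
MATRIX = {
    "owner":           {"read", "write", "modify_retention", "delete", "change_rbac"},
    "office_manager":  {"read", "write"},
    "bookkeeper":      {"read"},
    "employee":        {"read"},           # own records only, checked below
    "auditor":         {"read"},           # engagement window only
    "vendor":          {"read", "write"},  # service window only
    "former_employee": set(),
}
RETENTION_YEARS = 7


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    employee_id: Optional[str] = None
    window: Optional[Tuple[str, str]] = None  # ISO dates: auditor/vendor validity


@dataclass(frozen=True)
class Paystub:
    record_id: str
    employee_id: str
    pay_date: str  # ISO date


def retention_expiry(pay_date: str) -> date:
    """First day on which the record may be deleted."""
    d = date.fromisoformat(pay_date)
    try:
        return d.replace(year=d.year + RETENTION_YEARS)
    except ValueError:  # Feb 29 pay date landing in a non-leap year
        return d.replace(year=d.year + RETENTION_YEARS, day=28)


def authorize(p: Principal, action: str, stub: Paystub, today: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; each rule mirrors a matrix row."""
    now = date.fromisoformat(today)
    if action not in MATRIX.get(p.role, set()):
        return False, f"role {p.role!r} may not {action}"
    if p.role == "employee" and p.employee_id != stub.employee_id:
        return False, "employees may read only their own records"
    if p.role in ("auditor", "vendor"):
        if p.window is None:
            return False, f"{p.role} has no engagement window"
        lo, hi = (date.fromisoformat(x) for x in p.window)
        if not lo <= now <= hi:
            return False, f"{p.role} access is outside the engagement window"
    if action == "delete" and now < retention_expiry(stub.pay_date):
        return False, f"record is retained until {retention_expiry(stub.pay_date)}"
    return True, "ok"


if __name__ == "__main__":
    owner = Principal("ryan", "owner")
    old = Paystub("ps-2019-03", "e07", "2019-03-15")
    recent = Paystub("ps-2026-03", "e07", "2026-03-27")
    for stub in (old, recent):
        print(stub.record_id, authorize(owner, "delete", stub, "2026-04-12"))
    print(authorize(Principal("dana", "former_employee"), "read", recent, "2026-04-12"))
```

Two design points carry over to any real system. The check is additive in the deny direction only: passing the role test never short-circuits the record-ownership, window or retention tests, so a role change cannot accidentally unlock a delete. And the retention gate sits in the authorization path rather than in a calendar reminder, which is what turns "Owner: Yes (after retention expires)" from a policy sentence into something the system enforces.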
By Storage Type
The encryption control is medium-specific. AES-256 at rest is the cloud-storage default, TLS 1.3 (1.2 at minimum) is the transport default, and NIST SP 800-88 governs the disposal end.
| Storage type | Encryption standard | Key management | Notes |
|---|---|---|---|
| Cloud storage (Google Workspace, Microsoft 365, Dropbox Business) | AES-256 at rest (provider-managed) + TLS 1.3 in transit | Provider-held keys; customer-held keys available on enterprise tiers | Default for most small-business workflows |
| On-premise file server | BitLocker (Windows; XTS-AES, with the 256-bit option set by policy, since the default is 128-bit) or FileVault (macOS; XTS-AES-128 with a 256-bit key) | Local key escrow with backup; recovery keys stored off the device | Less common at small employers; encryption-at-rest still mandatory |
| Employee personal device (not recommended) | Full-disk encryption mandatory if used | Per-device passcode | Best practice: no payroll data on personal devices |
| Email attachments | TLS in transit covers only the hop to the next mail server and is usually opportunistic; the PDF then sits decrypted in the recipient's mailbox. S/MIME or PGP for end-to-end | Recipient-dependent | Acceptable for ad-hoc; not the primary delivery channel |
| Removable media (USB) | AES-256 with hardware encryption | Hardware key + passphrase | Best practice: avoid entirely |
| Paper archive | Physical lock + secure-shredding disposal per NIST SP 800-88 | Key control documented | Still legitimate for older records |
| Backup destination | AES-256 at rest + TLS 1.3 in transit | Customer-managed key recommended | Air-gap copies for ransomware resilience |
Ryan's encryption at rest comes through Google Workspace by default; he added a quarterly key-management review to confirm the workspace was provisioned correctly. His backup runs to a second cloud destination with a customer-managed encryption key — total cost roughly $8/month for the destination plus key management. The cost differential between an unencrypted backup and an encrypted one is rarely the issue; the issue is most employers never check that encryption is actually enabled.
Eight Common Security Mistakes
The same eight mistakes show up in payroll-breach forensic reports year after year.
- Sending paystubs to personal email addresses (Gmail, Yahoo) instead of work email or ESS portal
- Storing paystubs in a "Payroll" folder accessible to "Everyone" in the company's shared drive
- Keeping records past their retention window because "we might need them later"
- Skipping MFA on payroll accounts because it's "inconvenient"
- Running no audit log, so a breach investigation has nothing to look at
- No training for the office staff on identifying HR / payroll phishing
- Accepting verbal direct-deposit changes ("Hey Ryan, can you switch my deposit to my new bank?") without written + ID-verified authorization
- No incident response plan, so when a breach happens, the first hour is spent figuring out who to call
The fix for every item above is structural — not "be more careful," but build the system so the mistake can't happen. RBAC stops shared-drive overexposure. MFA stops password-only access. The audit log makes breach investigation tractable. A 30-minute office training stops most HR phishing. A written direct-deposit-change protocol stops vector #2. The incident response plan template at the end of this post addresses the last item.
Print this and walk it on the same day every month. Twenty minutes per review at most.
The monthly cadence catches issues before they cascade. The annual cadence (typically January 15 at small employers) handles retention disposal, vendor security reviews, and policy refresh. The companion piece on the small business payroll recordkeeping checklist covers the recordkeeping side; for why small employers are switching off paper in the first place, see why small businesses are replacing manual paystub records in 2026.
Copy, paste, and fill the bracketed fields. This document sits at the front of the payroll folder and is reviewed every year on [annual review date].
Ryan's version of this policy lives in the front of his payroll folder, dated April 12, 2026, with the annual review scheduled for April 2027. The discipline of the annual walk-through is what keeps the system aligned with whatever the next year of threats looks like.
What is the most sensitive field on a paystub?
The full SSN, when it appears — which it shouldn't on most modern paystubs. Best practice is to mask the SSN to the last four digits on the stub itself and keep the full SSN only on the W-4, I-9, and W-2. The bank account and routing number are equally critical but typically don't appear on the paystub PDF; they live on the direct-deposit authorization form, which has its own separate access controls. The home address ranks next; identity-theft kits typically combine name + DOB + address + last-4 SSN to reset accounts.
Do I need to encrypt paystub PDFs even if my cloud storage is "secure"?
Yes. Encryption at rest is a layer you do not skip, and the major providers (Google Workspace, Microsoft 365, Dropbox Business) apply AES-256 at rest by default. Two details to verify: that encryption is actually enabled for your tenant (it usually is, and the check takes about two minutes), and whether you're using provider-managed or customer-managed keys. Customer-managed keys give you more control but add operational complexity. For most small employers, provider-managed AES-256 is sufficient and is what the state breach-notification statutes' encryption safe harbors recognize, with one caveat: the safe harbor covers ciphertext obtained without the key (a stolen drive, a leaked backup). It does nothing against a phished login, because the provider decrypts transparently for any authenticated session; that path is closed by MFA and RBAC, not by encryption.
What is the typical cost of a paystub-data breach for a small employer?
For a 12-employee firm with a contained incident (no AG notification trigger), the illustrative total runs $11,000–$17,000. That covers forensic investigation ($4,000–$8,000), breach-notification mail ($36–$60), credit monitoring for affected individuals ($360–$600), identity-restoration support ($120–$300), legal review ($1,500–$3,000), downtime ($600), and reputational impact (one employee resigning costs an average $4,700 to backfill in the trades). At 100 employees the same incident plausibly runs $50,000–$150,000 or more, because credit monitoring scales with headcount and reputational impact compounds. The seven-layer stack runs roughly $200–$300/month for a 12-employee firm; the math favors prevention by a wide margin.
Does Arizona's A.R.S. §18-552 require me to notify employees if paystubs leak?
Yes, if the unauthorized acquisition involved unencrypted personal information. A.R.S. §18-552 requires written notice to affected Arizona residents within forty-five days of breach discovery. If more than 1,000 Arizona residents are affected, you also notify the Arizona Attorney General and the three major consumer reporting agencies (Experian, Equifax, TransUnion). The encryption safe harbor applies — if the data was encrypted with AES-256 and the encryption key wasn't compromised, the notification requirement generally doesn't fire. That's the legal reason encryption at rest is layer 1 of the security stack.
How do I stop a direct-deposit redirect fraud attempt?
Three controls together. First, never accept a direct-deposit account change by email alone; require either in-person delivery with ID verification or ESS portal submission with MFA. Second, if the request comes by email, verify out-of-band by calling the employee at the phone number on file (not a number provided in the email). Third, train every office staff member on this protocol on hire and annually thereafter. Vector #2 is the most common payroll-fraud attempt because the payoff is a full paycheck and the attacker only needs to fool one office worker.
What's the minimum-acceptable MFA for payroll accounts?
Per NIST SP 800-63B Authentication Assurance Level 2 (AAL2), the minimum is two distinct factors. SMS one-time codes satisfy AAL2 only as a RESTRICTED authenticator, because SIM-swap and message-interception attacks defeat them. Phishing-resistant, in NIST's and CISA's usage, means FIDO2/WebAuthn security keys or passkeys and PIV smart cards; an authenticator-app TOTP code is not phishing-resistant, since an adversary-in-the-middle page can relay it within its 30-second window, but it is a large step up from SMS. The practical minimum for payroll accounts is authenticator-app TOTP (Authy, Google Authenticator, Microsoft Authenticator); the stronger option is a hardware FIDO2 key (YubiKey, Titan) for the owner and any role with delete authority.
How long should I keep paystubs before disposal?
The conservative answer is 7 years. That clears FLSA's 3-year floor on payroll records and its 2-year floor on the underlying time records (DOL Fact Sheet 21), the IRS's 4-year floor on employment-tax records (Publication 583), and most state retention statutes. The IRS assessment window is normally 3 years but extends to 6 when more than 25% of gross income is omitted from a return, so 7 years clears that too with a small buffer. Disposal at the 7-year mark follows NIST SP 800-88: cross-cut shredding or certified destruction for paper, cryptographic erase or overwrite for drives.
What's the single first thing to do after discovering a breach?
Contain, then notify your incident response contact. Containment means stop the leak: disable compromised accounts, revoke their active sessions, isolate affected systems, and freeze any in-flight direct-deposit changes, before doing anything else. Once contained, notify your incident response owner (per your written policy, with their 24-hour contact number). Within 24 hours, engage outside forensics and preserve an export of the audit log. Within 45 days (or your state's specific deadline; Florida and Washington allow 30), notify affected individuals in writing per your state's breach notification statute. Do not post anything publicly until counsel has reviewed the notification language; a public statement is a counsel decision, not a first-hour reflex.
— David Whitaker, Paystub & Payroll Editor at MyStubs. David covers paystub anatomy, gross-to-net calculation, federal and state tax stacks, payroll recordkeeping, and the income documentation underwriters credit for mortgages, auto loans, and credit cards.
Official sources
Sources · 15 references
- California Civil Code §1798.82 (Data Breach Notification)
- New York Attorney General — SHIELD Act / Data Breach Statute
- Massachusetts 201 CMR 17.00 (Standards for the Protection of Personal Information)
- Illinois Personal Information Protection Act
- Arizona A.R.S. §18-552 (Breach Notification)
- Texas Business & Commerce Code, ch. 521 (Identity Theft Enforcement and Protection Act)
- Florida Statutes §501.171 (Security of Confidential Personal Information)
- IRS — Identity Theft Information for Businesses
- IRS — W-2 Phishing Scam Alert
- CISA — Identity and Access Management Guidance
- NIST SP 800-88 (Guidelines for Media Sanitization)
- NIST SP 800-63 (Digital Identity Guidelines)
- FTC — Cybersecurity for Small Business
- HHS — HIPAA for Professionals
- DOL — FLSA Recordkeeping Fact Sheet 21