National Cannabis Industry Association logo

Join Now

Member Blog: What Is New Hire Reporting and Why Is It Critical for Cannabis Companies

Illustration of paperwork for new hire reporting

Evan Pryor, Director of Sales at Tesseon

Cannabis is amongst the fastest growing industries in America, and it is also one of the most inexperienced. From the individual employee to the entire organization, the lack of commercial and regulatory knowledge can be a real burden for those facing it.

As an employer, one of the most common regulations you are responsible for is the reporting of any new hires to your state, or federal, governing body. Although new hire reporting can become quite recurrent, it is also critical to your business operations.

What is New Hire Reporting?

New Hire reporting is a process by which you, as an employer, report information on newly hired and rehired employees to a designated state agency shortly after the date of hire. As an employer, you play a key role in this important program by reporting all your newly hired employees to your state.

The Personal Responsibility and Work Opportunity Reconciliation Act (PRWORA) of 1996, known as welfare reform, requires all employers to report certain information on their newly hired employees to a designated state agency.

Who is considered a newly hired employee?

The law defines a “newly hired employee” as an employee who has not previously been employed by the employer; or was previously employed by the employer but has been separated from such prior employment and rehired.

Is the reporting process difficult?

The majority of the information you submit is already collected when your employee completes a W4 form. Still, the reporting process is an additional requirement, which may possibly add time and expense to your company’s operations. To ease the process, states are working together with employers, offering them a variety of reporting methods.

New Hire reporting is one of the many services we offer at Tesseon to reduce your burden and help you to stay in compliance.

Does New Hire reporting benefit employers?

A potential benefit to employers is the reduction and prevention of fraudulent unemployment and workers’ compensation payments. Timely receipt of New Hire data allows each state to cross-match this data against its active workers’ compensation and unemployment insurance claimant files to either stop or recover erroneous payments. States have saved millions of dollars of erroneous unemployment insurance payments because of these cross-matches.

What is done with the New Hire information?

States match New Hire reports against their child support records to locate parents, establish a child support order, or enforce an existing order. In addition to matching within a state, states transmit the New Hire reports to the National Directory of New Hires.

State agencies operating employment security (unemployment insurance) and workers’ compensation programs have access to their state New Hire information to detect and prevent erroneous benefit payments.

In addition, each state can conduct matches between its own New Hire database and other state programs to prevent unlawful or erroneous receipt of public assistance, including welfare, food stamps and Medicaid payments.

How is the data safeguarded after it is submitted?

Security and privacy of New Hire data are important issues for all those involved in this nationwide program. Federal law requires all states to establish safeguards for confidential information handled by the state agency.

All state data is transmitted over secure and dedicated lines to the National Directory of New Hire (NDNH). Federal law also requires that the Secretary of Health and Human Services (HHS) establish and implement safeguards to protect the integrity and security of information in the NDNH, and restrict access to and use of the information to authorized persons and for authorized purposes.

Where and how do companies send New Hire information?

New Hire reports should be sent to the State Directory of New Hire in the state where the employee works. Federal law identifies three methods for submitting New Hire information: first class mail, magnetic tapes, or electronically. For employer convenience, states offer additional options such as fax, email, phone, and website transmissions. Your state New Hire contact can provide you with instructions on where and how to send New Hire information.

Federal employers report New Hire data directly to the National Directory of New Hire.

What information must an employer report?

Federal law requires you to collect and report these seven data elements:

  1. Employee’s name
  2. Employee’s address
  3. Social Security number
  4. Date of hire (the date the employee first performs services for pay)
  5. Employer’s name
  6. Employer’s address
  7. Federal Employer Identification number (FEIN)

Some states require additional data, please check your state’s specific reporting requirements.

Are there penalties for failing to report New Hires?

States have the option of imposing civil monetary penalties for noncompliance. Federal law mandates that if a state chooses to impose a penalty on employers for failure to report, the fine may not exceed $25 per newly hired employee. If there is a conspiracy between the employer and employee not to report, that penalty may not exceed $500 per newly hired employee. States may also impose non-monetary civil penalties under state law for noncompliance.

Is New Hire reporting required for independent contractors?

Some states do require the reporting of independent contractors. However, federal law does not require it. Contact the person identified on the State New Hire Reporting Contacts and Program Information matrix for state-specific requirements.

How soon must I submit a report after hiring someone?

Federal law mandates that New Hires be reported within 20 days of the date of hire. However, states are given the option of establishing reporting time frames that may be shorter than 20 days. You must adhere to the reporting time frame of the state to which you report. Be sure to check with your state New Hire contact to learn your state’s requirements.

What form is used to send New Hire reports?

Reports must be made either on a copy of the W4 form or, at your option, an equivalent form developed by you. Some states have developed an alternate form for reporting, but its use is optional.

Options for multistate employers to report new hires?

If you are a multistate employer, you have two reporting options:

  1. Report newly hired employees to the states where they work, or
  2. Select one state where your employees work and report all your new hires to the selected state.

If you choose to report all new employees to one state (option B), you must:

  • Register with HHS as a multistate employer
  • Designate the state that you will report
  • Submit your new hires electronically or by magnetic tape to the state you have chosen, no more than twice a month (12 to 16 days apart)

There are two ways to register as a multistate employer, either online or by downloading and filling out the designated paper form (PDF).

Once you complete the registration as a multistate employer, report employees to the state that you have chosen.

Need advice for your business?

At Tesseon we understand that your organization may need help getting things done.  That is why we offer stand-alone services for areas that can be a challenge to any business.  With our in-house expertise and award-winning support we can help you handle any business challenge that comes your way.

Member Blog: Cannabis M&A – Protecting the Valuation Calculus Using Cyber Compliance and Due Diligence

by Rebecca L. Rakoski, Esq. and Patrick D. Isbill, Esq. of XPAN Law Partners

When it comes to the intersection of law, business, and technology, the legal cannabis industry is arguably at the center of all three. Relying heavily on creative, innovative technology to distinguish itself while continually analyzing profitability forecasts to take advantage of new business opportunities and having to monitor at the same time the changing data privacy regulatory landscape, it can all seem rather daunting when added up. Securing trade secrets and overseeing reputational management related to cybersecurity and data protection are some of the challenges rooted at the forefront of this industry, especially after last year’s stunning pace of mergers and acquisitions. Increasing consolidation of fragmented segments of the cannabis industry is foreshadowing a strategic, long-term business approach to achieving higher profits and revenue, leaning on market advantages such as relatively favorable interest costs for now and lower valuations.

Data security and past cyber events play a significant role in these transactions, as do regulatory compliance and data privacy laws. One of the primary, if not foremost, objectives of any deal involving a merger or acquisition is of course valuation. Poor cybersecurity practices, lack of a comprehensive security and data protection program, and digitally unsecured proprietary assets on the part of the target company could spell unforeseen financial, not to mention legal liability, headaches for the acquiring organization.

The business of legal cannabis is after all a highly unique industry because of the already intense regulatory oversight and the enormous amounts of data inherently built in and circulating throughout its diverse industry sectors. From cultivation and laboratory research to manufacturing that incorporates processing for global distribution and all the way out to consumer dispensaries, the aggregate value of such data is almost nothing short of priceless. Simply put, data equals money in today’s global digital economy. So when the acquiring organization fails to adequately perform its due diligence when it comes to cyber compliance, it may be in for a rude awakening post merger or acquisition, especially if this data has been unknowingly compromised.

Every company should first seek to identify and classify the type of data it is acquiring to determine regulatory compliance. Personally identifiable information (PII) and/or protected health information (PHI) and where either comes from, e.g., a consumer or patient, will go a long way to understanding whether state and/or federal laws have been violated. Next, discovery of a past cyber event or breach is critical. Compromised data from inadequate cybersecurity or failure to report potential violations of state data privacy laws to any of the corresponding state enforcement agencies could result in hefty fines and unexpected assumption of liability, not to mention the legal costs to fix it after the deal is done.

Almost every cannabis business knows from the outset it has very particularized regulatory requirements, but such knowledge does not obviate it from complying with additional regulatory data privacy and cybersecurity obligations. Regardless of the side of the transaction, businesses need to keep several key end goals in mind during an M&A deal. Questions include but are not limited to the following: (i) prior cyber practices; (ii) prior cyber incidents; (iii) documented cybersecurity and data privacy programs; (iv) whether those programs are operationalized or just “there” for window dressing; (v) whether there is cyber-liability insurance; and (vi) the nature and type of contractual obligations. All of these elements will help to determine the level of data privacy and cybersecurity maturity of a business which, in turn, affects the value of the data and practices of the targeted organization.

Poor data security and privacy practices can lead to a devaluation of the business calculus and create an unforeseen situation where an organization suddenly becomes a liability rather than the intended asset. In the current shifting legal and technological environment, ignoring or leaving cybersecurity and data privacy due diligence in an M&A transaction to the last minute can be a costly enterprise. In addition, the nature and type of contractual obligations in and around data privacy and cybersecurity can also create a potential for substantial liability if the organization has not operationalized its privacy and security program. Each part of this due diligence is interconnected and can wreak havoc if not properly assessed and, in some instances, immediately addressed.

Like water running downhill, any variation in terrain going forward will cause a parallel, and potentially unpredictable, directional shift. 

All in, the industry is keenly aware of what consumers value – privacy. For example, trust in the product sold and confidence that their identity is secure topmost consumer surveys on the topic. Any cannabis business understands this fragile balance, and any path to growth in the industry must account for it. Same applies to trade secrets. Often the linchpin of a merger or acquisition will be the result of interest in innovative research or breakthrough technology developed by the target company. If it is discovered later that this proprietary work was potentially compromised or publicly disclosed, then the initial value used as the basis for negotiations could diminish exponentially if the work has been appropriated by a business competitor or industry rival looking for a market share advantage.

Due diligence is already part of the fabric of M&A deals. Reports suggest the large volume of global mergers and acquisitions overall is expected to continue this year from last despite worries over regulations and rising interest rates. But focusing on accounting and finances without spending time on determining past commitments to cyber readiness and compliance can unravel even the best of intentions. Valuation is a key calculus in these deals. Understanding the true value of what is being acquired or consolidated is essential to taking advantage of business opportunities for growth and return on investment for an industry primed for both.

Rebecca L. Rakoski, Esq. is Co-Founder and Managing Partner at XPAN Law Partners, LLP. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions. 

Patrick D. Isbill, Esq. is also Co-Founder and Managing Partner at XPAN Law Partners, LLP. Patrick’s practice focuses on cybersecurity and data privacy compliance and enforcement, addressing the business needs and demands of highly regulated industries.

This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

This site uses cookies. By using this site or closing this notice, you agree to the use of cookies and our privacy policy.