A New Cyber Security Threat Businesses Cannot Ignore
An allegedly Chinese state-sponsored hacker campaign dubbed “Salt Typhoon” has infiltrated major cell phone providers, including AT&T and Verizon, potentially exposing your company’s communications to threat actors.
The attack has been described as the most significant telecommunications hack in U.S. history. While the breach is alarming for individuals, the implications for businesses are profound and demand immediate attention.
What is Salt Typhoon?
Salt Typhoon is a sophisticated cyber-espionage operation allegedly orchestrated by the Chinese government. The campaign has targeted vulnerabilities in telecom providers’ infrastructure to access text messages, monitor communications and extract sensitive metadata.
The ongoing breach has affected at least eight major U.S. telecom companies and poses a severe threat to national security and corporate privacy.
Potential dangers to businesses
- Exposure of sensitive information
Text messages often contain business-critical details, such as contracts, client discussions, or even login credentials. If these communications are intercepted, companies risk financial loss, reputational damage and legal consequences.
- Corporate espionage
Competitors or foreign entities gaining access to a company’s internal strategies could result in lost market advantages or intellectual property theft.
- Regulatory and legal repercussions
Many industries are subject to strict data protection laws. A breach exposing customer or employee information could lead to fines and legal actions under regulations such as GDPR or CCPA.
- Erosion of trust
Business partners and clients may lose confidence in a company’s ability to safeguard information, leading to strained relationships and loss of business opportunities.
Government warning
In response to the Salt Typhoon campaign, the U.S. government issued strong recommendations for using end-to-end encrypted communication platforms.
Unlike standard text messaging or phone calls, end-to-end encryption ensures that only the sender and recipient can read the messages, preventing interception even if a network is compromised.
Apps like WhatsApp and Signal, and corporate platforms such as Microsoft Teams and Zoom with encryption features have been singled out as secure alternatives. In contrast, traditional SMS and non-encrypted messaging services remain vulnerable.
For businesses, adopting these recommendations is a necessity. The FBI and the Cybersecurity and Infrastructure Security Agency have emphasized that sensitive communications must migrate to encrypted platforms to mitigate risks from ongoing cyber threats.
Protecting your firm
Protecting your business from the fallout of attacks like Salt Typhoon requires a multi-layered approach. Here are some critical steps:
- Use encrypted messaging: In light of the official recommendations above, shift all internal and external communications to end-to-end encrypted platforms such as Signal or WhatsApp, or enterprise solutions with encryption features.
- Eliminate SMS-based authentication: Avoid using text-based, one-time passwords for authentication; instead, deploy hardware security keys or app-based authenticators.
- Update systems regularly: Ensure all devices and software are updated to patch known vulnerabilities.
- Train employees: Conduct regular cyber-security training to educate employees about phishing, secure communications and device management.
- Limit data access: Implement least-privilege access controls to restrict sensitive data to only those who need it.
- Conduct security audits: Regularly audit your infrastructure for vulnerabilities. Engage third party experts to perform penetration tests and simulate attacks to identify and address weak points.
Finally, you should have in place a robust cyber-insurance policy, which can help mitigate the financial impact of a breach. A comprehensive policy should cover:
- Forensic investigations
- System remediation and restoration
- Legal and regulatory compliance
- Business interruption losses.
Top 10 laws for 2025
With 2025 now upon us, so is a slew of new laws and regulations that will affect California businesses.
Every year, laws passed by the state Legislature and signed into law by the governor take effect, and 2024 was a busy legislative session in Sacramento. The end result is another round of new legislation that California employers need to stay on top of.
This item is the first of two parts, highlighting the top 10 laws and regulations affecting California businesses in 2025.
1. ‘Captive audience’ meetings barred
Starting Jan. 1, California employers are prohibited from requiring employees to attend “captive audience” meetings where the employer shares its opinions on political or religious matters.
This includes topics such as unionization, legislation, elections or religious affiliations. Under the new law, SB 399, employees who choose not to attend must still be paid for their regular work time during these meetings.
Employers are also barred from retaliating, discriminating or taking any adverse action against employees who opt out.
The law applies broadly to most employers, but does include some exceptions, including religious organizations, political organizations and educational institutions providing relevant coursework. The law also allows for required communications or training mandated under laws related to workplace safety, civil rights or job performance.
Employers who violate SB 399 could face significant consequences, including a civil penalty of $500 per employee, per violation. Workers who believe their rights were violated can file a complaint with the Labor Commissioner, seek injunctive relief (a court order to stop the violation), and potentially claim additional damages through civil lawsuits.
2. ‘Egregious’ offenders
Cal/OSHA is working on new rules that would crack down on California employers that commit “egregious” and “enterprise-wide” workplace safety violations by stepping up enforcement and penalties.
The forthcoming rules, expected to take effect this year, would impose substantial penalties on companies that have “shown a disregard towards California workplace safety regulations and the well-being of their employees.”
A business cited for an egregious violation could be fined up to $158,000 “per instance,” meaning it can be applied for each employee exposed to the violation and across multiple locations.
Violations that could be considered “egregious” include, but are not limited to, the following:
- The employer, intentionally, through conscious, voluntary action or inaction, made no reasonable effort to eliminate the known violation.
- The employer has a history of one or more serious, repeat or willful violations, or more than 20 general or regulatory violations per 100 employees.
- The employer intentionally disregarded its health and safety responsibilities, such as by failing to maintain an effective Injury and Illness Program or ignoring safety and health hazards.
3. Expanded paid sick leave
Two bills have expanded the use of paid sick leave.
The more far-reaching measure, AB 2499, expands current state law that allows employees who are victims of crime or abuse to take time off for court appearances, treatment and various other reasons.
The new measure also expands the use of paid sick leave to cover certain “safe time” absences for issues like:
- Domestic violence,
- Sexual assault,
- Stalking, or
- An act, conduct or pattern of conduct that includes:
  - An individual causes bodily injury or death to another.
  - An individual exhibits, draws, brandishes or uses a firearm or other dangerous weapon, with respect to another.
  - An individual uses or makes a reasonably perceived or actual threat of use of force against another to cause physical injury or death.
AB 2499 also permits workers to take time off to help family members who are victims of a crime.
The law protects workers from the threat of discrimination or retaliation for requesting or taking the time off. Under the new law, employees can use vacation, personal leave, paid sick leave, or compensatory time off that is available to them for safe-time absences. It applies to workplaces with 25 or more staff.
The second measure, SB 1105, allows agricultural workers to use accrued paid sick leave to avoid smoke, heat or flooding conditions created by a local or state emergency, like a heatwave, wildfire or flooding.
The measure states that this is a clarification that existing law allows workers to take sick days for preventive care.
4. Freelance Worker Protection Act
Starting this year, California’s Freelance Worker Protection Act imposes new requirements on businesses hiring freelance workers for professional services worth $250 or more.
The law requires employers to provide freelancers with a written contract outlining key details, including the services provided, payment amounts and deadlines for compensation. If no payment date is specified in the contract, freelancers must be paid no later than 30 days after completing their work.
Businesses cannot require freelancers to accept less pay than agreed upon or provide additional services after work has begun as a condition for timely payment.
Importantly, the law also prohibits retaliation against freelancers who assert their rights, such as raising complaints about violations or seeking enforcement of the law.
Noncompliance can lead to significant penalties. If a written contract is not provided, employers may face a $1,000 penalty.
Late payments can result in damages up to twice the amount owed, while other violations may require businesses to pay damages equal to the value of the contract or the work performed — whichever is greater. Freelancers can also file lawsuits to recover unpaid amounts and seek attorney’s fees.
5. Indoor heat illness
These new requirements actually took effect at the end of last summer, so 2025 is the first full year they’ve been in effect.
Cal/OSHA’s indoor heat illness prevention rules require employers to protect workers in indoor workplaces when temperatures reach 82 degrees Fahrenheit or higher. These regulations apply to most indoor settings, but will mainly affect restaurants, warehouses and manufacturing facilities.
At 82 degrees, employers must ensure workers have cool, potable water nearby and access to a cool-down area where temperatures remain below 82 degrees. Workers should be encouraged to take rest breaks to prevent heat-related illness, and monitored for symptoms during these breaks. If clothing restricts heat removal or radiant heat sources are present, these measures apply immediately.
At 87 degrees, employers must take additional steps, when feasible, such as cooling work areas, providing personal heat-protective equipment and implementing work-rest schedules.
Affected employers should evaluate options like installing air conditioning to maintain safe temperatures. While this is feasible for smaller spaces, larger facilities like warehouses may require alternative compliance strategies.
6. PAGA reform
In July 2024, Gov. Newsom signed into law two measures aimed at curbing rampant abuse of the Private Attorney General Act, which has become a costly thorn in the side of businesses in California.
PAGA allows workers who allege they have suffered labor violations, like unpaid overtime or being denied mandatory meal and rest breaks, to file suit against their employers rather than take the more typical route of filing a claim with the state Department of Labor Standards Enforcement.
The new laws aim to reward employers with reduced penalties if they address in good faith issues raised by an employee.
For example, the reforms cap the assessment at 15% of the available penalty for employers that take immediate and proactive steps to bring themselves into compliance with California Labor Code. Employers that take “reasonable” steps to address issues within 60 days of receiving a PAGA notice would face a maximum penalty of 30% of the available penalty under the law.
The new PAGA also requires a worker to personally experience violations alleged in a claim if they want to bring action. It also increases workers’ share of awards to 35%, from 25%. The rest of the funds go to the Labor & Workforce Development Agency.
However, legal pundits predict the changes won’t reduce the amount of PAGA lawsuits being filed in the state.
7. Family leave change
A new law, AB 2123, bars employers from requiring that workers who plan to take time off under the state’s Paid Family Leave Program first take up to two weeks of accrued vacation time before benefits kick in.
8. Driver’s license queries
Starting in 2025, employers are barred from listing in help-wanted ads and job applications that having a driver license is a prerequisite for a job, unless the employer:
- Reasonably expects that driving will be part of the job, and
- Reasonably believes that allowing the employee to use alternative forms of transportation (including ride-sharing, taxi or bicycle) would take more time or require the business to incur higher costs.
9. Poster updates
Employers have to update two mandatory work posters this year.
The standard poster that informs employees about their rights under workers’ compensation laws needs to be updated. The new poster must include language stating that employees may consult with an attorney for advice about workers’ comp law and that they may have to pay attorneys’ fees if they hire a lawyer as part of their claim.
Also, businesses are required to post an updated paid leave law notice to reflect the changes ushered in by AB 2499, the paid leave law for crime and abuse victims discussed above.
10. Minimum wage
California’s minimum wage increased to $16.50 an hour on Jan. 1. This rate is for all areas of the state, except for those jurisdictions that have implemented their own minimum wage to reflect the higher cost of living in their area.
To Avoid Sexual Harassers, Start with Hiring Process
With sexual harassment and other bullying behaviors receiving more attention, and with lawsuits increasing, employers have been busy updating or creating anti-harassment policies and training their employees.
Besides the fallout from having sexual harassment occur in your workplace, employers may be targeted in “negligent hiring” charges if victims of on-the-job harassment file suit. That’s why much of the conversation among human resources specialists and risk managers is avoiding hiring harassers, or potential harassers, in the first place.
But how do you identify a harasser during the hiring process, and how far can you go to make sure that you don’t employ one? Dr. John Sullivan, an HR pundit from Silicon Valley, recommends the following methods for screening out potential offenders, and advises that these checks be done only for finalist candidates.
Develop a set of indicators — Dr. Sullivan recommends that you develop a set of indicators, or traits, of previous problem employees in the workplace, particularly their attitudes about certain subjects and workplace culture. Besides developing your own indicators, you can conduct research and learn what other companies have found to be signs that point to potential harassers.
Toxic-employee indicators
- Professionals who are notably overconfident about their technical proficiencies are 43% more likely to engage in toxic behavior.
- Self-proclaimed “rule followers” are 33% more likely to be problem employees.
Armed with this kind of data, you can formulate questions that will help you ascertain if a candidate is overconfident about their technical proficiency or claims they are a rule follower.
Source: Cornerstone OnDemand
Employee referrals — You should allow employees to refer candidates they have worked with in the past for open positions. Based on prior experience working with someone, your current employees will know what kind of person the prospect is in the workplace.
Conduct peer interviews — You may want to consider having finalist candidates be interviewed by their future colleagues, particularly the ones who will work closely with them.
Those future colleagues probably have the most vested in identifying harassers, since they are likely the ones to be most affected if they turn out to be toxic.
You can help your employees by asking them to look for the aforementioned indicators that you have developed.
Create social interactions — Companies like Zappos and Southwest Airlines try to put top candidates in social situations that they can observe. Zappos, for example, sets up social events like coffee sessions and after-work activities. Instead of hiring managers watching them, they have other employees observe the candidates in less buttoned-down situations, when their guard is down.
Situational questions — For the most part during interviews you will have to finesse the process of trying to extract information.
Dr. Sullivan recommends questions like: “In a situation where you yourself were actually witnessing sexual harassment, what would you do?”
Then you could look for things they didn’t mention, like “reporting the incident.”
Situational questions can reveal a lot about a person’s moral fiber.
Use behavioral and personality tests — Off-the-shelf behavioral and psychological tests aren’t specifically designed to weed out harassers, but they can be indicators of how job candidates treat others. These tests assess people on:
- Civility
- Integrity
- Emotional intelligence
- Values
- Moral character
- Ethics
- Conscientiousness, and more
Some of these factors can indicate a problem employee.
The final step — after hiring
Dr. Sullivan recommends that you continue to assess new employees in the months after they are hired and still on probation. You can better evaluate them during their probation, when it’s easier to let someone go.
You can gauge them to see if they meet your behavior or value standards.
Employee Surveillance Doesn’t Boost Productivity, but Breeds Resentment: Study
As more people have been working remotely over the last few years, some employers have turned to employee-tracking software to ensure that these staff are working while on the clock, and to boost productivity.
Tools like activity monitors and location trackers, however, do not actually increase productivity and they can instead cause a backlash among workers, affecting job satisfaction and stress levels, according to a new poll.
Additionally, 26% of tracked employees said they distrust their employer and half of them feel pressured to work more hours, the survey by review website Software Finder found.
These findings cast doubt on the effectiveness of remote-employee monitoring and tracking, in light of the fact that one in four remote or hybrid workers are tracked.
What employers are tracking
Companies are mostly tracking workers to ensure they are staying productive and working their schedules. They employ a myriad of methods, including:
- Time-tracking software — Helps monitor when employees log in and out of work systems, and how they distribute their time across tasks.
- Screen monitoring — Offers real-time insights into employees’ screen activities, providing a glimpse into their work habits and efficiency.
- Keystroke logging — Tracks every keypress, offering data on productivity and potential security risks.
- Communication monitoring — Analyzes team messaging platforms to understand communication patterns, collaboration and information sharing.
Some employers also track a worker’s company-issued phone and computer locations.
Employee resentment
The survey found that:
- 53% of employees believe it’s a privacy violation for employers to track their activity.
- Three in four employees believe it’s a privacy violation for employers to track their location.
- 64% of untracked employees would recommend their company to others, while 58% of tracked staff would do the same.
- 36% of employees whose activity is tracked are currently looking for a new job, compared to just 18% of those who are not tracked.
Some employees have gotten wise and try to thwart software that tracks mouse movements by using “mouse jiggling,” a device or software that mimics mouse movement, or other software.
This prevents tracking software from detecting inactivity and makes employees appear active when they aren’t. The survey found that 17% of workers use mouse jiggling and that 12% don’t, but want to.
What you can do
All of the above said, remote-worker tracking can be a good thing if it’s implemented with care.
Insightful.com has this advice for companies that aim to track their employees’ work:
- Don’t track remote workers’ time outside work hours.
- Don’t install monitoring software on their personal devices.
- Don’t track remote workers without consent.
- Don’t use data to micromanage your employees.
- Don’t ignore signs of burnout in your staff.
If you do plan to implement tracking, it is important that you are transparent about the process. The review website recommends the following:
Set standards for remote staff. Make sure they are treated equally and entitled to the same break schedules and hours as their peers. Also, if you allow your office workers to chat with one another around the water cooler, you should allow the same deference to your remote workers who log into a social media account for a few minutes.
Encourage staff to raise questions/concerns. If you are implementing remote-employee monitoring, your staff will have many questions and concerns. It’s important that you keep an open line of communication with those who may feel that their privacy is being invaded.
Be transparent about the implementation of monitoring software, and cover the program in meetings with your staff and address their concerns.
After you’ve started using tracking software, you should hold a few meetings a year to check in with your workers about issues they may have. This will give you the chance to also adjust your tracking metrics.
Train remote employees. Your workers, supervisors and managers should know how to use the software properly and be familiar with its features and understand why it’s being used.
Protect Your Officers with ‘Drive Other Car’ Coverage
Linda is a junior partner in a law firm and drives a car that the firm owns and insures. The firm’s auto insurance covers her as a partner and she doesn’t own another car, so she sees no need to have her own policy.
Most of the time, this is not a problem. However, spring break comes and she takes her kids to DisneyWorld. She rents a car at the Orlando airport and never gives a thought to whether her firm’s insurance will cover her if she has an accident with the rental.
But in this case, a phone conversation with the firm’s insurance agent would have been a great idea.
While driving to her hotel one night, Linda rear-ends a new Lexus. The damage to the other car is extensive; she looks to her firm’s auto liability coverage for the cost of repairing it.
The ISO Business Auto Policy covers the person or organization shown in the Policy Declarations (the information page at the beginning). In this case, the name shown is that of Linda’s law firm.
The policy goes on to say that, for liability insurance, the firm is an insured and so is anyone else using, with the firm’s permission, a covered auto the firm owns, hires or borrows, with some exceptions.
Unfortunately for Linda, the firm didn’t rent the car; she did … in her own name. Consequently, the firm’s insurance will not cover her liability for this accident. She will be forced to pay for it out of her own funds.
However, there are a couple of policy endorsements that her firm could have purchased that would have solved the junior partner’s problem.
‘Drive Other Car’ Coverage — Broadened Coverage for Named Individuals
The insurance company will require the insured to list the names of one or more individuals on the endorsement.
The change extends several of the policy’s coverages so that they apply to the listed individuals and their resident spouses. This Drive Other Car endorsement comes with some significant limitations:
- It extends to the listed individuals the coverages that the policy already provides; it does not add coverages not provided. If the firm’s policy does not provide collision coverage on its vehicles, Linda would not have collision coverage on a car she rents.
- It covers the named individual’s spouse if they live together. If Linda is married to Jim, he automatically has coverage for a car he rents in his name.
- The only family member it automatically covers is the resident spouse. It will not cover any other family members in the household unless the endorsement specifically lists their names.
Individual Named Insured
An alternative to the above endorsement is to list individuals’ names in the Policy Declarations along with the firm’s name and attach an endorsement called Individual Named Insured.
This endorsement covers the individual listed in the declarations and automatically covers the person’s resident spouse and family members. It also covers these individuals should they injure another of the policyholder’s employees.
These policy changes affect several coverages, including liability, uninsured motorist, medical payments and physical damage.
If you are considering this type of extended coverage, you should consult with us to discuss the endorsements’ details and identify the one that will best insure the concerned individual(s).
With the right coverage in place, Linda would have been able to enjoy her vacation without having to worry about who would pay for the fender-bender.
Spike in Pregnant Workers Fairness Act Lawsuits Alarms Employers
Since the Pregnant Workers Fairness Act took effect in June 2023, there’s been a huge spike in lawsuits against employers alleging failure to reasonably accommodate workers covered by the landmark legislation.
In the first 11 months following enactment of the law, the Equal Employment Opportunity Commission received 1,869 complaints from workers who allege their employer failed to provide them with reasonable accommodation under the PWFA, according to an article in Business Insurance, a trade publication.
As a result, the EEOC has taken action and between Sept. 10 and Oct. 11, 2024 it initiated four federal lawsuits against companies over alleged violations of the law.
The recent activity should be a wake-up call to employers to put as much effort into complying with this new law as they do the Americans with Disabilities Act, which is similar to the PWFA in that it requires employers to initiate an interactive process with a worker who seeks reasonable accommodations under the act.
The law
Essentially, the PWFA requires employers to make reasonable accommodation for workers covered by the act if they request it, particularly if they are temporarily unable to perform one or more essential functions of their job due to issues related to their pregnancy or recent childbirth.
Reasonable is defined as not creating an “undue hardship” on the employer. Temporary is defined as lasting for a limited time, and a condition that may extend beyond “the near future.” With most pregnancies lasting 40 weeks, that time frame would be considered the near future.
What’s required
The law requires employers, absent undue hardship, to accommodate job applicants’ and employees’ “physical or mental condition related to, affected by, or arising out of pregnancy, childbirth, or related medical conditions.”
The condition does not need to meet the ADA’s definition of disability and the condition can be temporary, “modest, minor and/or episodic.”
The PWFA covers a wide range of issues beyond just a current pregnancy, including:
- Past and potential pregnancies,
- Lactation,
- Contraception use,
- Menstruation,
- Infertility and fertility treatment,
- Miscarriage,
- Stillbirth, and
- Abortion.
What’s a ‘reasonable accommodation’
The law’s definition of reasonable accommodation is similar to that of the ADA. The regulation lays out four “predictable assessments,” which would not be an undue hardship in “virtually all cases.” These would allow an employee to:
- Carry or keep water nearby and drink, as needed;
- Take additional restroom breaks, as needed;
- Sit if the work requires standing, or stand if it requires sitting, as needed; and
- Take breaks to eat and drink, as needed.
The takeaway
The PWFA poses a significant employment liability risk for employers since it’s a new law and supervisors and managers may not be aware of it.
Employers will need to ensure that they properly handle and respond to accommodation requests under the PWFA.
To ensure compliance, you should ensure that personnel who are responsible for handling accommodation requests under the ADA are also trained in how to respond to requests under the PWFA.
As well, you should ensure that you have in place a robust employment practices liability insurance policy that may help cover the costs of any lawsuits filed under the act.
Insurance companies that underwrite these policies may also ask targeted questions in application forms on how a business handles PWFA accommodation requests and whether the responsible employees have been trained in its application.
Companies that don’t have policies in place may instead get a policy that contains an exclusion for PWFA accommodation claims.
The Holidays Have Their Own Workplace Perils
On-the-job accidents may increase during the holidays as distractions in the workplace increase and decorations can pose safety issues.
Normal routines and schedules are disrupted, and your staff — like everyone else — are also rushing around to crowded and chaotic stores and malls after work and on weekends.
Be aware that accidents may be more likely to happen at this time of the year at the workplace, on the road or at home. Employees tend to take extra physical risks ― such as when hanging lights and lugging trees around. And if you hold a holiday party, it opens up a new set of potential liabilities.
In-office safety
When planning decorations for the office, it is important to keep holiday safety in mind.
Decorating the office helps workers enjoy the spirit of the season together, but remember that proper safety precautions should be observed at all times:
- Be mindful of potential fire hazards when selecting holiday decorations and where you place them.
- Be careful when stapling holiday lights, do not add too many strings of lights, and make sure illuminated items are turned off.
- Verify that all fire extinguishers are in place and fully charged and accessible.
- Do not block exits, hang decorations on fire extinguishers, fire alarms or fire hose boxes, or obstruct the view of exit signs.
- Do not hang decorations from sprinkler heads or electrical panels.
- Without proper planning, holiday decorations can create tripping hazards. Extension cords should not be run through traffic areas where they pose trip hazards and, if you have to use an extension cord, use the proper one.
- Avoid placing trees, freestanding decorations and presents in traffic areas.
Holiday party
The holidays bring office parties and, if alcohol is being served, keep in mind the liability involved.
Provide plenty of alternatives to alcohol, such as soft drinks, coffee, tea, water and cocoa. Hire a professional bartender who can cut people off if they have too much.
Enforce the same workplace rules of etiquette at the party as you do in the workplace.
If you serve alcohol, also serve food.
Stop serving alcohol a few hours before the party ends. Offer to cover the cost of an Uber or Lyft ride home for anyone who needs it.
The takeaway
If you keep in mind that the holidays put extra pressure on everyone, it may help you to keep your workplace free of accidents.
By following a few simple safety tips, it will be easy to enjoy the holiday and the events at work without dealing with injuries or damage to property.
When planning for the holidays, incorporate safety precautions into the planning process.
Legal Traps to Avoid When Dealing with FMLA Requests
When an employee files a federal Family and Medical Leave Act request to either deal with a health issue or care for a loved one, their employer is often put in a tight spot, particularly if the person serves a vital role in their organization.
Employers also need to follow a number of rules to avoid running afoul of the law, and plenty have been sued for failing to do so, a prospect that can be costly.
If you are confused about navigating the FMLA, here’s a handy list of mistakes to avoid.
Firing – It would be a bad idea to fire an employee if they’re unable to return to work following the end of FMLA leave that is due to their serious health condition. Better to find out if the employee is entitled to any additional time off under employment laws or through company policies.
The Americans with Disabilities Act (ADA) may consider the granting of additional leave a “reasonable accommodation,” in legal terms.
That definition comes from determining whether the employee’s condition is a disability. Under the ADA, most serious health conditions as defined by the FMLA are considered disabilities. If you’re in doubt, ask your legal counsel for advice.
Then you have to figure out whether the requested time off is legally considered “reasonable.” Under the ADA, you as an employer don’t have to grant leave as an accommodation if it poses “hardship” or “undue hardship” to your organization.
Miscalculation – You are able to calculate FMLA leave by either calendar year, any fixed 12-month period, or the 12 months measured forward from when an employee’s FMLA leave begins. It can also be calculated as a 12-month period measured backward from the date an employee uses the leave.
Deadlines – Meeting FMLA deadlines for processing requests for leave under its guidelines is critical. Within five business days of learning an employee has requested FMLA leave, you must provide them with the “Notice of Eligibility Rights and Responsibilities Form,” or something similar that your company has prepared.
Next, if you require the employee to file a certification form, you must allow them 15 calendar days to do so. Then, within five business days of receiving the certification form, you must provide the employee with an FMLA designation form that tells them whether the request has been approved.
But if the certification form is incomplete or insufficient, you then must allow the worker seven calendar days to make necessary corrections. You must give written notice to employees of all deadlines, and the consequences of failing to meet them.
Reassignment – If you want to reassign an employee on FMLA leave for better efficiency, you can only do so for employees who need intermittent or reduced schedule leave.
Reassignments can be done for the employee, family or covered service member if such leaves are a planned medical treatment, a period of recovery from a serious health condition, or due to the birth of a child or placement of a child into adoption or foster care. Beyond that, the reassignment is to be only as long as is required by the leave period.
You are also prohibited from transferring employees to a position to discourage them from taking FMLA leave. That means you can’t demote them from marketing supervisor to customer service rep, even if their pay and benefits remain the same at the reassigned position.
Meanwhile, you may not require a transfer to another job when the employee’s need for an intermittent or reduced schedule is unforeseeable.
The takeaway
As you can see, the FMLA is a veritable minefield for employers and, if an employee requests leave under the law, you must make sure you don’t do anything to infringe on their rights, lest you open your organization to being sued.
Business Interruption the Fastest-Growing Cyberattack Cost
A new study has found that the fastest-growing cost associated with cyber incidents is business interruption, reinforcing the need for businesses to have in place robust response and data restoration measures, particularly after a ransomware attack.
Between 2019 and 2023, the average cyber insurance claim that involved business interruption ended up costing 450% more than claims that had no lost income, according to the 2024 NetDiligence Cyber Claims Study.
Business interruption can occur if a cyberattack like ransomware fully or partially disables a company’s operations or if a vendor suffers a cyberattack that forces the client company to suffer a loss or inability to operate.
The latter, known as “contingent business interruption,” can occur if a cyberattack cripples a supplier’s factory from producing a part that’s crucial for another company’s production operation.
The study also found that if business interruption is involved, the cost of every other part of a claim, such as crisis services and recovery costs, also increases.
For claims with no business interruption losses, the average cost of a cyber claim for small and mid-sized enterprises (SMEs) between 2019 and 2023 was as follows:
- Crisis services: $96,000
- Regulatory and legal: $24,000
- Total incident cost: $205,000
However, for SME claims with a business interruption component during the same period, average costs were*:
- Business interruption: $487,000
- Crisis services: $279,000
- Recovery expense: $115,000
- Total incident cost: $995,000
* There was no information on regulatory and legal costs for these types of claims.
For large companies, the average business interruption cost was $26 million, with total incident costs averaging $36 million in 2019-2023.
What you can do
First: Ensure that you have in place systems, policies and training to reduce the chances of your organization being hit by a cyberattack.
One of the study authors noted that many companies he deals with are woefully unprepared for a cyber event-caused business interruption.
“We continue to see SME clients transform their businesses to be more reliant on digital systems while failing to understand the inherent risks that come from complex digital ecosystems,” said Alden Hutchison, principal of global consulting firm RSM US LLP.
“This becomes very evident during the recovery process for a client where it’s clear they haven’t planned for resilience in their digital platform nor practiced operating their business processes during a crisis scenario,” he explained.
Experts recommend:
Disconnecting all networks. As soon as a threat is discovered, disconnect every vulnerable device from your network in order to keep the attack from spreading.
Regular back-ups. Back up critical data to a secure, offsite location to enable swift recovery in case of a cyberattack. Even better: Download your data on a daily basis to a hard drive that is not connected to your database or the internet.
But beware: Ransomware can have dwell times as long as six months, so malware might have been included in your archival backups. Before restoring, run an anti-malware package on all systems and drives.
Detailed planning. Create a detailed plan outlining response procedures to a cyberattack, including roles, responsibilities, and data recovery and restoration strategies. Also, prioritize in advance what data or systems need to be recovered first, and when.
Continuous monitoring. Continuously monitor network traffic for suspicious activity to detect potential threats early and before they spread and threaten to take your entire system down.
Cyber coverage
Finally, you should have in place a cyber insurance policy. Most policies include coverage for both business interruption due to an event on your systems and contingent business interruption for a cyber event at a vendor or supplier.
You can often work with us to tailor-make your cyber policy to ensure it would cover your business’s specific needs.
New Class-Action Lawsuits Target Group Health Plan Tobacco Surcharges
A new wave of class-action lawsuits is targeting employers that apply health insurance premium surcharges to employees who use tobacco, accusing them of discrimination and violating the Employee Retirement Income Security Act (ERISA), according to two new blogs by prominent law firms.
The lawsuits, according to a blog by Chicago-based Thompson Coburn LLP, assert that the surcharges are violations of fiduciary duty rules under ERISA, as well as discrimination regulations under the Health Insurance Portability and Accountability Act (HIPAA).
The law firm says these cases are being filed across the country on an almost daily basis and to date no courts have ruled to have the cases dismissed.
The fast-developing lawsuit trend is notable, considering that tobacco surcharges are widely used, and if any of the new lawsuits are successful, they could set a precedent that could expose thousands of employers to legal action. Most of the lawsuits are against self-insured plans, but even employers who purchase health insurance and also impose surcharges for tobacco use could be targeted as they are considered “fiduciaries” under ERISA.
The lawsuits hinge, in part, on a HIPAA prohibition on group health plans and wellness plans discriminating on the basis of health status. For example, health plans are barred by the law from charging higher premiums to group health plan participants with pre-existing conditions.
However, HIPAA has one exception to the rule: It allows plans to charge different premiums for employees who enroll in and adhere to “programs of health promotion and disease prevention.”
The lawsuits target a common practice: requiring employees who use tobacco to pay higher health plan premiums than their colleagues who certify that they don’t use tobacco products (cigarettes, e-cigarettes, chewing tobacco and similar products).
Common themes
The lawsuits have two common themes. They allege that the plan:
- Did not provide an alternative standard for tobacco users to obtain a discount because the premium reductions for participating in the wellness plans are only available on a prospective basis, in violation of ERISA Section 702, and
- Failed to provide information on the existence of such alternatives in “all plan materials.”
The lawsuits typically seek several of the following remedies:
- Declaratory and injunctive relief.
- An order instructing the employers to reimburse all persons who paid the surcharges, with interest.
- Disgorgement of any benefits or profits the businesses received as a result of the surcharges.
- Restitution of all surcharge amounts charged.
It should be noted that as of the end of October 2024, no court has ruled on a motion to dismiss a case, according to the blog. At least one case has settled as a class action and the employer and plaintiffs in another class-action case had informed the court that they were working on a settlement agreement and would both ask the court to dismiss the case.
In addition to these private actions, the Department of Labor has sued several employers targeting premium surcharges, including in 2023 when it brought action against a firm whose health plan was charging tobacco users a $20 per month surcharge, according to a blog by Washington, D.C.-based Groom Law Group.
The takeaway
Thompson Coburn said in its blog that these types of cases are snowballing: “Given the number of complaints being filed weekly — at times daily — it is highly possible that any group health plan that applies tobacco surcharges as discussed faces the possibility of a class action lawsuit.”
The law firm recommends that businesses consider reviewing their health plans to ensure that they comply with HIPAA’s non-discrimination rules for wellness plans, which allow tobacco surcharges when applied properly, such as charging different premiums for workers who enroll in and adhere to a program that’s focused on promoting health and preventing disease.
This is a newly evolving threat to employers. We’ll provide future updates after courts rule on the merits of the cases, which will provide more guidance on when tobacco surcharges can be applied.