Blog - Tag: Measured Risk Insurance

Urgent: Distribute New Workplace Rights Notice to Your Staff

If you have not yet distributed the state’s new required “Workplace Know Your Rights” notice to your workers, you missed the Feb. 1 deadline and need to act immediately.

California’s Workplace Know Your Rights Act (SB 294) mandates that employers provide all employees with an annual, stand-alone written notice detailing key workplace rights, including immigration protections, union organizing, workers’ compensation and law enforcement interactions. Under the law, notices must be distributed by Feb. 1, 2026 and to new employees upon hiring.

The law also requires employers, by March 30, 2026, to give employees the opportunity to designate an emergency contact and indicate whether that contact should be notified if the employee is arrested or detained at work or during work hours.

The notice must be delivered in a stand-alone format using the same method normally used to communicate employment information, such as personal service, e-mail or text message, as long as employees can reasonably be expected to receive it within one business day. Notices must be provided annually and upon hire.

The Labor Commissioner has issued a template in English and Spanish, with additional languages — including Chinese, Filipino, Vietnamese, Korean, Hindi, Urdu and Punjabi — forthcoming.

 

Workers’ compensation rights

The notice must inform employees of their rights to workers’ compensation benefits if they are injured or become ill due to their job. This includes medical care and disability pay to replace lost wages.

 

Immigration-related protections

A significant portion of the notice addresses immigration-related protections already codified in California law.

Employers must inform workers of their right to advance notice of inspections by immigration authorities, including inspections of I-9 forms. Employers that receive notice of an inspection must notify employees and any union representatives.

The law reinforces that employers may not engage in retaliatory immigration-related practices, such as threatening to report a worker or family member to authorities or improperly reverifying employment eligibility. The notice also outlines workers’ Fourth and Fifth Amendment rights during workplace interactions with law enforcement.

 

Right to organize

The notice must also describe employees’ right to unionize and engage in protected concerted activity. This includes the right to discuss wages and working conditions and act together to improve workplace conditions.

 

Penalties and next steps

The Labor Commissioner may assess penalties of up to $500 per employee per violation for failing to comply with the notice requirement.

Violations of the emergency contact provision can trigger penalties of up to $500 per employee per day, capped at $10,000 per employee.

Employers should:

  • Determine and document a distribution method for current employees and new hires.
  • Ensure a reliable recordkeeping process to confirm delivery.
  • Update onboarding materials for new hires to include the notice and emergency contact designation.
  • Train supervisors and managers on emergency contact notification obligations.
  • Circulate the notice to staff to give them the opportunity to designate an emergency contact by March 30.

Stealth Trends Driving Workers’ Comp Premiums

While employers’ main priority for containing workers’ comp costs should be workplace safety, they also need to keep an eye out for three stealth factors that can nudge their premiums higher.

Where employees work, what they do from day to day and how production technology affects workplace behavior are all often flying below the radar for many employers, who may be hit with higher premiums after an insurer audit and worker reclassification. In addition, technology designed to increase productivity — like wearables — may actually raise the potential for workplace injuries.

These issues often surface only after a claim occurs or when the insurer conducts a premium audit. The end result can be a costly surprise when the employer receives a bill for additional premiums.

 

Remote work creates jurisdiction issues

Remote work arrangements are now deeply embedded across many industries. Recent workforce surveys show that a large share of employees whose jobs allow it now work remotely either full time or part time, a sharp increase from pre-pandemic years.

When an employee works from another state, injuries may fall under that state’s workers’ compensation laws. If an employer is headquartered in Louisiana but has a remote worker who is injured while performing job duties in Idaho, two jurisdictions may be involved.

If that state exposure is not disclosed on the workers’ compensation application, coverage gaps or disputes can arise.

Many employers assume remote work reduces risk because employees are no longer in warehouses, job sites or manufacturing facilities. In reality, the exposure has shifted rather than disappeared. Without clear documentation of where employees work and what they do, insurers may default toward broader coverage assumptions that result in higher-rated classifications or expanded exposures.

 

Job creep

Another growing issue is job creep — employees gradually taking on responsibilities outside their original job descriptions. This happens frequently during staffing shortages, growth periods, tight deadlines or in smaller operations. Office staff may help with shipping. Supervisors may step into hands-on roles. Employees often wear multiple hats to keep operations humming.

From an insurer’s perspective, what matters is the work performed, not just the job title listed on payroll. When a claim occurs, carriers examine real-world duties closely. If, for example, a supervisor is injured while helping on the line, the insurer may reclassify payroll, split classifications or apply greater scrutiny across similar roles.

This issue is especially common among small and midsize employers, where flexibility is often necessary. However, without updated job descriptions and internal documentation, that flexibility can translate into higher premiums and audit-related adjustments.

 

Productivity technology challenges

Employers are increasingly using time-tracking software, performance dashboards, automated scheduling systems and wearable devices to monitor productivity, track output and manage work.

While these tools can improve efficiency, they can also subtly alter behavior. Employees may work faster when metrics show they are falling behind. Breaks may be delayed or skipped. Safety steps may be rushed. Early signs of strain or discomfort may go unreported to avoid appearing less productive.

Over time, this increased intensity can raise injury risk, particularly for repetitive motion and ergonomic injuries. In addition, productivity systems may change the nature of the job itself — by increasing lifting frequency, reducing recovery time between tasks or assigning more physically demanding work than originally intended.

 

What employers should review before renewal

To address these stealth exposures and reduce the risk of being hit with a premium increase after an audit, employers should take a closer look at:

  • Where employees are actually working, including out-of-state remote arrangements.
  • Whether job descriptions reflect real, day-to-day duties.
  • How often employees perform tasks outside their formal roles.
  • Whether productivity tools are increasing physical or ergonomic demands.

 

None of these issues are dramatic on their own. But together, they can quietly drive premium increases, coverage disputes and audit surprises.

Employers who proactively address these trends are better positioned to align coverage with reality — and avoid paying for risks they never intended to assume. If you have questions or concerns about any of the above, please contact us to stave off unpleasant premium surprises.


Large Trucks Account for a Third of Work Zone Accidents

Some of the riskiest locations for roadway collisions are work zones, as they often result in changes in traffic patterns and right of way, along with workers present and large commercial vehicles on the scene.

Work zones are designed to improve the safety of workers who are enhancing or repairing roads, freeways, bridges, sewage and other infrastructure by separating construction and maintenance activities from traffic. The crews do that by providing a safe route for motorists, pedestrians and bicyclists and a safe area for the workers on the scene.

That stew of activity and unpredictability sadly results in carnage. In 2023, 899 people died in work zones in the U.S., out of an estimated 101,000 crashes, according to the National Work Zone Safety Information Clearinghouse. More than 300 of those fatalities involved large commercial vehicles.

The most common types of fatal accidents in work zones are:

  • Crashes involving a commercial vehicle: 33%
  • Crashes caused by speeding: 31%
  • Rear-end collisions: 24%

 

With liability risk in mind, it’s important that you take the extra effort to cover driving in work zones during your driver safety training.

At the first sign of road construction, your drivers should slow down. Keep in mind that stopping takes space and time. Depending on how fast a truck is traveling, it can take more than the length of a football field to stop, even in the best conditions (good tires and dry pavement). At 65 mph, the stop will take more than 7 seconds to complete.

Stopping distances can be even greater if:

  • It is raining or snowing,
  • Tires or brakes are worn,
  • There is dirt or gravel on the road,
  • The truck is carrying a heavy load,
  • The truck is carrying a liquid load (especially when the tank is not completely full), or
  • The truck is traveling downhill.

 

The most common types of accident

Let’s look at the most common commercial vehicle work-zone accident scenarios, and why they happen:

Rear-end collisions — These are most common in work zones on freeways, interstates and two-lane highways.

Why they happen: The driver was not aware of or prepared for stopped or slowed traffic ahead of them.

Head-on collisions — These are most likely to happen in work zones on two-lane highways.

Why they happen:

  • The driver crosses the centerline at night.
  • The driver swerves into oncoming traffic to avoid objects.

 

Right-angle collisions — These are most likely to happen in work zones on non-freeway multi-lane roads.

Why they happen: The driver pulls out of or turns left into a workspace, intersection or driveway without enough of a gap in traffic.

Sideswipe collisions — These incidents usually occur on freeways, interstates and other multi-lane roadways.

Why they happen: The driver fails to check for vehicles in their blind spots while trying to merge out of a closing lane or into an open one.

Truck collisions with objects or workers — These especially dangerous accidents usually happen in work zones on non-freeway multi-lane roads.

Why they happen: Typically, the driver is traveling too fast to negotiate the work zone.

 

The American Road Transportation and Builders Association has these recommendations for drivers entering or driving inside a work zone:

  • Pay attention to work zone signs.
  • Leave enough space between you and the motorist in front of you.
  • Be prepared to stop or slow unexpectedly.
  • Expect to stop when you see a “Flagger Ahead” sign.
  • If stopped or slowed in a traffic queue, consider turning on your flashers to warn traffic coming up behind you.
  • Watch for traffic and workers going into or out of the work zone.
  • Get into the open lane as soon as possible at lane closures.
  • Be especially aware of motorists racing to get ahead of you or trying to turn in front of you at the last second.
  • Use alternative routes to avoid work zones whenever feasible.

Corporate Cyber Risk Outlook for 2026

Cyber risks are set to intensify in 2026 as artificial intelligence reshapes how attacks are launched and how organizations defend themselves.

Three new reports agree that cybercrime is becoming faster, more targeted and more disruptive to business operations. AI is accelerating existing threats and shortening the time between intrusion and impact. According to a report by Moody’s Ratings, this shift is pushing companies into “a new era of adaptive, fast-evolving threats” where manual defenses are no longer sufficient to protect an organization.

This is not just a large company problem. Small businesses are increasingly targeted, often because they are seen as easier to breach than larger organizations.

 

AI is supercharging cybercrime

AI is now widely used by cybercriminals to scale phishing, automate efforts to find website vulnerabilities and create malware that can modify its code to evade detection.

Moody’s “2026 Cyber Risk Outlook” warns that these tools allow attackers to scan networks continuously, exploit misconfigurations at machine speed and launch campaigns against thousands of targets simultaneously.

The World Economic Forum echoes this concern in its “Global Cybersecurity Outlook,” where 94% of leaders surveyed said AI will be the most significant driver of cyber risk in 2026. Nearly nine in 10 respondents reported an increase in AI-related vulnerabilities over the past year, alongside rising cyber-enabled fraud, phishing and software exploits.

AI-enabled social engineering is a particular concern. Advances in voice cloning and deepfake technology are making impersonation attacks more convincing, especially those targeting executives, finance teams and IT staff. These attacks increasingly bypass technical controls by exploiting human trust rather than technical flaws.

 

New risks from enterprise AI use

The growing use of AI inside organizations is also creating new exposures. Moody’s found that only 29% of surveyed organizations follow the Open Worldwide Application Security Project’s (OWASP’s) best practices guidance for large language model applications, leaving many vulnerable to data leakage, prompt injection and weak access control.

Research from Google Cloud highlights prompt injection as a rising threat in 2026. In these attacks, malicious instructions are embedded in data or user inputs, causing AI systems to bypass safeguards and expose sensitive data.

 

Ransomware an ongoing threat

Despite improved defenses, ransomware and data-theft extortion remain among the most damaging cyber threats. Moody’s reports that 44% of ransomware attempts in 2025 were stopped before encryption, up sharply from the year before, largely due to better detection and backup practices.

Large enterprises remain prime targets. Their complex networks create blind spots and attackers increasingly focus on extortion tactics that rely on stolen data rather than locked systems.

Google Cloud researchers note that ransomware, data theft and multifaceted extortion continue to generate cascading economic losses across supply chains, with incidents in 2025 resulting in hundreds of millions of dollars in total damage.

 

What employers can do

While no organization can eliminate cyber risk, the reports point to practical steps that can materially reduce exposure:

Strengthen AI governance. Limit AI system permissions, follow OWASP’s guidance for large language models like ChatGPT and monitor for prompt injection attacks and data leakage.

Accelerate detection and response. Automated monitoring and containment tools are increasingly essential as criminals use AI to move quickly through networks.

Plan for data extortion. Create an extortion response plan that addresses regulatory, legal and reputational fallout even when systems remain operational.

Build resilience into infrastructure. Regularly test backups, use cloud systems in multiple locations to spread risk and conduct outage and breach simulations.

Control identity and access. Give staff, systems and applications (including AI agents) only the minimum access they need to do their jobs. Require multi-factor authentication during logins and create just-in-time access protocols so elevated permissions are granted only when needed and automatically removed once a task is complete.

Train employees continuously. Focus on phishing, vishing and executive impersonation scenarios that target human behavior rather than technology.

 

Secure cyber insurance

Finally, you should consider cyber liability insurance, which can help your business recover quickly from an attack by covering costs such as:

  • Data recovery and system restoration after a breach or ransomware attack.
  • Legal and regulatory expenses if sensitive customer or employee data is exposed.
  • Notification and credit monitoring services for affected parties.
  • Business interruption losses from downtime or system failure.
  • Public relations and crisis management to help rebuild trust.

 

Note: Cyber insurance may cover ransomware payments, but coverage is often conditional, increasingly restricted and dependent on policy wording and the circumstances of the attack.


Businesses Scramble to Comply with EEOC’s New Playbook

The Equal Employment Opportunity Commission has rolled out the most dramatic shift in its enforcement posture in decades, narrowing some protections and targeting others, especially around disparate impact, diversity, equity and inclusion (DEI) and gender identity.

Also, with the confirmation of Commissioner Brittany Bull Panuccio in October 2025, the EEOC once again has a voting quorum. Her addition gives the new Republican majority the opportunity to rewrite guidance, revise strategic enforcement plans and launch higher-profile litigation aligned with the administration’s executive orders.

The new enforcement focus, initiated by a series of executive orders by President Trump, stands in contrast to established federal law, opening firms up to litigation by employees that runs counter to EEOC enforcement priorities.

 

DEI programs under a sharper lens

This year, the EEOC has trained its focus on what it describes as “unlawful DEI-motivated race and sex discrimination.” Programs that once were framed as inclusion efforts are now being scrutinized for potential reverse discrimination.

That includes:

  • Mentorship, sponsorship and leadership programs limited to certain demographic groups.
  • “Women only” or “underrepresented only” events and resource group activities.
  • Hiring, promotion or internship pipelines that expressly prefer certain races or genders.
  • Diversity metrics that function more like quotas than broad and aspirational goals.

 

Gender identity policies

EEOC Chair Andrea Lucas has directed agency lawyers to back away from gender identity litigation and to revisit harassment guidance that spells out protections for transgender employees.

Bathrooms, locker rooms and pronoun policies are likely flashpoints. Employers that wish to maintain strong protections for transgender and nonbinary workers may need to rely more heavily on state law, company values and reputational concerns as their guideposts.

These new policies put employers in a bind. Title VII’s ban on sex discrimination, which covers sexual orientation and gender identity, still stands and many states explicitly protect those groups.

Employers that scale back protections to comply with the new federal posture may reduce the chance of an EEOC probe but increase exposure to private lawsuits, state agency enforcement and reputational damage.

 

How employers can respond

Audit DEI and talent programs — Inventory all DEI initiatives, resource groups, mentorships and pipelines. Strip out eligibility rules tied to race, sex or national origin. Reframe programs around equal access and business needs.

Refresh public and internal statements — Review diversity pledges, representation goals and reporting. Avoid language that can be read as promising preferences. Emphasize fair processes, bias reduction and inclusion.

Map gender identity and facility policies to actual law — Chart federal, state and local requirements for every location. Where you maintain sex-specific facilities, consider options like single-user restrooms and clear procedures for handling complaints.

Boost religious accommodation practices — Ensure there is a clear, documented process for addressing religious objections, including objections to DEI content or pronoun expectations. Train managers to respond promptly and consistently.

Keep doing adverse impact reviews — Even if the EEOC is stepping back, continue to test hiring tools, promotion systems and layoff criteria for disproportionate effects on protected groups.

Invest in investigation capability — Make sure complaint procedures, investigation protocols and documentation would hold up under scrutiny from private plaintiffs, state agencies or the EEOC under its new priorities.

 

Takeaway

Finally, ensure that your business secures an employment practices liability policy, which can protect your firm from employee-initiated actions like discrimination or harassment complaints.

These policies can cover court costs, attorneys’ fees, discovery expenses, settlements or judgments and other related costs.


Construction Industry Risks Evolve, Creating Unique Challenges

As the construction industry continues to rebound from the recession, contractors face evolving risks that, left unchecked, can leave their operations exposed to new liabilities.

If you already operate a construction firm, you know that there is a labor shortage that has affected the makeup of your workforce, and that hiring entities are asking builders to take on more of the design function as well. Finally, construction firms must contend with cyber-security risks if they are using technology in their operations.

Accounting for these risks in your risk management strategy as well as ensuring you have the proper insurance coverage is key to protecting your firm from these evolving risks. Here’s a deep dive into three of those risks.

 

Lack of qualified workers

The construction industry has been wrestling with a labor shortage since before the COVID-19 pandemic, a shortage that’s been exacerbated by the immigration raids carried out by Immigration and Customs Enforcement in 2025.

Approximately 439,000 new workers are needed by the construction industry in 2025 to meet demand and potentially 499,000 in 2026, according to Associated Builders and Contractors.

Now, as home construction starts growing again, many contractors are having a hard time finding qualified workers, as well as project managers, engineers and estimators. That means workers are likely taking on greater workloads, which puts them at risk of injury or making mistakes. It also means longer project times.

Also, contractors have more inexperienced workers in their ranks who are not as aware of workplace safety and lack the experience to identify hazards, which puts them and others at risk of injury.

 

Professional liability risks

As more project owners want an all-in-one job with the lead contractors designing and building the project, those construction firms now face a new type of risk: professional liability.

The problem is that the typical contractor’s insurance policy doesn’t provide protection for any design work they may take on. If they do design a project, even partially, they’re not absolved of liability if they farm the actual construction work out to a subcontractor.

Courts have found that designers who cross over and perform traditional “builder activities” lose any limitation of liability traditionally enjoyed by design professionals. Builders who cross over and perform “design activities” assume responsibility for design deficiencies and can no longer push that liability to the design professional.

 

Cyber-security risks emerge

Like all industries, the construction sector has grown increasingly reliant on technology to get the job done. There are numerous solutions in the market that can help optimize workflows and save companies time and money.

While a construction firm is likely not going to keep clients’ credit card information on its website or databases (data that hackers drool over), it does keep confidential information on project designs as well as on employee records.

Recently, a contractor foreman stepped away from his work-issued laptop at a café and upon returning saw that it had been stolen. The laptop contained confidential company information and building information, like modeling construction and design methods.

More building contracts today include confidentiality agreements that require the contractor to be responsible for potential breaches associated with their activities, and that was the case in this instance.

While it was unclear if vital company secrets were exposed, the breach required that the owner’s 2,300 current and former employees be notified that their personal information may have been exposed.

Under the terms of their contract, the contractor was also obligated to pay for credit monitoring for all those employees for a year.

There was no indication that the information was ever exposed, but the notification costs and credit monitoring cost the company $25,000 out of pocket.

 

The takeaway

As contractors’ risks evolve, it’s important that you discuss any changes to your operations when we are helping you renew your insurance policies. We can help you discern if you need additional coverages like cyber and professional liability to ensure that these risks are covered.


Preventing Substance Abuse in the Workplace

Drug and alcohol use by employees on or off the job is a troublesome societal plague that has put many employers on the defensive.

Research by the U.S. Department of Labor shows that between 10% and 20% of the nation’s workers who die on the job test positive for alcohol or other drugs.

The same research shows that industries with the highest rates of drug use are the most physically dangerous and involve the operation of machinery, such as construction, mining, manufacturing and wholesale.

With this in mind, you need to know all of the tools available to you as an employer to ensure that you keep a strong drug- and alcohol-free workplace policy in place, while trying to minimize the effects of employees who are heavy users off the job.

An effective policy can reduce the risk of workplace injuries to an impaired employee as well as co-workers and anybody your company may come in contact with, particularly customers or vendors. The actions of one impaired person, or someone who uses heavily off the job, can have far-reaching effects and turn out to be a significant liability for your company.

The federal Occupational Health and Safety Administration as well as state-run OSHAs offer employers help in sorting out the complexities of putting together an effective drug- and alcohol-free workplace policy.

Federal OSHA outlines five components it considers necessary for a drug-free workplace: a policy, supervisor training, employee education, employee assistance and drug testing.

Drug testing, it says, “must be reasonable and take into consideration employee rights to privacy.”

The federal agency has guidelines available to help resource-challenged small businesses formulate a policy aimed at a drug- and alcohol-free workplace. They include:

  • Drug-Free Workplace Advisor Program Builder. For employers needing to develop a policy from scratch, this guides them through the various components of a comprehensive written drug-free workplace policy. It then generates a policy based on an employer’s specific needs.
  • Substance Abuse Information Database (SAID). This includes sample drug-free workplace policies, surveys, research reports, training and educational materials and regulatory information.
  • Resource directories. These contain current lists of national, state and local resources, including summaries of state laws on workplace-related substance abuse, community organizations that help make businesses drug-free, and help lines for those who have a drug problem.
  • Training and educational materials. These include presentations, articles, fact sheets and posters to help employers provide workplace drug and alcohol education.
  • Workplace Frequently Asked Questions. These are available free of charge.

 

More detailed information for each of the above guidelines is online at: www.osha.gov/SLTC/substanceabuse/index.html

 

The New Zealand example

One good approach to drug and alcohol policies comes from New Zealand. Its OSHA – in simple, practical language – advises employers in that country to:

  • Formulate rules, agreed to by all parties, which apply the same for everyone: employees, contractors and employers.
  • Write the policy clearly and make it available to all in the workplace.
  • Describe steps needed to ensure a drug- and alcohol-free workplace.
  • Enforce the rules “consistently and fairly.”

 

The policy, says New Zealand OSHA, should aim to avoid worker drug or alcohol impairment without discriminating against or punishing employees.

Once formulated, the agency adds, the policy should be part of the company’s official health and management practices in recruitment and training, integrated into its human resources department and widely circulated throughout the business.


Compliance Alert: New Law Expands Protected Paid, Unpaid Leave

California employers have new compliance challenges because of a law that further broadens the circumstances under which employees can take protected paid and unpaid leave.

AB 406, which took effect Oct. 1, 2025, expands on last year’s revisions to the state’s paid sick and safe time and crime-victim leave laws, adding new categories of protected absences that cross multiple statutes — and increasing the complexity of managing employee leave.

Employers will have to once again revise their HR policies to ensure they comply with the new law as some law firms warn that AB 406 affects a number of intersecting statutes.

 

What AB 406 does

AB 406 amends both the state’s paid sick leave law — the Healthy Workplaces, Healthy Families Act (HWHFA) — and Government Code section 12945.8, which governs unpaid job-protected leave.

Effective Oct. 1 — The new law adds two new reasons for which employees can take protected time off:

  • To appear in court as a witness to comply with a subpoena or court order, including if the employee is a crime victim.
  • To serve on an inquest jury or trial jury.

 

Effective Jan. 1, 2026 — The law also extends job-protected leave for employees or their family members who are victims of certain serious crimes (the law cites 14 of them). Covered workers may take leave to attend court or administrative proceedings related to those crimes, such as arraignments, pleas, sentencing hearings, parole hearings or other proceedings where victims’ rights are at issue.

For this purpose, “victim” is defined broadly to include anyone who suffers direct or threatened physical, psychological or financial harm as a result of serious felonies such as domestic violence, sexual assault, felony stalking and DUI causing injury.

 

Overlapping leave laws complicate compliance

The new rules expand and interlink several different statutes — the HWHFA, the California Family Rights Act and the Fair Employment and Housing Act — making it more difficult for HR departments to determine which law applies to each situation.

For example, an employee attending a sentencing hearing on behalf of a family member could qualify for leave under both the paid sick and safe time law and CFRA if that family member also has a serious health condition. HR teams must carefully review each request to ensure the proper leave type is designated and tracked.

 

Notice, documentation requirements

The Civil Rights Department has issued a new mandatory workplace notice titled “Survivors of Violence and Family Members of Victims – Right to Leave and Accommodations.” Employers must post and distribute this notice and train managers on confidentiality and retaliation protections.

 

The takeaway

With some provisions already in effect and others coming Jan. 1, 2026, employers should:

  1. Update employee handbooks and leave policies to reflect AB 406’s new covered uses.
  2. Train HR staff and managers to identify overlapping leave rights and apply the proper designations.
  3. Post the new CRD notice and review confidentiality and anti-retaliation procedures.
  4. Audit HR systems and time-off codes to ensure new leave categories are captured.
  5. Coordinate state and local leave requirements to avoid conflicts.

 

Finally, discuss any planned changes with your legal counsel to ensure compliance with the new law.


New AI-in-Hiring Rules Are in Effect: What You Need to Know

Starting Oct. 1, 2025, any California employer that uses artificial intelligence and other automated tools in recruiting, hiring, promotion and related human resources decisions will have to ensure that the tools don’t discriminate against protected classes.

The new regulations, promulgated by California’s Civil Rights Department, cover any “automated decision system” (ADS), which the rules broadly define to include any computer-based process that makes or influences employment decisions, such as:

  • Artificial intelligence,
  • Machine learning,
  • Algorithms,
  • Statistics, and
  • Other data-processing techniques.

 

If your firm uses AI or another data-driven system in hiring, you’ll want to beef up record-keeping and set testing procedures to ensure that the tools you use comply with the new regulations.

 

What counts as an “automated decision system”

Examples of systems that are covered by the new regulations include:

  • Résumé screeners — These may favor applicants who use certain wording, which can disadvantage older workers or those from different cultural or educational backgrounds.
  • Targeted job-ad delivery — Tools may push job ads to preferred genders, age groups, races and other protected classes.
  • Puzzle or game-style assessments — These tools may screen out people with certain physical or neurological conditions.
  • Voice and facial analysis tools — Tools that assess “enthusiasm” or “communication style” may produce biased results against applicants with disabilities, speech differences or accents.

 

Basics of the new rules

Discrimination risk — It is unlawful to use an ADS or other selection criteria that discriminate based on any protected characteristic such as race, gender and ethnicity. Crucially, an employer can be liable even without intent if the ADS causes an adverse disparate impact on a protected class.

Anti-bias testing — Employers are required to perform anti-bias testing of their automated systems. In any investigation or lawsuit, regulators and courts may look at six factors to determine whether an employer took reasonable steps to avoid discrimination:

  1. Quality of the testing
  2. Efficacy (how well it detects bias)
  3. Recency (how current it is)
  4. Scope (which systems or data were tested)
  5. Results of the testing or due diligence
  6. The employer’s response to those results (what was changed or fixed afterward)

 

Failing to conduct or document bias testing could weigh against an employer in a discrimination case.

Record-keeping — The rule requires employers to keep ADS-related records for four years.

 

What you can do

If you use an ADS in your personnel decisions, focus on the following to comply with the new rules:

Tracking — Track where your ADS is involved in recruiting, hiring, promotion, training selection, performance screens or advertising. Include vendor tools and “off-the-shelf” filters.

Testing — Build a defensible bias-testing program and document the six factors that regulators will look at:

  • Quality,
  • Efficacy,
  • Recency,
  • Scope,
  • Results, and
  • Your response.

 

Planning — Establish a plan to regularly test your ADS tools for bias-tainted decisions. Most importantly, if you detect deficiencies, document the steps you took to address the problems.

 

The takeaway

One of the keys to a successful defense is showing you have taken steps to remedy issues with tools that you use in employment decisions. That means being able to show that you have ensured your data-driven personnel tools do not discriminate.

As a side note, employers should expect more AI-related legislation in the years to come as more companies use it in their day-to-day operations.


The Five Most Common Types of Employee Fraud, Theft

At some point, the odds are that a company will be affected by some form of employee theft or outright fraud.

Fraud can severely crimp a company’s finances and put the firm in a serious bind if the theft is large enough. With technology, fraud has in some ways become easier, but at the same time it typically leaves a trail of electronic breadcrumbs that may be hard to disguise.

According to the Association of Certified Fraud Examiners’ (ACFE) global “Report to the Nations on Occupational Fraud and Abuse” for 2024, the median loss in the U.S. from a single case of:

  • Employee fraud was $61,000,
  • Manager fraud was $150,000, and
  • Executive fraud was $300,000.

 

Here are the five main types of employee fraud and what you can do to thwart them.

 

Purchase order fraud

This is typically carried out in one of two ways:

  • The employee initiates purchase orders for goods that are diverted for personal use, or
  • The employee sets up a phantom vendor account, into which they pay fraudulent invoices, with funds eventually being diverted to the employee.

 

Company credit cards

Employees who have company credit cards may use them for illegitimate purposes, whether to purchase items or to pay for entertainment and travel. Some common types of fraudulent use of credit cards are fuel purchases, airfares, home supplies, meals that are not work-related and entertainment.

 

Payroll fraud

There are typically three ways that an employee can pull off payroll fraud:

  • Setting up phantom employees on your payroll systems who are paid like regular employees but whose funds are diverted to the perpetrator’s account.
  • Paying out excessive overtime.
  • Continuing to pay employees after they die or after they leave your employ.

 

You should have systems in place to detect whether you have more than one employee with the same bank account number or the same address, unusually high overtime payments and whether dead or terminated employees are still on your payroll.
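The payroll checks described above can be run as simple queries over the employee master file and a pay run. The following is an added example, not taken from the article or from any payroll product; the records are constructed, and the field names and the "three times the pay-run median" overtime rule are assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample records (not from the article): master file and one pay run.
EMPLOYEES = [
    {"id": "E1", "bank": "1111", "address": "12 Oak St", "end_date": None},
    {"id": "E2", "bank": "2222", "address": "9 Elm Ave", "end_date": None},
    {"id": "E3", "bank": "1111", "address": "77 Pine Rd", "end_date": None},
    {"id": "E4", "bank": "4444", "address": "9 elm ave.", "end_date": date(2025, 3, 31)},
    {"id": "E5", "bank": "5555", "address": "3 Bay Ct", "end_date": None},
]
PAYMENTS = [
    {"emp": "E1", "pay_date": date(2025, 6, 15), "overtime_hours": 4},
    {"emp": "E2", "pay_date": date(2025, 6, 15), "overtime_hours": 5},
    {"emp": "E3", "pay_date": date(2025, 6, 15), "overtime_hours": 6},
    {"emp": "E4", "pay_date": date(2025, 6, 15), "overtime_hours": 3},
    {"emp": "E5", "pay_date": date(2025, 6, 15), "overtime_hours": 40},
]

def normalize(value):
    """Ignore case, spacing and punctuation so '9 Elm Ave' matches '9 elm ave.'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def shared_values(employees, field):
    """Return {normalized value: [employee ids]} for values used by 2+ employees."""
    groups = defaultdict(list)
    for emp in employees:
        groups[normalize(emp[field])].append(emp["id"])
    return {val: ids for val, ids in groups.items() if len(ids) > 1}

def overtime_outliers(payments, factor=3.0):
    """Flag payments whose overtime exceeds factor x the pay-run median (assumed rule)."""
    typical = median(p["overtime_hours"] for p in payments)
    return [p["emp"] for p in payments
            if typical and p["overtime_hours"] > factor * typical]

def paid_after_end(employees, payments):
    """Flag payments dated after the employee's termination or death date."""
    end = {e["id"]: e["end_date"] for e in employees}
    return [p["emp"] for p in payments
            if end.get(p["emp"]) and p["pay_date"] > end[p["emp"]]]

if __name__ == "__main__":
    print("shared bank account:", shared_values(EMPLOYEES, "bank"))
    print("shared address:", shared_values(EMPLOYEES, "address"))
    print("overtime outliers:", overtime_outliers(PAYMENTS))
    print("paid after end date:", paid_after_end(EMPLOYEES, PAYMENTS))
```

A hit is a lead for review rather than proof of fraud: family members on staff can legitimately share an address, for example.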

 

Sales and receivables

Some employees may collude with vendors to make payments for services never rendered or products never received.

Other times, you may have sales reps who inflate sales to receive higher commissions or bonuses.

 

Data theft

This involves an employee stealing important company data like trade secrets, personally identifiable information, client credit card numbers or client lists. In some cases, the employee provides this data to third parties.

You may be able to detect this kind of theft by running tests to see if a database has been accessed by an employee without access privileges or if reports were generated by employees without authorization. You may also be able to run tests to find out if any employees have sent e-mail with attachments that include sensitive company data.

 

What you can do

According to the report, most theft occurs at one or more of the following stages:

  • Procurement
  • Payment
  • Expense

 

If you are going to do any employee monitoring, these are the places you may want to focus on first.

The ACFE said that by analyzing transactions in these areas (such as with continuous monitoring systems driven by data analysis), it is often possible to test for a wide range of employee fraud as well as bribery and conflicts of interest.

Also, three out of four fraudsters displayed at least one of the following behavioral clues:

  • Living beyond means (39%)
  • Financial difficulties (27%)
  • Unusually close association with vendor/customer (20%)
  • Control issues/unwillingness to share duties (13%)
  • Irritability, suspiciousness or defensiveness (12%)
  • “Wheeler-dealer” attitude (12%)
  • Bullying or intimidation (11%)
  • Divorce/family problems (10%)