HR Legal & Compliance Excellence - February 2023


FEBRUARY 2023 • Vol.10 • No.02 (ISSN 2564-2022)

WORKPLACE SECURITY CHALLENGES AND PREDICTIONS FOR 2023 - Stephanie Benoit Kurtz, Lead Cybersecurity Faculty, University of Phoenix

- 12 Cybersecurity Issues That Are Top-of-Mind For HR Leaders - Brett Farmiloe, Terkel.io
- FTC’s Proposed Ban On Non-Compete Clauses: Implications For Employers And HR - Eric Akira Tate, Morrison Foerster
- Maintaining Workforce Compliance In 2023 - Lakshmi Raj, Replicon
- How HR Can Protect Employers From Privacy Claims Under CPRA - Dan M. Forman and Linda Wang, CDF Labor Law

INDEX

On the Cover

Workplace Security Challenges And Predictions For 2023

Emerging security trends that companies must be aware of - Stephanie Benoit Kurtz, Lead Cybersecurity Faculty, University of Phoenix

Articles

New Year, New Covid Regulations

A review of California’s recent Covid-19 policy updates, and some early considerations for California employers in 2023 - Alicia Morrell, Senior Associate, Arlene Yang, Principal, and Alex Kat, Associate, Meyers

Get The Message

What are firms doing to ensure employee communications on personal devices are collected and preserved? - Lindsay Wuller Aggarwal, Partner, and Carolyn Browne, Associate, Bryan Cave Leighton Paisner

How To Protect Your Frontline Employees From Violence

A formalized workplace violence prevention plan is a must - Carol Leaman, CEO, Axonify

Cybersecurity Threats And HR

3 steps HR can take to build a human firewall against cybersecurity threats - Geoff Webb, VP, Solution Strategy, isolved

Combat Rising IT Security Costs With IT Asset Management

How to improve an organization’s overall security position - Jeremy Boerger, Founder, Boerger Consulting

How To Beat The High Cost Of Employees’ Life Insurance Policies

InsurTech can help reduce the cost of insurance underwriting - Bob Gaydos, CEO, Pendella

Top Picks

12 Cybersecurity Issues That Are Top-of-Mind For HR Leaders

How to address security threats

and CEO, Terkel.io

FTC’s Proposed Ban On Non-Compete Clauses: Implications For Employers And HR

It is time to take a comprehensive look at your restrictive covenant agreements for compliance

Maintaining Workforce Compliance In 2023

Organizations need a single platform that automates labor compliance management - Lakshmi Raj, Co-CEO, Replicon

How HR Can Protect Employers From Privacy Claims Under CPRA

A guideline for human resources professionals to ensure compliance - Dan M. Forman, Partner, and Linda Wang, Attorney, CDF Labor Law

How are our Legal & Compliance Products and Services helping to make you smarter?

Legal & Compliance Excellence - Monthly Interactive Learning Journal

This monthly interactive learning experience showcases solutions to deal with the latest legal and compliance issues facing corporations and legal departments.

Legal and Compliance Webcasts for Credit

HR.com offers various informative webcasts on a variety of topics including the latest HR compliance updates and legal considerations for employers and all HR professionals. Webcasts are available live online with a downloadable podcast and a copy of the slides (PDF) available before and after each webcast. Earn all of the required recertification credits for aPHR, PHR, SPHR, GPHR, and SHRM Certifications. HR.com’s one-hour webcasts, in every HR specialty including Legal and Compliance, are pre-approved for HRCI and SHRM credit (excluding Demo webcasts).

Legal and Compliance Community

Join almost more than 30,000 HR.com members with a similar interest and focus on compliance on legal regulations in HR. Share content and download research reports, blogs, and articles, network, and “follow” peers and have them “follow” you in a social network platform to communicate regularly and stay on top of the latest updates. This well established Legal and Compliance Community is an invaluable resource for any HR professional or manager.

Use these invaluable Legal & Compliance resources today! For more information phone: 1.877.472.6648 | email: sales@hr.com | www.hr.com

Editorial Purpose

Our mission is to promote personal and professional development based on constructive values, sound ethics, and timeless principles.

Excellence Publications

Debbie McGrath CEO, HR.com - Publisher

Dawn Jeffers VP, Sales

Sue Kelley Director (Product, Marketing, and Research)

Babitha Balakrishnan and Deepa Damodaran Excellence Publications Managers and Editors

HR Legal & Compliance Excellence Team

Deepa Damodaran, Editor

Arun Kumar R Design and Layout (Digital Magazine)

Chandra Shekar A K Magazine (Online Version)

Submissions & Correspondence

Please send any correspondence, articles, letters to the editor, and requests to reprint, republish, or excerpt articles to ePubEditors@hr.com

For customer service, or information on products and services, call 1-877-472-6648

Cybersecurity: The Role of HR in Mitigating Cyber Threats

Cyber attacks and breaches continue to rise with no end in sight. Organizations continue to invest in technology at a record pace; however, they continue to be at risk.

During 2022, over 65% of organizations expected security budgets to expand. Gartner estimates that $172 billion will be spent in 2022, up from $155 billion in 2021. Even with this increased spending, attacks continue to grow at an exponential rate.

Featured on the cover, this month, is Workplace Security Challenges And Predictions For 2023 by Stephanie Benoit Kurtz of the University of Phoenix. This article talks about the trends that executives should focus on in order to build a safe workplace.

Check out the 12 Cybersecurity Issues That Are Top-of-Mind For HR Leaders in Terkel.io's Brett Farmiloe's article.

Read, Cybersecurity Threats And HR by Geoff Webb of isolved to understand the 3 steps HR can take to build a human firewall against cybersecurity threats.

At a time when businesses are under attack from the outside, they must also protect themselves from opening the door to employee claims under privacy laws. CDF Labor Law's Dan M. Forman and Linda Wang discuss How HR Can Protect Employers From Privacy Claims Under CPRA.

In 2023, organizations are set to face yet another inflection point. Current economic conditions are putting employees and business leaders to the test. With a potential downturn on the horizon, it has become increasingly important for organizations to ensure they pay their employees accurately and on time. Read, Maintaining Workforce Compliance In 2023 by Replicon's Lakshmi Raj, to understand the various labor laws awaiting HR this year and how technology can help organizations stay compliant.

This is not all! This issue of HR Legal & Compliance Excellence also focuses on other legal aspects and highlights that should help you keep your workforce healthy, safe, and secure.

Happy Reading!

Write to the Editor at ePubEditors@hr.com

Disclaimer: The views, information, or opinions expressed in the Excellence ePublications are solely those of the authors and do not necessarily represent those of HR.com and its employees. Under no circumstances shall HR.com or its partners or affiliates be responsible or liable for any indirect or incidental damages arising out of these opinions and content.

For Advertising Opportunities, email: sales@hr.com

Copyright © 2023 HR.com. No part of this publication may be reproduced or transmitted in any form without written permission from the publisher. Quotations must be credited.

HR Legal & Compliance Excellence (ISSN 2564-2022) is published monthly by HR.com Limited, 56 Malone Road, Jacksons Point, Ontario L0E 1L0 Internet Address: www.hr.com

WHY EXCELLENCE PUBLICATIONS?

In a world of unparalleled challenges (global pandemic, racial injustice, political rivalry, digital 4.0, emotional malaise), uncertainty reigns. Finding opportunity in this context requires harnessing uncertainty and harnessing starts with reliable, valid, timely, and useful information. The Excellence publications are a superb source of such information. The authors provide insights with impact that will guide thought and action.

Dave Ulrich
Rensis Likert Professor, Ross School of Business, University of Michigan
Partner, The RBL Group

Excellence publications are my ‘go-to’ resource for contemporary and actionable information to improve leadership, engagement, results, and retention. Each edition offers rich and diverse perspectives for improving the employee experience and the workplace in general.

I regularly read and contribute to Leadership Excellence and Talent Management Excellence. I use many of the articles I read to augment my own presentations and I often share the articles with my clients. They are always quick, right on target for the latest issues in my field, and appreciated by my clients. If you want to stay up to date on the latest HR trends, choose a few of the different issues from the Excellence series of publications.

Dr. Beverly Kaye
CEO, BevKaye&Co.

We’re eager to hear your feedback on our magazines. Let us know your thoughts at ePubEditors@hr.com

COVER ARTICLE

HR Legal & Compliance Excellence presented by HR.com FEBRUARY 2023

Workplace Security Challenges And Predictions For 2023

Emerging security trends that companies must be aware of

Cyber attacks and breaches continue to rise with no end in sight. Organizations continue to invest in technology at a record pace; however, they continue to be at risk.

During 2022, over 65% of organizations expected security budgets to expand. Gartner estimates that $172 billion will be spent in 2022, up from $155 billion in 2021. Even with this increased spending, attacks continue to grow at an exponential rate. According to Check Point, by mid-year 2022, cyber attacks had risen 42% globally. From supply chain breaches to ransomware, organizations continue to struggle with how not to become an eventual statistic of being attacked.

As we look at 2023, several trends are emerging as top security concern areas that executives should focus upon.

1. User Awareness

User awareness is still the number one area where organizations must continue to invest. The theft of credentials to leverage access continues to be the number one threat to organizations.

According to the Ponemon Institute, over 54% of security incidents result from credential theft. This report states that 59% of organizations fail to maintain strict user account lifecycle management, leaving credentials that are no longer needed in the environment that can be compromised.

It is this type of failure in credential management that bad actors leverage to gain access to accounts and data. Lifecycle management of identities must improve to avoid these types of breaches. This area will continue to be an ongoing challenge for organizations in 2023.

2. Ransomware

Ransomware, as projected, continues to lead the way for bad actors to leverage control and data to monetize hacking organizations. According to the SonicWall Cyber Threat Report, the global volume of ransomware is increasing by 98%. Although this number is down from a 105% increase in 2021, the frequency and dollars spent continue to grow.

Globally, healthcare, financial services, manufacturing and state and local governments continue to see a rise in the frequency of attacks. What is interesting about these attacks is that, according to Veeam's 2022 Ransomware Trends Report, 76% of those that participated in the research had experienced an attack. Of those, only 69% that paid the ransom were able to obtain their data.

A growing trend in this game of cat and mouse is that you may pay the ransom and still not be set free from the hackers’ control.

3. Third-Party/Supply Chain Risk

From internet providers to manufacturers, this continues to be an issue. In 2022, we witnessed several third-party supply chain breaches. Forbes, earlier this year, outlined how this topic has hit prime time in the board room and continues to plague organizations.

Accenture also highlighted this area of concern and illustrated the disruption of the supply chain as also part of the risk. That is, not only vulnerabilities due to third parties but the actual disruption of supplies as it relates to technology disruptions. This challenge will continue in 2023 and we expect that the growth in this area will be in the double digits.

4. IoT and DoS

IoT/OT and DoS attack vectors were key areas of attack in 2022. Organizations are still trying to get their arms around exactly what is on the network and how vulnerable the devices are.

Meanwhile, bad actors are finding ways to exploit devices connected to the internet at a record pace. As organizations accelerate adoption, security is woefully an afterthought. Bad actors will continue to take advantage of weak security postures in this area to exploit security holes to break into secured networks.

5. Mobile Device Attack Vector

Issues in this area have just exploded in 2022. These issues range from application security to privacy of personal data. Organizations that write apps must secure code, keys, and personal data. Few are taking the necessary precautions to validate that all these areas are covered at a comprehensive level.

The other challenge is that applications intentionally share personal data about the users. From locator services information to text messages, users fail to understand exactly what data is being collected from mobile devices and then shared or sold on the open market. This area is going to explode in 2023, with users now becoming more aware of these risks.

6. Phishing Targeted Attacks

This vector is still the number one way that bad actors get into networks. Phishing, smishing, and social engineering are still extremely popular, and the bad actors are getting more sophisticated in the methods, approaches and techniques used to gain information and credentials to gain access to systems and data.

F5, in 2021, posted that there was a 45% increase in phishing emails from 2020-2021. Expect that the number has again increased when this report is published for 2022. Bad actors are now using automated tools to carry out these attacks; with these tools, they can send millions of phishing messages with a single click. The trend for 2023 is that smishing and mobile device attacks are growing as users ditch standard email and move to text and SMS messaging.

Other Trends for 2023

Based on what is occurring in the market and the economy, here are a few other items to consider as you look at the trends in 2023. Resources will continue to be very difficult to retain, attract and find. With the changes that Covid-19 introduced into the workforce with remote work and huge demand for few resources, it has been difficult to retain and attract talent. Workers are looking for big pay and larger flexibility in work locations and schedules.

Organizations attempting to return to the office are finding that some of their best talent resources are not on board for that move. The resource constraints are going to continue in 2023, with security and cloud leading the way in highly sought-after talent.

Data security is going to be a big bet in 2023. Organizations have started figuring out that they have data everywhere and a lack of security controls to secure, encrypt and manage the data. This challenge and the compounding of third-party access and risk leave the board of directors and CIOs up at night.

2023 will be the year some organizations start to admit their weaknesses internally and begin the process of identifying where data lives, how it is secured, who has access and complete lifecycle management.

The next area for 2023 trends is application security. In general, CI/CD pipeline and security around application development are big areas of concern. Development teams in a number of organizations have operated independently from cybersecurity. DevSecOps has been held at arm’s length with the statement that developers own security in the development environment.

Without specific oversight and auditing, development teams often leave access and environments insufficiently managed and protected. This is the Pandora’s box within an organization. Often, inconsistent controls are found, and auditing and identity lifecycle management are almost non-existent.

For example, contractors who worked on last year’s development project still have administrative rights to code and systems.

Libraries and other resources are stored in places like unsecured box accounts. These types of habits require organizations to look closer at development organizations’ security practices, standards, auditing, and procedures.

The last crystal ball item for 2023 is the rise in FinOps. This is the awareness that security, development, and cloud all cost money, and FinOps is the next big bet to analyze spend, trends, and baselines and to look for cost optimization, reductions, waste, and abuse.

From overspending in the cloud to shelfware, organizations have been on a spending spree and with the tightening of the economy and budgets, CIOs are going to be looking for every dime that can be saved or shaved off the budget.

How your organization prepares for some of these trends could be the difference between a better-layered defense strategy or the next headline in the local paper about a breach of your network.

Stephanie Benoit-Kurtz is Lead Cybersecurity Faculty at University of Phoenix College of Business and Information Technology, and Principal Security Consultant at Trace3 in Las Vegas, NV.

New Year, New Covid Regulations

A review of California’s recent Covid-19 policy updates, and some early considerations for California employers in 2023

The start of 2023 brings with it the fourth year that we have been collectively living with the Covid-19 pandemic. 2022 saw a number of changes regarding variants, the accessibility of vaccines and boosters, and for many, a new level of “Covid fatigue.” At the same time, last year gave California employers mandates, policy updates, and a number of brand new regulations regarding both the state and federal response to Covid-19.

As we kick off the new year, here are some developments to keep in mind:

1. The Definitions of “Close Contact” and “Infectious Period” Changed.

In October, the California Department of Public Health (“CDPH”) changed the definitions of both “close contact” and “infectious period.” The new “close contact” definition means that everyone in a smaller space (400,000 cubic feet or less) who shares indoor airspace for a cumulative total of 15 minutes during an infectious period is considered a “close contact,” even if they were not within six feet of the infected employee.

For indoor spaces greater than 400,000 cubic feet, the old definition of being within 6 feet for a cumulative total of 15 minutes or more in a 24-hour period still applies. The new “infectious period” definition is less stringent, and may end after five days, in some circumstances. The new definitions are here

2. California’s Covid-19 Supplemental Paid Sick Leave Expired on December 31, 2022

When the ball dropped at midnight and we closed the books on 2022, we also said goodbye to the 2022 Covid-19 Supplemental Paid Sick Leave (SPSL) law. While there is no 2023 SPSL currently set to replace it, there are still two ways an employee may qualify to receive leave under the 2022 provision.

An employee who was utilizing, or was entitled to utilize, SPSL at the end of December 2022 and whose SPSL benefit window extended into 2023 may receive the benefit of the 2022 SPSL despite the expiration.

Workers, who were not paid the SPSL they were entitled to while unable to work in 2022 for Covid-related reasons, may still request that pay from their employer.

The Labor Commissioner’s Office continues to maintain an updated FAQ regarding 2022 SPSL benefits. It can be found here


While there is no movement toward 2023 SPSL at the state level, still in effect are local SPSL ordinances in Oakland, Long Beach, and both the City and County of Los Angeles. Most local ordinances remain in effect until shortly after the expiration of their respective Covid-19 local emergency (separate from the California statewide state of emergency).

For example, the Los Angeles City Council voted to end the city’s state of emergency on February 1, 2023. As a result, LA city SPSL would then expire 2 weeks later on February 15. Additionally, San Francisco’s Public Health Emergency Leave Ordinance, operative as of October 1, 2022, provides employees of businesses with 100 or more employees worldwide with up to 80 hours of paid Public Health Emergency Leave.

3. Covid-19 General Exposure Notification Requirements Continue Through January 1, 2024.

California public and private employers must continue to notify employees within one business day if they have been exposed to Covid-19. While the notice obligation was set to expire on January 1, 2023, recently enacted AB-2693 extends an employer’s notice obligations to New Year’s Day 2024.

The good news, however, is that the new law makes it easier for employers to notify their employees of exposure, by allowing the information to be posted in a prominent place where employees routinely receive other workplace announcements and on any existing employee portal used for sharing notices.

If employers choose to post the notice, it must remain posted for at least 15 calendar days and provide information including (1) the dates the employee or subcontracted employee was on the worksite; (2) the specific location of the exposures; (3) contact information for employees to receive information on Covid-19-related benefits to which exposed employees may be entitled; and (4) contact information to receive the cleaning and disinfection plan.

The notice must be in English and the language understood by the majority of employees. Employers must keep a log of the dates the notice was posted at each worksite and retain those records for three years.


4. The Covid-19 Emergency Temporary Standards Will Likely Be Replaced by a “Non-Emergency” Covid-19 Prevention Regulation.

Since November 2020, California’s Division of Occupational Safety and Health (“Cal/OSHA”) has issued a series of Covid-19 Emergency Temporary Standards (“ETS”). The most recent ETS, which was set to expire on December 31, 2022, remains in place until the Office of Administrative Law can approve Cal/OSHA’s proposed Non-Emergency Covid-19 Prevention Standard.

The proposed Non-Emergency Standard relaxes some employer obligations, such as the need for a standalone written Covid-19 Prevention Program, which could instead be incorporated into an employer’s existing Injury and Illness Prevention Program (IIPP).

Additionally, this new regulation does not require employers to pay employees while they are excluded from work, but does impose an obligation for employers to provide employees with information regarding federal, state, or local Covid-19 benefits they may be entitled to. Do note that this new regulation includes an employee training mandate and imposes an obligation to “develop, implement, and maintain effective methods to prevent COVID-19 transmission by improving ventilation.”

Cal/OSHA’s guidance for employers regarding the new Non-Emergency Standard can be found here

5. The California State COVID-19 State of Emergency Order Is Ending.

As announced in October 2022, California’s Covid-19 state of emergency will end on February 28, 2023. The federal Public Health Emergency, which was set to expire on January 11, 2023, was renewed that same day. With the highly contagious Omicron subvariant XBB on the rise, we will have to wait and see if Governor Newsom changes his plans regarding ending the state of emergency.

Arlene Yang is a Principal in Meyers Nave’s San Diego office. She advises companies on employment law issues, including Covid-19 policies, leave issues, reasonable accommodations for disabilities, and wage and hour issues. She conducts workplace investigations and specializes in litigation in state and federal court. Alicia Morrell is a Senior Associate in Meyers Nave’s Oakland office where she conducts workplace investigations, litigates, and counsels California employers. Alex Kat is an Associate in Meyers Nave’s San Diego office, where he assists on all aspects of employment law including wage and hour, harassment, discrimination, and retaliation claims. He conducts workplace investigations and advises on employee handbook policies.

12 Cybersecurity Issues That Are Top-of-Mind For HR Leaders

How to address security threats

From hacking powered by AI to attacks on the supply chain, here are 12 answers to the questions, “What are the worst cybersecurity issues/trends that take your focus? Can you describe why they’re important, and what you plan to do?”

1. Tracking Remote Employees

2. Ransomware

3. Demand for Skilled Cybersecurity Talent

4. Move to Apprenticeships and Skills-Based Hiring

5. AI-Powered Hacking

6. Phishing Attacks

7. Undereducated Employees

8. Password Manager Breaches

9. HR Data Retention

10. Supply Chain Hacking

Top Pick

1. Tracking Remote Employees

As our company size grows ever larger and we hire more remote employees, privacy is a growing concern. When company sizes are small, it is easier to track and trust internal employees with pertinent information and documentation.

But as companies expand, this becomes increasingly difficult. It is a genuine concern that internal strategies may be stolen and potentially shared with competitors. My plan is to purchase monitoring software that tracks revisions, access points, and login details.

2. Ransomware

Right now, we are focused on ensuring that our organization is taking proper precautions to protect itself against ransomware attacks. Ransomware is a growing threat that can cause significant damage to an organization’s infrastructure and sensitive data, so it is essential that we take proactive steps to protect ourselves.

To this end, we plan to educate employees on safe online practices, such as avoiding clicking suspicious links or downloading unknown files. Additionally, we are ensuring that our systems are up-to-date with the latest security patches and that our firewalls are configured correctly.

3. Demand for Skilled Cybersecurity Talent

The IT talent gap is a growing problem for organizations trying to attract, develop, and retain new cybersecurity talent, and it is causing significant difficulty for HR leaders to fill critical roles within their organizations.

Despite the overwhelming need, cybersecurity continues to be one of the hardest-hit sectors of the IT talent gap because it is a necessity within all industries. To combat this, HR leaders will need to invest more in cybersecurity training and upskilling programs to equip their workers with the required skills.

Continuous learning is also necessary to help cybersecurity workers keep up with the ever-evolving cyber threat landscape. With the demand soaring for skilled cybersecurity workers, it is also important to provide creative pathways to cyber tech careers through apprenticeships, opportunities to learn on the job, certification programs, strategic partnerships, and other creative solutions to reduce the strain on HR professionals on a much grander scale.

Linda Shaffer, Chief People Operations Officer, Checkr

4. Move to Apprenticeships and Skills-Based Hiring

The number one cybersecurity issue HR leaders should be focused on is the critical cybersecurity talent shortage that every organization is facing. There are currently more than 700,000 open cybersecurity jobs in the U.S., and without rethinking how to attract, develop, and hire talent, companies will not have the qualified cyber staff needed to keep their enterprises safe.

To help expand the current cyber talent pool, HR leaders should consider apprenticeships and move to a skills-based hiring approach rather than relying on degrees as a proxy for every role. Investing in training programs for new employees or apprentices, who might not have every skill needed for a role, as well as prioritizing investments in upskilling programs for current staff, are some solutions for tackling the issue.

5. AI-Powered Hacking

I am focused on the use of artificial intelligence in hacking and data breaches. As AI continues to improve, it is becoming increasingly accessible to everyone, including hackers, who can leverage AI to create more sophisticated and effective attacks.

The potential for AI-powered hacking is extremely concerning, as it could enable bad actors in the industry to outsmart even the most advanced security systems, leading to severe consequences for both individuals and organizations. That is why I am closely following all the trends and advancements related to AI in cybersecurity, and I believe it is important to stay vigilant and aware of the potential threats that AI can bring.


6. Phishing Attacks

A cybersecurity issue that I am currently focused on is the increasing prevalence of phishing attacks. These attacks often involve sending fraudulent emails or messages that appear to be from legitimate sources, with the goal of tricking the recipient into divulging sensitive information or downloading malware.

Phishing attacks can be particularly effective because they often use social engineering tactics to exploit human trust and emotions. This issue is top-of-mind for me because phishing attacks can result in financial losses, data breaches, and reputational damage.

To address this issue, I plan to focus on educating employees about how to identify and avoid phishing attacks. This will involve training on how to spot suspicious emails and what to do if they receive one. I will also work with IT staff to ensure we have strong security controls in place (email filtering, anti-malware software).

7. Undereducated Employees

Raising employees’ understanding and response to cybersecurity threats is the only way employees can respond appropriately and immediately to online attacks. Huge businesses have lost a lot in revenue, records, and customer goodwill because employees failed to detect a threat, and lost even more because of the delay in incident response.

In our organization, we teach employees what to do step-by-step if they spot a potential online threat. We instill in them how just one wrong click on an email can ruin the company they work for.


8. Password Manager Breaches

Over the holidays, a major cloud password manager was breached, and all user vaults were stolen. This password manager also hosted all of our organization’s most sensitive credentials.

We are currently in the process of rotating all employee credentials, piloting a new cloud password service, migrating our employee base, planning a phishing workshop, and deploying two-factor authentication on critical services.

It has created a significant workload for our operations team over the holidays, but we are using the disaster to update lagging best practices that we know should have been done earlier, but were difficult to get prioritization for.

9. HR Data Retention

Managing my startup exposed me extensively to human resources management concerns. One of the most prominent was HR data retention. We live in a highly digitized age where people are becoming increasingly sensitive about their data and its privacy.

Employees, despite how committed they are to you, want to (and deserve to) know how long you will keep their data and how robustly such data will be protected. I advise being transparent about your HR retention policy and how well such policies align with existing statutory regulations or government recommendations.

For example, the U.S. Fair Labor Standards Act (FLSA) states that employers who satisfy a prescribed economic threshold can retain payroll records for 36 months after an employee leaves the organization. Ensure your employees know you are closely abiding by HR data regulations.


10. Supply Chain Hacking

Supply chain hacks have been a massive issue over the past few years, so we are paying closer attention to it and adopting safer prevention techniques to minimize our risk. Since we are collectively adopting more software as businesses go remote and move to the cloud, our businesses are only as strong as digital suppliers’ protective measures to keep our data safe.

We are regularly auditing all team software and creating a list of standard measures we expect our suppliers to take. If they are not taking security protocols as seriously as we’d like, we will not trust them with our business or customer data.

11. Minimizing Internal Risks

One issue that I am currently focused on is the internal risk employees can pose with their use of software and tools within the company network. I do all the hiring for my company and, as a remote company, we have a lot of cloud-based software and communications tools that could pose a risk if they are not used properly.

One example of this is Slack. I love Slack, and its unique drag-and-drop file share, but file sharing can be dangerous when coming from personal computers, laptops, and even company-issued computers.

We use Slack as our primary collaboration tool, and if my employees are not well-versed in how to safely upload and share a file, our whole remote network could be at risk. One of the ways I am trying to minimize this risk is through a comprehensive onboarding process that walks new hires through safe file sharing and uploading best practices. It is my hope that by helping my employees and new hires become familiar with cybersecurity, we can create a safe network.


12. Mobile Security Threats

Mobile devices are not only vital components for individuals, but also for organizations, so the security of mobile devices has become a crucial cybersecurity issue. The surge of Covid-19 has increased the need for remote work, making it necessary to have a robust security system in all mobile devices to avoid data breaches.

Why is mobile security top of mind? Different businesses, sectors, and organizations are using these devices exponentially for smooth business operations and connecting with customers and employees quickly.

What is my plan to do about the mobile security issue? Technology has made our private life vulnerable, but I still take advantage of it to make our lives secure. As a working professional, I want my mailbox to be secure, so I use a security app to keep my mobile phone secure.

Brett Farmiloe is the Founder and CEO – and currently CHRO – of Terkel.io. Brett is an SHRM Influencer and has also been a keynote speaker at several state SHRM conferences around the topic of employee engagement.


Get The Message

What are firms doing to ensure employee communications on personal devices are collected and preserved?

The supervision and retention of communications on personal devices is a hot-button issue with securities regulators, such as the U.S. Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”).

To avoid harsh penalties from regulators, the time is now for firms to ensure that they have processes in place. What is your firm doing to retain and produce communications exchanged by personnel on personal devices, such as text messages or communications exchanged on applications, such as WhatsApp?

Over the past few years, the SEC and other regulators have increasingly become focused on the use of outside communication channels, such as text messaging and WhatsApp. When used for business-related purposes, the SEC has been abundantly clear that these communications are considered part of firms’ books and records, and should be retained and produced as such.

Indeed, in a recent press release, SEC Chair Gary Gensler stated that “[a]s technology changes, it’s even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels, in order to avoid market oversight.”

For instance, in recent regulatory matters, we have seen specific requests for “Documents” and “Communications” that are defined to include “messages of any type,” “text messages,” and/or “instant messages.” We have also seen requests setting forth specific questions regarding firms’ searches for relevant text messages and the methods used to preserve such text messages.

Upon receipt of such requests, firms should work to have processes in place to quickly institute a litigation hold that clearly communicates to firm personnel that business-related communications on their devices must be preserved and provided to the firm. In addition, we recommend engaging a vendor to assist with imaging physical devices and applying search terms to such communications to help streamline the process.

Failure to collect these communications may result in harsh penalties. For instance, in September 2022, after gathering communications from the personal devices of a sample of the personnel from 15 broker-dealers and an affiliated investment advisor, the SEC found that employees “routinely communicated about business matters using text messaging applications on their personal devices.”


The firms under investigation did not maintain or preserve most of these off-channel communications, violating federal securities laws, and resulting in $1.1 billion in penalties.

Similarly, in December 2021, another firm agreed to pay a $200 million fine to regulators, including the SEC, for failing to track and retain broker/dealer text messages on employees’ personal devices. The severity of these penalties is no accident; they are explicitly intended to “deliver a straightforward message to registrants…[t]he time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel… the staff will continue its efforts to enforce compliance with the Commission’s essential recordkeeping requirements.”

As the SEC continues to ramp up its focus in this space, one can expect FINRA will do the same. Notably, FINRA has also increased the number of enforcement actions against firms related to retention and supervision of messages on personal devices, and has imposed sanctions in the form of suspensions and fines for violations.

Indeed, one of the areas of focus in FINRA’s 2022 Report on Examination and Risk Monitoring Program is on digital communication channels, and specifically, “how does your firm supervise and maintain books and records in accordance with SEC and FINRA Books and Records Rules for all approved digital communications.”

FINRA’s report also cautions firms to ensure that their policies address all permitted and prohibited digital communication channels, and have a process in place to review for red flags indicating representatives are communicating through unapproved communication channels. We expect that regulators in this space will remain focused on communications on personal devices in 2023 and beyond.

Conclusion

Firms should pay close attention to how regulators define document requests. When collecting documents and information in response to regulatory requests, firms should assume text messages are included within the scope of the request, and should have a plan in place as to how to collect and produce those messages.

Lindsay Wuller Aggarwal is a partner at Bryan Cave Leighton Paisner based in the St. Louis office. Lindsay focuses her practice on broker-dealers, investment advisers and individual securities industry professionals. She routinely represents firms and individuals in litigation, FINRA arbitrations and in SEC, FINRA and state regulatory investigations.

Carolyn Browne is an Associate at Bryan Cave Leighton Paisner based in the Denver office. Carolyn has experience representing clients in complex commercial disputes, including railroad disputes and broker-dealer matters and regulatory investigations. Most recently, Carolyn served as an integral member of a team representing a client in a multi-million dollar, high-stakes litigation matter, securing summary judgment for the client in state court.


FTC’s Proposed Ban On Non-Compete Clauses: Implications For Employers And HR

The Basics

On January 5, 2023, the Federal Trade Commission (FTC) proposed a new rule, the “Non-Compete Clause Rule,” that would ban employers from imposing non-compete clauses on their workers in the United States. If implemented, the FTC noted that its new rule would make it illegal for an employer to:

● Enter into or attempt to enter into a non-compete with a worker;

● Maintain a non-compete with a worker; or

● Represent to a worker, under certain circumstances, that the worker is subject to a non-compete.

The FTC noted that its proposed rule “would apply to independent contractors and anyone who works for an employer, whether paid or unpaid,” but there would be a “limited exception for non-compete clauses between the seller and buyer of a business” that “would only be available where the party restricted” owned “at least a 25% ownership interest” in the business. Similarly, the “proposed rule would generally not apply to other types of employment restrictions, like non-disclosure agreements” unless such other types of employment restrictions were “so broad in scope that they function as noncompetes,” i.e., de facto non-competes. In addition, the proposed rule would “require employers to rescind existing noncompetes and actively inform workers that they are no longer in effect.”

It is time to take a comprehensive look at your restrictive covenant agreements for compliance

Will the Proposed Rule Become Effective?

The FTC is currently accepting public comment on the proposed rule until March 20, 2023, and is considering whether senior executives should be excluded, whether the rule should be applied differently to lower and higher income workers, and whether the rule should actually impose an outright ban or a rebuttable presumption that non-competes are unlawful. If the FTC ultimately decides to implement the rule, in whatever form, the final rule would be effective 60 days after being published in the Federal Register, and employers would have an additional 180 days thereafter in which to comply. Even then, the proposed rule is expected to face a storm of legal challenges, and it may be enjoined from going into effect until the legal challenges have been resolved. An action of this magnitude could get appealed all the way to the U.S. Supreme Court. In short, it is not at all clear what form the proposed rule will ultimately take, whether it will survive legal challenge, and, regardless, exactly when it will be resolved, one way or the other.

Potential Legal Implications for Employers and Challenges for HR Teams

Meanwhile, employers may have some combination of current employees with non-competes that the employers expect to be able to enforce at some point, potential new hires who are subject to non-competes with their current or soon-to-be former employers, or candidates who are or over the next year will be in the recruitment cycle and for whom employers will need to decide whether to include non-competes in their offer packages. These determinations present a number of potential legal implications for employers in general, and challenges for human resources professionals guiding employers in particular, including:

Even if the FTC curtails non-competes, non-disclosure agreements and non-solicitation agreements would remain enforceable. But other than indicating generally that how the non-compete “functions” will be determinative, not what the term is called, the proposed rule arguably does not clearly define what would be deemed a de facto non-compete, and this lack of clarity could pose compliance challenges for HR teams.

Similarly, the 25% threshold noted in the sale of business exception to the proposed rule may not work from a practical perspective in a number of transactions, as it effectively limits the exception to a total of four owners, when in fact there may be owners with a lower percentage of ownership but whose value and contributions are invaluable and transfer of their ownership would be necessary to protect the value of the business being sold.

If the proposed rule is NOT implemented, employers still need to be wary about their non-competes. The day before it announced the proposed rule, the FTC announced that it had already filed suit in actions that marked “the first time that the agency has sued to halt unlawful noncompete restrictions.”

Irrespective of the FTC or state legislatures, employers still need to be careful with their non-solicitation agreements, as the Department of Justice (DOJ) has stepped up its enforcement against so-called “no-poach” agreements and non-competes it believes violate antitrust laws, including most recently criminal sanctions.

In addition to the FTC and DOJ, more states around the country are passing laws and amendments that narrow the scope of non-compete agreements for employees, including, for example, barring non-competes for lower wage earning employees, requiring minimum periods of advance notice before non-competes can go into effect for employees, requiring payment of salary (or a portion thereof) during the non-compete period, and other limitations.

Non-Competes Protect Against Trade Secret Theft

For many, if not most, companies, the greatest risk that the proposed rule may pose is to their confidential, proprietary, trade secret information and their intellectual property. And it is generally acknowledged that a company’s own employees often pose the greatest threat when it comes to theft of its trade secrets. The FTC cites the Defend Trade Secrets Act (DTSA) as a replacement remedy for the protection employers might otherwise obtain from non-competes. But this ignores some basic limitations of the DTSA.


Perhaps most importantly, the DTSA only protects trade secrets. But there is plenty of other information, data, and intellectual property that is competitively valuable and sensitive, and that can contribute to the good will of companies, that may not rise to the level of a trade secret. In fact, a recent case, in which a court granted a group of defendants’ motion for summary dismissal of the plaintiff’s DTSA claim, illustrates why some may argue that the DTSA is not a satisfactory substitute for non-compete agreements.

Finally, as to the remaining intimate knowledge of customers’ financial condition, circumstances, and business needs, FIB advances no evidence or argument about any disclosure or use of this intimate knowledge to solicit customers, or for any other unfair competitive advantage for Defendants or Glacier. Certainly, customers know lender representatives have this intimate knowledge, and it is not unusual for customers in any sector to follow their friends and/or service providers, in part because of the providers’ knowledge of customer needs. It is unrealistic to expect customers to forget their service relationship with another, just as it is unrealistic to expect Defendants to forget the knowledge they gained with their former employer. Had FIB wished to preclude Defendants from leaving to compete by taking employment with another financial institution, FIB could have proposed an enforceable non-compete agreement. The Court will not recognize a nonexistent non-compete agreement under the guise of “remembered secrets.”

First Interstate Bancsystem, Inc. v. Hubert, 2022 U.S. Dist. LEXIS 127748, __ F. Supp. 3d __, 2022 WL 2763407 (July 15, 2022) (granting summary judgment motion dismissing DTSA claims against all defendants).

Final Word

While the outlook is uncertain, employers would be well advised to take a comprehensive look at not only their restrictive covenant agreements for compliance concerns, but their trade secret and information security processes and programs in the event that non-competes at some point are no longer available or available to the same extent to protect the business.

Eric Akira Tate co-chairs the Global Employment and Labor practice at Morrison Foerster. He litigates bet-the-company trade secrets and employee mobility disputes across the country, and is a noted thought leader, including serving on the Board of Review for leading BNA treatises, Trade Secrets: A State-by-State Survey; Covenants Not to Compete; Employee Duty of Loyalty; and Tortious Interference in the Employment Context.

How To Protect Your Frontline Employees From Violence

A formalized workplace violence prevention plan is a must

Everyone deserves to feel safe at work. Because of the complexity of frontline work (think diverse, dispersed staff, a wide range of experience, confidence and communication skills, styles and knowledge) and the nature of consumer-facing roles, this requires special consideration and care.

Moreover, of late the frontline has become an increasingly hostile environment. In our recent survey, research showed over half (59%) of polled employees experienced customer conflict — daily — and 70% said they felt that customers have become more aggressive.

Combine this with an overall lack of de-escalation training (37% of surveyed workers have received no safety training at all) and you have got a workplace that is potentially perilous, which can lead to disengaged employees, who may feel unsafe, more stressed and underperform. That likely means they will soon be looking elsewhere for employment if they are not already. And who can blame them?

Organizations need to properly prepare their frontline workers for incidents that may erupt in the grocery or retail checkout lines as the lingering effects of post-pandemic life, increasing tension based on economic disparity, not to mention inflation and overall financial concerns, continue to create challenging scenarios that may well find frontline workers in the crosshairs.

A formalized workplace violence prevention plan is a must — the more specific, the better. It should include step-by-step instructions that clearly outline how to handle various situations and offer solutions to mitigate more severe incidents. Specific roles should be assigned and made widely known so everyone is aware of who is taking care of what if a scene develops and no time is wasted when the clock is ticking.

It is equally important that the details of the plan are easily accessible and understood by every frontline worker so that safety is not limited to who is scheduled that day. Then, it is about regularly reinforcing the plan so that employees feel as comfortable as possible with how situations should ideally be handled.

If we scratch below the surface, there is also an important aspect of fostering a culture of listening and learning that extends beyond workplace incidents. Employees should be encouraged to speak up if they experience a hostile work environment or harassment, without the fear of retaliation or disciplinary action. Our survey found that 14% of frontline workers do not report workplace incidents because they do not feel comfortable.


This lack of trust should be taken seriously and folded into an overall wellness strategy that prioritizes psychological safety and two-way communication.

It goes without saying that frontline workers have had an unbelievably tumultuous few years and the additional stressor of increasing workplace violence can be overwhelming. Companies should be offering related employee training, such as conflict resolution and identifying unconscious bias, to better help associates pinpoint potential situations before they escalate.

Connected to this is wellness training that offers tips and advice for illness prevention, stress reduction and how to navigate workplace conflicts to protect and create better employee relationships and take into account the whole person.

It is the responsibility of every frontline organization to ensure their teams feel safe and supported at work. That means companies need to offer continued support, training and communication that provides employees with the techniques and protocols to handle potentially challenging situations and the trust and confidence to speak up if they do not get what they need.

Carol Leaman is the CEO of Axonify

Maintaining Workforce Compliance In 2023

Organizations need a single platform that automates labor compliance management

In 2023, organizations are set to face yet another inflection point. Current economic conditions are putting employees and business leaders to the test. With a potential downturn on the horizon, it has become increasingly important for organizations to ensure they pay their employees accurately and on time.

Further, the pandemic-driven rapid transformation of the workplace has greatly increased worries about risk and employment-related compliance. Due to the demand for new workstyles and a limited talent pool, independent contractors (ICs) have also emerged as a distinct workforce, thus introducing new challenges for organizations to maintain compliance.

Uncertainty arises regarding employee categorization, state-by-state laws, the Internal Revenue Service (IRS) and Department of Labor enforcement, and new labor laws taking effect in 2023. Organizations, in turn, must pay meticulous attention to the money flowing in and out of their business to ensure fiscal needs are met while concentrating on workforce management, employee compensation and compliance with labor laws.

Why Is Compliance So Critical to Business?

Labor compliance-related cases are complicated, time-consuming, and can result in significant monetary and non-monetary damages to companies. If an organization is found to be non-compliant with local labor laws, then the financial penalties and fees levied can be substantial. However, the losses are not limited to just fees and penalties as non-compliant businesses are always at a greater risk of reputational damage, loss of revenue, security breaches, loss of productivity and more.

In fact, the cost of non-compliance is estimated to be over three times higher than the cost of compliance. As per a study conducted by the Ponemon Institute and GlobalScape, the annual cost of non-compliance to businesses is now estimated at an average of $14.8 million, a 45% increase since 2011.


A potential recession is around the corner. Employees are no doubt scrutinizing their paychecks with a keener eye as inflation courses through the United States, and cost of living crises ripple across the United Kingdom and elsewhere. This fact underlies how organizations might lose a lot of money simply by being non-compliant.

Upcoming New Labor Laws Across the USA in 2023

In the new year there are a number of new labor laws that will affect millions of workers and their employers in the USA. One such change to look out for in January 2023 is the increase in the minimum wage in many states. Though the federal rate will be steady at $7.25 per hour, some states have established their own increases. For instance, the minimum wage rate in California is rising to $15.50 per hour in the new year for workers in businesses of all sizes. In fact, employees will also have the right to know the pay rates for their current job or an open job posting.

Keeping pace with the rapidly evolving changes in compliance is a major challenge. Organizations require a modern digital system to support their compliance needs. The system must track and ensure compliance with federal and state labor legislation, local ordinances, and company policies. Any gap in compliance can lead to costly litigation, and lack of transparency around the compliance records can result in an expensive lawsuit.

Technology Helps Organizations Stay Compliant

Many organizations struggle to comply with government regulations like the Fair Labor Standards Act (FLSA) or financial regulations like the Sarbanes-Oxley Act (SOX). This is because overtime and premium pay legislation varies widely by area or region, requiring a great deal of meticulous, time-consuming record keeping. The manual processes that most organizations employ are too slow and prove to be more of a hindrance to compliance than an enabler.

Organizations that want to reduce their risk of non-compliance and exposure to expensive litigation must employ a single platform that assists with managing the crucial facets of regulatory compliance. Organizations must accurately track employee time while handling other business regulations, such as overtime, time-off, and meal breaks.

Additionally, organizations should be able to handle time and pay records that may be submitted in case of an audit. Besides, businesses need to achieve 100% global labor law compliance across geos because being 99% compliant is not enough.

Risk Mitigation and Managing Compliance Is a Continuous Process

Compliance is not a one-and-done program. Maintaining compliance with state, federal and international labor laws is of utmost importance while proactively and continuously monitoring legislative changes, trends, and new court rulings. The economic forecast shows a bumpy road ahead, affecting the revenue inflow, profitability, demand and operational changes.

Having a foolproof digital compliance solution will lower the risk of non-compliance by streamlining and automating an organization’s time-tracking process, decreasing potential errors, and providing essential visibility and reporting.

Organizations can also eliminate the problem of time theft by gaining real-time visibility into overtime, time-off, and other policy uses and abuses, supporting all employee types: full-time, hourly, part-time, salaried, and independent contractor. A complete compliance program can also improve the productivity and efficiency of an organization and its global workforce.

Lakshmi Raj is the Co-CEO of Replicon. She has extensive experience in web-based marketing and was instrumental in providing global visibility for Replicon’s product. Prior to starting Replicon, she worked as a software engineer for Verity (formerly known as FTP Canada).


Cybersecurity Threats And HR

3 steps HR can take to build a human firewall against cybersecurity threats

Security of data remains one of the central threats to almost every business, regardless of size, industry, or location. There is, sadly, no company too large or too small to potentially suffer the impacts of a data breach or the disruption of ransomware attacks. Worse, as states begin to tighten controls and penalties around privacy, the pressure to keep data safe is only growing. The costs of a breach can be extremely damaging – according to IBM, the average cost of a breach for a healthcare provider last year was over $10M.

Despite the highly technical nature of many security systems, it is also clear from the analysis of breaches in the past decade or more that HR actually has a strong and central role to play in keeping their business out of the headlines.

The reason is that most attackers do not target technical vulnerabilities (weaknesses in existing systems and the networks that connect them) but rather the far more fallible and available humans who use them.

This is why attacks like “Phishing” (where people are targeted with a bogus message to get them to respond or download dangerous software) or compromising email accounts remain the most common forms of a successful attack.

People, as we all know, make mistakes. Worse, we are trained and motivated in a work environment to be responsive and helpful. Want to sneak into the network? Pretend to be an important executive on the road who has forgotten their password, and send a quick text to their admin asking for help. It works, and attackers ruthlessly exploit both our wish to be helpful and the busy nature of our day.

The best defense, then, is a workforce that can take a moment, recognize a bogus email or a suspicious document, and contact their security team first. And that requires a workforce that has been prepared.

No army goes into battle without training and equipping its troops, and that is exactly how HR professionals must now think of their employees: as troops headed into a battle against an adversary, who may be lurking around the corner or across the globe. Indeed, security experts will tell you that preparing our employees is probably the most important (and most neglected) element of any good security program. Security teams have been talking about building “the human firewall*”, educated and enabled employees who can spot and defeat an attack, for decades.

So how can HR help? There are three essential steps to building a human firewall.

Step one is to make sure there is a commitment from senior stakeholders to implement security training. This is essential because regardless of who gives the training (and there are plenty of external companies with ready-to-go training materials) it will not matter if senior leadership does not believe it is important enough to invest in and enforce.


Step two is to make sure companies have the right training in place, and it is clearly communicated. While some security awareness is important to every business (for example, how to recognize fake emails asking for information or to click on attachments) other training might be more specialized, such as dealing with personal and protected information for a healthcare company. Leaders can get the training sourced, and in place, and then communicate and enforce participation. This is where step one really pays dividends. Everyone is busy, so if HR has the backing of senior leadership, it is much easier to ensure busy employees take the time to actually engage with and take the training course.

Step three is the hardest part: stick with it. Security awareness and good habits are like any learned skill – they need regular reinforcement. Many initial security efforts fail because they are not repeated and measured and enforced. So a constant and regular set of evaluations and training is critical to maintaining a good security stance for employees. HR needs to make sure it’s part of every new hire process, and track and measure who attends, who passes, and going back to step one, have the ability to make even the busiest employees pause in the day and take the training. Typically, this would be every six months or so, but for more highly regulated industries it could even be quarterly.

Securing systems and information is not easy. Attackers constantly look for and develop new ways to breach defenses and either insert bad software, such as in a ransomware attack, or steal data to sell or use for other attacks. Nevertheless, the first, and most likely target will be employees themselves. So preparing them to be that “human firewall” is not only the best defense, but it could also save a business a lot of heartache, embarrassment and money.

HR teams have therefore become critical in keeping their employees informed and ready to do battle out there in the cyber-wilderness: motivated, trained and equipped with the knowledge to make a business a difficult place for attackers to get a foothold.

*If you’re wondering, a firewall is a security technology that is often the first line of defense against an attacker trying to sneak into your network; it acts like a gatekeeper for any computer trying to connect (and often for any trying to send information out, too).

Geoff Webb is the VP of Solution Strategy at isolved

How HR Can Protect Employers From Privacy Claims Under CPRA

A guideline for human resources professionals to ensure compliance

At a time when businesses are under attack from the outside, they must also protect themselves from opening the door to employee claims under the California Privacy Rights Act (CPRA).

For many California employers, compliance with privacy laws, such as the CPRA¹, inevitably falls on human resources professionals.

This article provides an overview of the CPRA and guidelines for human resources professionals to ensure that their business is protected from litigation. The California Privacy Protection Agency (CPPA) is set to start enforcement on July 1, 2023, and individuals will also have a private right of action expanding the scope of litigation against employers by disgruntled former employees.


Covered California employers need to take active measures to protect their employees’ personal information and other data, as well as timely respond to employees’ requests that relate to such information.

Which California Employers Are Covered?

Any business with California employees that meets the coverage test should ensure compliance with the CPRA. Most businesses, even small businesses, are covered by the CPRA since the revenue threshold is $25 million. In addition, employers that buy, sell, or receive personal information of 100,000 or more consumers on an annual basis (for commercial purposes), and employers that derive fifty percent or more of their annual revenues from selling consumers’ personal information are also covered.

While these tests appear to be straightforward, the government interprets “sale” to include obtaining any benefit from sharing personal information or other data gathered from the internet, such as discounts, advertising, or other benefits that are not typically viewed as financial transactions.

The CPRA requires covered employers to provide privacy notices to applicants and employees and to take active steps to protect personal information routinely collected during employment.

Personal Information and Sensitive Personal Information Defined

Personal information includes: real name, address, social security number, IP address, geolocation, internet activity, personal characteristics, behavior, religious or political affiliations, sexual preferences, employment and educational data, financial and medical information.

Sensitive personal information is a subset of personal information that is considered to be more sensitive in nature. Sensitive personal information includes: identifying information that is not publicly available (Social Security number, driver’s license number, state ID card, or passport number); log-in information, financial account information; precise geolocation; racial, ethnic origin, religious or philosophical beliefs; union membership; emails, mail, text messages (unless the employer is the intended recipient); genetic information; biometric information (facial recognition and fingerprint); health information; sexual preference or information concerning sex life.


Personal information and sensitive personal information are routinely collected from employees, either at onboarding or later on during the course of employment and benefits associated with employment. Indeed, many employers may not be aware of the full scope of information that they collect as some of the information may reside in computers and other electronic systems that employees access and utilize for their personal convenience.

Attack Plan to Comply with the CPRA

Even if your business is not, yet, in compliance, do not despair but start taking steps to comply. Regulators will be more lenient with a business struggling to get into compliance than with a business that ignores CPRA. Many employers do not have a privacy officer or team to facilitate compliance with the CPRA, and because human resources professionals are trained at handling employee information, the task of complying with CPRA naturally falls on human resources with assistance from the IT and cybersecurity team.

Data Mapping

As a starting point, employers should create a “data map,” which is conceptually like a flow chart that tracks how personal information is collected, processed, maintained, and utilized. As a company evolves and grows, data mapping is an ongoing effort and should be updated at least annually. The key questions to understanding the extent to which a business collects employees’ personal information and data are: (i) What personal information is collected? (ii) Where is data stored? (iii) With whom is data shared? (iv) Retention plan; and (v) What is data used for?

Privacy Notice

Employers should also provide a privacy notice to all applicants and employees specifying what personal information is collected and for what purposes. Employees must be informed of their rights to obtain a copy of their own file, delete, and correct their personal information. Explicit consent from employees is needed if a business decides it wishes to use employees’ personal information for a different purpose than that which is listed on the notice. The notice should provide employees with the contact information of appropriate personnel if employees or applicants seek to delete or correct their information.

Privacy Policy

In addition to the privacy notice, employers should consider incorporating a privacy policy into their employee handbook. The privacy policy should provide relevant information about the CPRA, a summary explaining employers’ use of employees’ personal information, confirmation of whether employers sell or share the personal information with third parties, data retention period, and employees’ rights to opt out, delete, or correct their personal information.

Any employers with a privacy policy related to the use of a company’s technology and devices should revisit existing privacy policies to reconcile any inconsistencies. And, importantly for HR professionals, the contact information of personnel enforcing the policy.

Training a Privacy Officer

It is no surprise that the CPRA requires covered employers to train a privacy officer/personnel to be familiar with a company’s privacy practices. This privacy personnel should be familiar enough with the CPRA to answer questions employees may have, including how and why personal information is collected, with whom personal information is shared, and channels for employees to submit their requests to opt out, delete, or correct personal information.

This privacy officer should work closely with human resources, legal, IT, and cybersecurity teams to stay up to date on a company’s privacy practices. This privacy officer should visit regulatory agencies’ websites (i.e. the CPPA) and subscribe to law firm blogs with privacy practices for updates.

Revisiting Third Party Contracts

Lastly, employers need to revisit their service contracts with third parties to ensure that when employees’ personal information is shared, third parties must not use such information for unauthorized purposes. In some situations, third parties may have their own service providers with whom they share employees’ personal information, so there could potentially be multiple layers of obligations.


In many cases, an employee’s request to delete or correct personal information must be forwarded to these third parties to ensure compliance. As the new year just started, the third party contracts should be revised to reflect compliance with the CPRA.

The CPPA

The CPPA issued proposed regulations in July 2022 and modified regulations in November 2022, and it anticipates the final regulations to go into effect in April 2023. Enforcement begins on July 1, 2023, and under the CPRA, there is a private right of action such that employees may bring lawsuits against their employers.

So far, the proposed regulations emphasize notice, explicit consent for unintended use of personal information, easy opt-out, and third-party liability. A company’s attack plan above will serve as a starting point to help your organization get into compliance.

It appears that the CPPA will target its enforcement efforts against online advertising businesses, loyalty programs and other businesses that gather consumer data, as well as entities that consumers and employees complain about, whether those complaints are directed to the CPPA or located on social media.

Conclusion

By acting now, California employers will minimize the risk that they will become the target of an investigation from a nascent agency or litigation driven by employment or consumer lawyers, who will be awarded attorneys’ fees under the private right of action provided by the CPRA.

Footnote:

1 The CPRA, effective January 1, 2023, amended California’s Consumer Privacy Act (CCPA). This article references the CCPA and CPRA collectively as CPRA.

Dan M. Forman is a Partner, and Linda Wang is an Attorney at CDF Labor Law LLP.

Combat Rising IT Security Costs With IT Asset Management

How to improve an organization’s overall security position

Pity the poor chief information security officer (CISO). On one hand, their needs are real: emergent cybersecurity threats are increasingly sophisticated and numerous. On the other hand, the cost of defending against these threats follows the same trajectory. Every organization’s resources are finite, but not investing in the right technology or tactics could place the organization in the same inauspicious gallery as Hollywood Presbyterian¹, Riviera Beach², or Colonial Pipeline³.

Then again, what other value-add IT services should be cut? There is one group inside the department that is in a position to help: IT asset management (ITAM). Few CISOs and cybersecurity professionals realize the “hand in glove” relationship ITSec and ITAM should have.

In 2016, an article published in a technology research magazine insisted up to thirty percent (30%) of a corporation’s software budget could be cut by implementing a software asset management (SAM) program⁴.

The article identifies three best practice activities that must be performed to achieve this remarkable return:

● Optimize Software Configurations — make sure to use the features and tools you pay for, and avoid paying for features and tools you do not use

● Recycle Software Licenses — remove unneeded software installations so the corresponding software license can be applied somewhere else

● Use SAM tools — invest in specialty license management systems that can accurately calculate complex software license rules and point out cost-saving opportunities

In many organizations, software-related expenditures make up a significant portion of the overall IT budget. Any reduction in that line item would fund a number of other projects, so IT security needs to present a good case to justify redirecting some of those funds to them.

Interdepartmental budget strategy sessions can be cutthroat, but most will respect the “Little Red Hen” rule: you only get the bread if you help with the baking. If our intrepid CISO is going to ask for a part of the savings ITAM can deliver, they need to demonstrate how their team, or tools, or data are actively helping in those three SAM practices.


Most ITSec professionals are familiar with the ISO/IEC 27000 standards, which require an “asset inventory” to be made of the corporate computing environment. The trouble is, the methodology of ISO 27000 focuses on information security management and does not provide the details and data attributes necessary for effective SAM. But dig deeper into the supporting standards and you will find ISO/IEC 19770⁵, which specifically addresses ITAM and SAM process requirements. Last updated in 2017, it contains a maturity model constructed of three tiers:

● Tier 1: Trustworthy Data — knowing what you have so that you can manage it

● Tier 2: Life Cycle Integration — achieving greater efficiency and cost-effectiveness throughout the asset life cycle (i.e., purchasing, inventorying, using, recovering, and disposing)

● Tier 3: Optimization — achieving greater efficiency and cost-effectiveness across functional management areas

In typical fashion, the ISO/IEC standards do not describe how “trustworthy data” is obtained or derived, but do describe four processes where ITAM will find “trustworthy data”:

● Change Management

● Data Management

● License Management, and

● Security Management

This makes sense; if IT security is maintaining an asset inventory (as mandated by ISO 27000), why not harvest relevant parts of their data to build out an asset inventory for a SAM tool just like one prescribed in the aforementioned Gartner article?

Fig.1 — ITAM Tiers

Is that enough, though, for a typical CISO to claim a portion of the ITAM savings for their own expenditures? Maybe not, but let us consider the second cost-saving source from the Gartner article: recycling software licenses. Typical security vulnerability tools are licensed by either the software agents deployed and installed on objects discovered within the computing environment or by total found objects discovered in a passive sweep of IP address ranges. Unfortunately, IT security might not catch and remove retired, duplicated, or incorrect records from its own asset inventory lists.

That, in turn, risks an over-count of needed licenses and an over-charge to IT security’s budget. However, if IT security partners with ITAM and purges recovered and disposed asset inventory records from its vulnerability tools, the overall total cost of ownership for IT security’s tooling can be significantly reduced. And those savings will unarguably return to IT Security.

The final factor — optimizing software configurations — might seem like a stretch, but IT security does have a say in the matter. Consider this example: while advising a client a few years ago, the IT security department identified a number of high-risk security vulnerabilities in the corporate-standard PDF viewer. The CISO recommended removing the standard-issued software outright before the next phishing attack successfully exploited the known bugs within the tool.

The IT service support team resisted, arguing re-platforming to the IT security recommendation would be too costly and could be rejected by the end-user community. The ITAM team stepped in, and identified a comparable tool with more features than currently offered (satisfying the end-users), with a better vulnerability score (satisfying IT security’s concerns), and at a total-cost-of-ownership of 60% less than the current PDF standard (more than covering the cost of deploying the new tool). The moral of the story: simply by engaging ITAM, the CISO was able to improve the security position of his organization without incurring any extra cost to his department or the rest of the organization.

Modern IT security initiatives are necessary and expensive. Smart CISOs should always be on the lookout for cost-reduction and spend-justification opportunities. Both best business practice proponents and independent researchers identify the IT asset management team as a willing partner. By working together, ITAM and ITSec can improve the overall organization’s security position and simultaneously reduce the overall cost of ownership for IT.

Footnotes

1 “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating”, 18Feb2016, Los Angeles Times

2 “How Riviera Beach left the door wide open for hackers”, 21Jun2019, Palm Beach Post

3 “Cybersecurity Attack Shuts Down a Top U.S. Gasoline Pipeline”, 8May2021, NPR

4 “Cut Software Spending Safely With SAM”, 16Mar2016, Gartner ID: G00301780

5 International Standard ISO/IEC 19770 — Information technology, asset management, Third edition 2017-12

Jeremy L. Boerger, an ITAM coach, is the Founder of Boerger Consulting. He also speaks professionally to pass along his 20+ years of experience to the next generation of ITAM and SAM professionals. His book, “Rethinking Information Technology Asset Management,” is available in paperback and as an ebook.

How To Beat The High Cost Of Employees’ Life Insurance Policies

InsurTech can help reduce the cost of insurance underwriting

It’s hard enough to attract good employees these days. For many companies, it’s proving even harder to hold onto them.

As businesses search for ways to retain valuable employees, they often think about expanding their benefits. And for good reason. Roughly 50% of employees see benefits as one of the top factors influencing their decision to stay or leave their current jobs.

Life insurance is one benefit that can help employers stand out from the crowd. Offering life insurance to employees can help them feel that you genuinely care about them and their families. Unfortunately, most basic group life insurance policies have fairly low coverage. The financial protection such policies may offer employees’ families or dependents is very limited.

While many employers allow workers to purchase supplemental life insurance to raise their coverage, the approval process can take weeks and be fairly expensive, mainly because underwriting is a complex and expensive process for insurers. Processing a single life insurance policy can cost up to $2,500, depending on the complexity and policy parameters, and underwriting is a high percentage of that cost.

In other words, expensive underwriting drives up the overall cost of an individual or supplemental policy. This high cost is what keeps two-thirds of uninsured Americans from getting coverage. If businesses hope to decrease that number and provide affordable insurance options for employees, they need to uncover the root cause of these high costs and find ways to bring them down.

Plus, as the world emerges from the Covid shutdown, this is an especially good time to address the problems in the life insurance industry. Roughly a third of consumers have said they are more likely to buy life insurance now than when the pandemic began.

Why Is Underwriting Expensive?

So, why is life insurance underwriting so expensive? Well, because it is not an easy thing to do. Underwriting is how insurers determine whether someone is eligible for insurance and how much the premiums will cost. Therefore, an underwriter needs to be an expert who can dig into mounds of data to determine the level of risk for an insurance prospect. Finding and sorting through all the relevant data needed for an accurate assessment takes time and effort, so hiring a good underwriter tends to be expensive.


Here is how the process usually works: A life insurance agent reviews a prospective client’s application to confirm any information if necessary. Then the policy goes to underwriting. The underwriter may have additional questions beyond the initial application, and they will likely need information from third-party medical sources. But getting the data can take a lot of time and effort, especially since the health care industry as a whole has been overwhelmed since the outset of the pandemic. After collecting all the relevant data, the underwriter has to apply expertise and personal judgment to determine the outcome.

In all, the process could take weeks or months and require dozens of hours of effort for an experienced and highly-trained underwriting expert. Thus, underwriting for life insurance is unusually labor-intensive and time-consuming: i.e. expensive.

Hurdles for Insurers

One way a lot of insurers have tried to bring down underwriting costs is through accelerated underwriting, which eliminates the need for a medical exam. The convenience of this process is very appealing. About half of Americans say that they are more likely to buy life insurance with simplified underwriting compared to the traditional underwriting process.

But since simplified underwriting does not pull together the same kind of data as traditional underwriting, it brings more risk to insurers. To offset the risk, some life insurance companies charge more for policies based on accelerated underwriting, which means these companies are in effect reducing insurance options for individuals with limited financial means.

Because of the increased risk, not every insurer offers accelerated underwriting, so many policies still require an exam and extensive medical data. So, despite the length and complexity of the traditional underwriting process, it continues to be the backbone of life insurance today.

Traditional underwriting has additional issues beyond its cost. For example, personal bias will always be a part of traditional underwriting, since it is all up to the individual underwriter how much the policy costs and whether or not an individual is qualified. This raises all kinds of issues regarding the fair treatment of people across gender, race, socioeconomic status, and other demographic categories.

Can Insurers Solve the Issue?

These problems have led many people, both within the industry and from the consumer side, to call for replacing traditional underwriting with a process that is data-fueled and automated. Change will not come easily in such an entrenched industry, but one major factor effecting change will be the rise of insurtech companies — carriers that rely on cutting-edge technology to provide insurance. As a result, life insurance may become more accessible to millions.

Automated underwriting based on AI and machine learning algorithms can save much time and effort. Insurtech companies have already started using automation and artificial intelligence for claims processing, thereby reducing the amount of manual work required by around 80% and cutting processing time in half. Applying the same kind of automation to underwriting could allow insurers to collect and process large amounts of data with ease.

What is more, the objectivity and faster processing speeds of automation and AI may help remove bias from the underwriting process. Questions remain, however, about whether automated underwriting could increase risk for insurers through inaccuracies or inadequate data sources.

Data-fueled automated underwriting may be particularly helpful for creating better group life insurance offerings through employers. This is where businesses and HR can help bring down costs. Insurtechs are fueled by data, and businesses generally have a lot of that employee data on hand already. Because that data is generally high quality and reliable, it helps reduce the risk for insurers.


The result could be a dramatically accelerated underwriting process for group life insurance plans — and, in the future, enhanced individual plans that employees can opt for to increase their coverage, offered through partnerships between insurers and individual companies.

So in the end, reducing the cost of life insurance underwriting comes down to big data.

Underwriting pulls in data from a vast number of sources and then an underwriter has to make a decision based on all that data. But by leveraging automation, AI, machine learning, and data sources provided by employers, insurers can largely automate underwriting while keeping estimates accurate, keeping premiums relatively low, and cutting down on work hours for insurers and insurance agents.

There is no easy answer to the high costs of underwriting in a huge industry that is slow to adopt new technologies. Still, insurtechs have already started to lead the way. The technology is available. Providers that make use of automated underwriting and leverage big data can reduce costs and thereby make insurance more accessible to a wider client base.

Bob Gaydos, an insurance expert, is the CEO of Pendella