April 2024 – Protecting Your Data – Deepfake Technology Used to Fool Employees


THE NEWEST cyber and financial fraud threat facing businesses is deepfake technology, which criminals are using to extract money from unsuspecting accounts payable personnel.
A finance worker at a multinational company in Hong Kong was duped into transferring $25 million to criminals who had used deepfake technology to pose as the business’s chief financial officer during a video conference call, according to local police.

A deepfake is an artificial image or video generated by a special kind of machine learning called “deep” learning. The creations have grown increasingly sophisticated and harder to detect.

How it happened

The worker received an e-mail from what he thought was the company CFO, inviting him to attend a teleconference with him, other company executives, and staff, according to Hong Kong police. The digitally recreated version of the CFO then ordered money transfers during the video conference call.
Based on instructions the employee got during that call, he transferred 200 million Hong Kong dollars ($25.6 million) to various Hong Kong bank accounts in a series of transactions.
The employee did not interact with the deepfakes during the video conference, and he later told police that others on the call looked and sounded like people he knew in the organization.
In fact, all of the other people on the call were fakes of real people in the company. The criminals had used deepfake tech to alter publicly available video and footage found online to create convincing digital versions of the others in the meeting.
Police said that the case was one of several recent incidents in which criminals had used deepfake technology to change publicly available video and other footage to steal from people and companies.

Warning to US businesses

This type of attack is essentially an extension of wire transfer fraud, a threat that’s been growing in recent years.
These scams usually start with e-mails or even phone calls from scammers posing as someone higher up in an organization, a client or vendor. The end goal is to convince an employee with access to the company’s payment systems to transfer funds to the criminals.
Deepfake technology adds a dangerous new arrow to wire transfer fraud criminals’ quivers, making the scam even easier to fall for.
To avoid being victimized, the law firm of Fisher Phillips recommended in a November 2023 blog that businesses:

Provide deepfake training to staff. You should already be training and providing refresher meetings on preventing cyber attacks of all sorts. Consider educating them about the dangers of deepfakes and provide the Hong Kong case as an example. Cover ways to spot deepfakes, including:
• Blurry details,
• Irregular lighting,
• Unnatural eye and facial movements,
• Mismatched audio, and
• Absence of emotion.

Urge staff to be suspicious. Your employees should be able to comfortably question the legitimacy of information and be urged to report suspicious activity.
Use strong authentication protocols. Put in place robust measures — like multi-factor authentication and similar tools — for accessing sensitive information and systems.

Insurance coverage

If your organization has a cyber insurance policy, it might cover a wire transfer fraud loss. The coverage provided by cyber insurance can vary significantly between insurance companies and policies. Some cyber policies may explicitly cover wire fraud, while others require additional endorsements or riders to provide adequate protection.
A commercial crime policy will cover losses resulting from the use of a computer to fraudulently transfer funds from inside the business premises or the insured’s bank to an outside party.
However, policies may only offer coverage if an employee was fraudulently involved in the wire transfer fraud. This type of funds transfer fraud is basically the only computer-related coverage that a crime policy offers.


January 2023 – Ransomware Fallout – Firms That Pay Ransom Often Hit Again


A new report found that one-third of companies that are hit with ransomware and pay the hackers to unlock their systems are likely to be targeted a second time.

And after they pay, they are often faced with significant consequences, including system rebuilding costs, their data still being leaked and financial consequences, according to the “2022 Cyber Readiness Report” by Hiscox. The eye-opening results of the study come as the number of businesses hit by cyber attacks continues growing.

Considering the potential damage to your organization if your systems are compromised in the aftermath of a ransomware attack, even if you have cyber insurance to pay recovery costs, it’s best to take steps to thwart attacks in the first place.

More than ransom

It’s clear that paying a ransom often doesn’t mean the recovery for an affected business will be smooth, according to the report, which covers the poll results of 5,000 organizations.

The risk

Nearly half (47%) of firms reported that they had been hit by a cyber attack during the past 12 months, up from 40% in 2021. Of those who were attacked, 17% were ransomware victims.
The median cost of an attack has risen 29% to just under $17,000.
Small firms can no longer expect to fly under the radar as the criminals increasingly have them in their sights.

 

What you can do

Some firms have little exposure to a cyber attack, particularly if they don’t handle customer data or are not tech-driven operations. Each firm has a different exposure level.
For companies that have cyber exposure, protecting their organization requires a multi-pronged approach that includes cyber insurance and strong data security protocols.
Cyber insurance may cover the cost of a paid ransom as well as recovery and rebuilding costs. If your organization has exposure, please give us a call to review your risk and see if cyber insurance is right for your business.

Besides that, Hiscox recommends taking a number of steps to protect against an attack and be able to recover from one faster:

  1. Keep all of your software up to date, including installing all the latest security patches.
  2. Frequently back up your data on a server that is not hooked up to the cloud.
  3. Train workers on how to recognize and avoid common social engineering attacks that criminals use to trick them into revealing sensitive information about themselves or their company.
  4. Teach your staff how to detect potentially dangerous e-mails that try to get them to click on a malicious link that can unleash ransomware or other malware.

January 2023 – Top 10 California Laws, Regs for 2023


A slew of new laws and regulations that will affect California businesses are taking effect for 2023.

Last year was a busy one, with ground-breaking new laws on employee pay disclosures, a law prohibiting discrimination against cannabis-using employees and another expanding the circumstances when employees can take leave to care for a loved one. The following are the top 10 laws and regulations that employers in the Golden State need to stay on top of.

1.  Pay disclosure

This sweeping law in part requires more disclosure of pay information by employers. Under current law, employers are required to provide the pay scale for a position upon reasonable request by a job applicant. SB 1162 goes a step further by:

  • Requiring employers, upon request by a current employee, to provide the pay scale of the position they are employed in.
  • Requiring employers with 15 or more workers to include pay scale in any job postings for open positions.
  • Requiring employers to maintain records of job titles and wage rate history for each employee while employed for the company, as well as three years after their employment ceases.

Note: The law defines “pay scale” as the salary or hourly wage range that the employer “reasonably expects” to pay for the position. Penalties range from $100 to $10,000 per violation. This law took effect Jan. 1, 2023.

 

2.  State of emergency and staff

This new law, SB 1044, bars an employer, in the event of a state of emergency or emergency condition, from taking or threatening adverse action against workers who refuse to report to, or leave, a workplace because they feel unsafe. “Emergency condition” is defined as:

  • Conditions of disaster or extreme peril to the safety of persons or property caused by natural forces or a criminal act.
  • An order to evacuate a workplace, worksite or worker’s home, or the school of a worker’s child due to a natural disaster or a criminal act.

SB 1044 also bars employers from preventing employees from using their mobile phones to seek emergency assistance, assess the safety of the situation or communicate with another person to confirm their safety. The law, which took effect Jan. 1, 2023, does not cover first responders and health care workers.

 

3. Cannabis use and discrimination

This law bars employers from discriminating in hiring, termination or other conditions of employment based on employees using cannabis while off duty. The bill’s author says the legislation is necessary because THC (tetrahydrocannabinol), the active ingredient in marijuana, can stay in a person’s system after they are no longer impaired. As a result, drug testing may detect THC in an employee’s system even if they used it weeks earlier and it is having no effect on their job performance. AB 2188 does not require employers to permit employees to be high while working. The bill would exempt construction trade employees and would not preempt state or federal laws that require employees to submit to drug testing. This law takes effect Jan. 1, 2024.

4.  Leaves of absence

The California Family Rights Act and the state’s paid sick leave law allow employees to take leave to care for a family member, defined as a spouse, registered domestic partner, child, parent, parent-in-law, grandparent, grandchild or sibling. The definition has been expanded to include “any individual related by blood or whose association with the employee is equivalent of a family relationship.”

5.  Contractor workers’ comp

Starting July 1, the following contractors must carry workers’ compensation coverage regardless of whether they have employees:

  • Concrete (C-8 license)
  • Heating and air conditioning (C-20)
  • Asbestos abatement (C-22), and
  • Tree service (D-49).

Starting Jan. 1, 2026, all licensed contractors must have coverage.

6.  OSHA citation postings

Under current law, employers that receive citations and orders from OSHA are required to post them in or near the place the violation occurred, in order to warn employees about a potential hazard. Starting Jan. 1, 2023, they must post the notice not only in English, but also: Spanish, Chinese (Cantonese, Mandarin), Vietnamese, Tagalog, Korean, Armenian and Punjabi.

7.  Permanent COVID standard

Cal/OSHA has a permanent COVID-19 prevention standard that will sunset in 2024. The new standard, which replaces the temporary emergency standard the agency had implemented, should provide more certainty for prevention procedures and practices. Here are the main takeaways:

  • Employers are no longer required to pay employees while they are excluded from work due to COVID-19, or to screen employees daily.
  • Employers must still notify and provide paid testing to employees who had a close contact in the workplace.
  • Employers can now incorporate written COVID-19 procedures into their Injury and Illness Prevention Programs.

8.  CalSavers expanded

SB 1126 requires any person or entity with at least one employee to either provide them with access to a retirement program like a 401(k) plan or enroll them in the state-run CalSavers program. Prior to this new law, only companies with five or more employees that did not offer a retirement plan were required to enroll their workers in CalSavers.

9.  Bereavement leave

Employers with five or more workers are required to provide up to five days of bereavement leave upon the death of a family member, under a new law starting in 2023. This leave may be unpaid, but the law allows workers to use existing paid leave available to them, such as accrued vacation days, paid time off or sick leave. Employers are authorized to require documentation to support the request for leave.

10.  PFL wage replacement

This law was passed last year but does not take effect until 2025. Existing California law allows employees to apply for Paid Family Leave and State Disability Insurance, both of which provide partial wage replacement benefits when employees take time off work for various reasons under the California Family Rights Act. Starting in 2025, low-wage earners (those who earn up to 70% of the state average quarterly wage) will be eligible for a higher percentage of their regular wages under the state’s PFL and SDI benefit programs.


July 2022 – Privacy Liability – Companies Bleed Data as Workers Move It Offsite


THE MORE employees are working from home, the greater the risk that their employers’ sensitive data is also being stored on their poorly secured devices and laptops.
A new study by Symantec Corp. found many workers are sharing, moving, and exposing sensitive company data as part of carrying out the requirements of their jobs, and they may not realize they could be compromising the information or that what they are doing is wrong.
More worrisome, the study found that half of all employees surveyed who left or lost their jobs in the prior 12 months had kept confidential company data. When that happens, the departing worker, your company, and the new employer are all put at risk.

Worse still, the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it. “In most cases, the employee is not a malicious insider,” writes Symantec, “but merely negligent or careless about securing IP. However, the consequences remain. The IP theft occurs when an employee takes any confidential information from a former employer.”

What you can do

Symantec suggests attacking the problem from multiple angles:
• Educate employees – You should take steps to ensure that IP migration and theft awareness is a regular and integral part of security-awareness training. Create and enforce policies dictating how they can and cannot use company data in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Also, new employees must be told that they are not to bring data from a former employer to your company.

• Enforce non-disclosure agreements – If you have not done so already, you need to craft new employment agreements to ensure they include specific language on company data.
They should include language that the employee is responsible for safeguarding sensitive and confidential information (and define what that is).
For employees that are leaving your employ, conduct focused conversations during exit interviews and make sure they review the original IP agreement.
Include and describe, in checklist form, descriptions of data that may and may not transfer with a departing employee.

• Track your data – You need to know where your data is going and how you can find out by using monitoring technology. One option is to install data-loss-prevention software that notifies managers and employees in real-time when sensitive information is inappropriately sent, copied, or otherwise improperly exposed.
Also, introduce a data protection policy that monitors inappropriate access or use of company data and notifies the employee and you of violations.
This increases security awareness and deters theft. When you know how data is leaving your company, you can then take steps to prevent it from seeping out.


April 2022 – Growing Threat – Funds Transfer Fraud Hits Small Firms the Hardest


WHILE RANSOMWARE is making the headlines as the major cyber threat, small and mid-sized businesses are increasingly being targeted by lower fraud that dupes them into wiring criminals funds, according to a new report.

These funds transfer fraud crimes involve hackers gaining access to a firm’s mailbox and extracting payments that go into their accounts. Companies should have in place proper systems safeguards to combat these attacks, and that includes regularly training staff on how to identify these attempts to steal funds.

How it works

Criminals will often try to penetrate your servers by sending “spearphishing” e-mails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. They may also send malicious e-mails in the hope that an employee clicks on a bogus link. The link then releases malicious software that infiltrates company networks and gains access to legitimate e-mail threads about billing and invoices.
Once the criminals have access to your business mailbox, they can manipulate your contacts and modify payment instructions. They may also use their access to your systems to send e-mails that appear to come from a known source making a legitimate request.

Insurance options

The best option for coverage is a commercial crime insurance policy. Most of these policies cover acts like:
• Employee dishonesty
• Computer and funds transfer fraud
• Forgery or alteration
• Money and securities theft
• Theft of client’s property.

Some policies may exclude funds transfer fraud, or they may have lower sublimits for such acts. In such cases you may need to get a policy extension to cover the risk. There is also cyber liability insurance, which covers direct losses resulting from cyber crime. But these policies will often exclude coverage for social engineering attacks, which are the kinds that the criminals behind funds transfer fraud use. You may be able to purchase a rider to your cyber liability policy that would cover these crimes.


Jan 2022 – CYBER THREAT – Software Security Hole Puts Firms at Risk


THE FEDERAL government is warning that a newly discovered computer software vulnerability poses a major threat to the security of computer networks around the country.

Cyber criminals are exploiting holes in open-source code software commonly used in computer applications, websites and cloud services, which can allow them to seize control of a business’s computer network if preventative measures are not taken.

This is not a threat that businesses should take lightly as it could cripple your organization if your network is affected. If your firm is large enough to have dedicated IT staff, it should be their focus now.

 

The danger

The vulnerability lies in the Log4j software library, written in the Java programming language and created by the Apache Software Foundation. Many software vendors incorporate the Log4j software library into products such as websites, applications and cloud services to record network security and performance information.

It is likely that some of the software your business uses is built around Log4j. It runs on everything from cloud services to business enterprise software to internet-connected devices such as security cameras.

The federal Department of Homeland Security, the National Security Agency and other agencies announced on December 10 that they were “responding to active, widespread exploitation” of the vulnerability.

They warned that, if a company’s software has this vulnerability, a criminal could take over the network and cripple the business.

 

VULNERABLE BRANDS
Software developed by these firms has the security hole:

  • Microsoft
  • McAfee
  • Hewlett Packard
  • IBM
  • Red Hat
  • Dell
  • Cisco
  • Adobe
  • Salesforce
  • Oracle

 

What you should do

Do not take this threat lightly. As stated above, if you have dedicated IT staff, make it their primary focus right now. Major software developers have reported that their products have the vulnerability.

You can find the full list of affected vendors and software here. Apache has published three software patches to address the problem since it became known. Software developers who use Log4j are likely applying the patches and making updates to their software available to business users.
If you receive notification about an updated version of software you are using, it should be installed promptly.

Companies that do not have their own IT department should contact computer network consultants as soon as possible to get advice on how to proceed.

The Cybersecurity & Infrastructure Security Agency has technical information on this threat on a dedicated website. IT experts should review the site’s content, take appropriate actions as soon as possible, and monitor the site for further updates to the situation.

In the meantime, system administrators should adjust the logging system’s settings so that it does not interpret data as computer code.

Antivirus software, using a virtual private network for remote access to the system, and being alert for phishing e-mails are also important protections. Sound network data security coupled with safe internet practices can protect your business’s systems and your ability to continue operating.

 


October 2021 – CONSTRUCTION INDUSTRY – Building Risks Evolve, Creating Unique Challenges


AS THE CONSTRUCTION industry booms, contractors face evolving risks that, left unchecked, can leave their operation exposed to new liabilities.
If you already operate a construction firm, you know that there is a labor shortage that has made it difficult to find experienced workers and that hiring entities are asking builders to take on more of the design function, as well.
Your liability picture has also likely changed with the increasing use of wrap-ups and, if you’re using technology in your operation, you now have rising cyber-security risks, too.

Lack of qualified workers

The bottom fell out of the construction industry in the U.S. during the first few months of the COVID-19 pandemic, and many worksites were idled. Now that the industry has found its footing, it’s been dealing with a severe labor shortage.
As construction firms struggle to find workers, the ones who are on the job are having to take on larger workloads, which can put them at risk of injury or making mistakes.
Also, many contractors are having to take on younger, less-seasoned laborers, who may lack the experience to identify and avoid hazards, which puts them and others at risk of injury. Those injuries in turn affect your workers’ comp premiums.
A lack of workers coupled with inexperienced new ones on sites can also end up drawing out projects, forcing contractors to miss deadlines.

Professional liability risks

As more project owners want an all-in-one job with the lead contractor designing and building the project, contractors now face a new type of risk: professional liability.

But the typical contractor’s insurance policy doesn’t provide protection for any design work you take on.
Courts have ruled that:

  • Designers who perform “builder activities” lose limitation of liability typically enjoyed by design professionals.
  • Builders who perform “design activities” assume responsibility for design deficiencies.

Wrap-ups more prevalent

Many construction projects are now covered under one general liability policy to cover the work of the general contractor, as well as of all the subs. More lenders are requiring that liability is set up in one all-encompassing policy.
A properly assembled general liability wrap-up should provide coverage not only during the construction period, but also up to 10 years after the work is completed. These policies often reduce the cost of coverage.

More cyber-security risks

Like all industries, the construction sector has grown increasingly reliant on technology to get the job done. That exposes contractors to a variety of cyber risks, including keeping project designs, client records and employee records confidential.
Many building contracts today include clauses requiring the contractor to be responsible for potential cyber breaches.
Given the increasing popularity of practices such as “building information modeling,” “integrated project delivery,” and file-sharing between participants in a construction project, contractors may be at increased risk of liability in the event of a data breach.


April 2021 – Social Engineering Crime – Business Compromise Scams Growing Fast


BUSINESS COMPROMISE scams that use both technology and a human touch to steal funds from businesses are growing as criminals engage in social engineering tactics to dupe unsuspecting employees.

Businesses have lost millions of dollars to social engineering scams, where attackers impersonate a company president or executive who is authorized to approve wire transfers to trick employees into transferring funds into a fake client or vendor account.

According to the FBI’s Internet Crime Complaint Center, in 2019 U.S. businesses were hit with an estimated 23,775 e-mail compromise scams that resulted in aggregate losses of $1.7 billion. Figures for 2020 are not yet available.

Vishing – or voice phishing – attacks have been growing. The FBI in January warned of an increase in vishing attacks targeting employees working remotely in the COVID-19 pandemic, and of the heightened risks companies face when network access and broadening of online privileges may not be fully monitored.

 

How to train employees

Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.

Remote workers should be vigilant in checking internet addresses, more suspicious of unsolicited phone calls, and more assertive in verifying the caller’s identity with the company, the FBI recommends.

When training staff, you should:

  • Explain what vishing and phishing are, how they happen, and what risks they pose on a personal and company level.
  • Explain the different types of phishing attacks.
  • Train your workers in identifying signs of phishing attacks, like e-mails with poor spelling and grammar, incorrect e-mail addresses (for example BobS@Startbucks.com), and fraudulent URLs.
  • Train your staff in recognizing phishing links, phishing attachments, and spoofed e-mails. Additionally, your employees should know what steps to take after they identify a threat.
  • Conduct simulations that send employees fake phishing e-mails. The results should be shared with them to show how they fell for the scam and the damage that being duped into clicking on a malicious link can cause.

 

Insurance

As vishing and business e-mail compromise scams increase, more employers are seeking to add coverage in their commercial crime policies.
Typically, these policies have been used to cover losses for internal theft, but lately, about 50% of claims are for losses related to phishing and vishing scams.
The price of social engineering coverage varies by risk and limit, but it can often be added to a crime policy as a rider.
One thing though: social engineering coverage will often have lower limits than a typical commercial crime policy. This is because of the risk of much larger financial losses than a company could expect from internal theft or white-collar crime perpetrated by an employee.

 

ADVICE FROM THE FBI

  • Consider instituting a formal process for validating the identity of employees who call each other.
  • Restrict VPN connections to managed devices only (meaning not on employees’ personal devices).
  • Restrict VPN access hours.
  • Employ domain monitoring to track the creation of or changes to corporate brand-name domains.

April 2021 – Cyber Insurance – As Attacks and Costs Mount, Rates Climb Higher


CYBER INSURANCE rates are going to increase dramatically in 2021, driven by more frequent and more severe insured losses, according to a recent industry study.

The report by global insurance firm Aon plc predicted that rates would jump by 20% to 50% this year due to two main factors:

 

1. Cyber attacks are becoming more frequent

While publicly disclosed data breach/privacy incidents are actually occurring less often, ransomware attacks are exploding in frequency.

Ransomware incident rates rose 486% from the first quarter of 2018 to the fourth quarter of 2020. The comparable rate for data breach incidents fell 57% during the same period. The incident rates for the two types of events combined rose 300% over the trailing two years.

 

2. The costs of these attacks are growing

The average dollar loss increased in every quarter of 2020. Ransomware attacks were particularly severe – many of them resulted in eight-figure losses. Others may grow to that level as business interruption losses are adjusted and lawsuits against insured organizations proceed.

The combination of more frequent and more costly losses is a recipe for higher rates.

Cyber insurance rates continued increasing in 2020, with rises of between 6% and 16% in the last four months of the year. In January 2021, most of the top 12 cyber insurance companies told Aon they were planning more drastic rate hikes. Nearly 60% reported that they would be seeking rate increases of 30% or more during the second quarter. None of them expected increases less than 10%.

 

New underwriting criteria

When insurers evaluate cyber insurance applicants, they will be particularly concerned with the organization’s overall cyber risk profile, its cyber governance and access control practices, and its network and data security. Prior loss history will be less important because the frequency of attacks is growing so quickly.

Some insurers may also cap how much they will pay for ransomware losses, or even exclude them entirely. They may also increase the waiting periods before coverage begins to apply.

 

WHAT BUSINESSES CAN DO

To improve your chances of getting more favorable pricing and coverage, the report recommends that you focus on:

  • Reducing the risk of cyber losses.
  • Measures to keep data private.
  • Building an internal culture of cybersecurity.
  • Preparing for ransomware attacks and disaster recovery planning.
  • How your contracts and insurance will respond to a supply chain security breach.
  • Understanding primary and excess coverage terms and communicating primary terms to excess insurers.

December 2020 – EMERGENCY REGULATIONS – COVID-19 Workplace Safety Rules Take Effect


THE CAL/OSHA Standards Board has approved new emergency regulations that will impose strict rules on employers to implement safeguards in order to reduce the risk of COVID-19 spreading in the workplace.

The sweeping rules extend the reach of protections to employer-provided housing and transportation, as well as imposing new reporting requirements on employers who have workers that contract the coronavirus. The new rules took effect Nov. 30, so employers need to ramp up immediately to comply with them.

HIGHLIGHTS OF THE NEW REGULATIONS

  • Physical distancing and mask-wearing are required unless it is not possible to wear masks on the job. If physical distancing is not possible, the employer would have to explain why.
  • Employers must provide face coverings and ensure they are worn by employees over the nose and mouth.
  • At fixed work locations where it is not possible to maintain physical distancing, the employer shall install cleanable partitions that effectively reduce aerosol transmission between employees.
  • Employers must implement cleaning and disinfecting procedures for frequently touched surfaces and objects, such as doorknobs, elevator buttons, equipment, tools, handrails, handles, controls, bathroom surfaces and steering wheels.
  • Employers will be required to have a written COVID-19 prevention program. Cal/OSHA will allow the program to be incorporated into an existing injury and illness prevention plan or be stand-alone.
  • Employers must identify and evaluate COVID-19 hazards with participation from employees, and then correct those hazards.
  • Employers must investigate cases among their employees. If they discover one of their staff has contracted COVID-19, they must notify all employees at a worksite who might have been exposed, within one day. Workers who may have been exposed must be offered COVID-19 testing at no cost.
  • Employers must report coronavirus cases in their workplaces to local health authorities.
  • Employers must maintain medical records related to COVID-19 and provide those records to the local health department, the California Department of Public Health, Cal/OSHA, and the National Institute for Occupational Safety and Health (upon request).
  • Employers must implement a system of record-keeping to track all COVID-19 cases in the workplace.
  • Employees with COVID-19 symptoms may not return to work until at least 10 days since symptoms first appeared, and not until after 24 hours have passed since the employee had a fever of 100.4 or higher and after all symptoms have passed.

There are even rules for disinfecting and cleaning employee housing and transportation if the company provides them. The regs also include provisions that are beyond the scope of workplace safety regulations, such as requiring employers to maintain employees’ earnings, seniority and benefits when they are off work because of COVID-19.

Key takeaways

The new rules took effect Nov. 30, so you will need to immediately prepare. You should:

  • Prepare for new record-keeping requirements,
  • Write COVID-19 prevention program guidelines,
  • Implement testing protocols according to the regulations, and
  • Prepare policies and procedures for notifying affected staff and others of possible COVID-19 exposure.
