THE $2 TRILLION Coronavirus Aid, Relief, and Economic Security (CARES) Act stimulus law has a number of provisions that employers and their workers need to know about and can take advantage of during this crisis.

The CARES Act aims to help workers and employers weather the outbreak by:
• Extending unemployment benefits.
• Requiring health plans to cover COVID-19-related costs.
• Providing Small Business Administration (SBA) emergency loans.
• Providing emergency loans for mid-sized and large companies.

Parts of the CARES Act will likely benefit your organization and employees in some way. Here’s what you need to know:

Extended unemployment

The CARES Act extends unemployment insurance benefits to workers, as long as they lost their jobs due to the outbreak.
Unemployment benefits under the CARES Act also apply to furloughed employees.
Workers in California will be able to collect both state unemployment and federal unemployment through the new law.
Under existing state law, workers who have lost their jobs can already receive regular unemployment benefits of between $40 and $450 per week, depending on their highest-earning quarter in a 12-month period beginning and ending before they apply for benefits with the state Employment Development Department. These benefits can last for up to 26 weeks.
The Pandemic Emergency Compensation program funded by the new law will provide an additional $600 per week on top of state unemployment benefits, through July 31.
The law extends state-level unemployment by an additional 13 weeks. For example, whereas most of California’s unemployment benefits last 26 weeks, the bill extends state benefits to 39 weeks.
The extended benefits will last through Dec. 31.

Health plan changes

Under the CARES Act, employer-sponsored group health plans must provide for covered workers – without cost-sharing or out-of-pocket expenses – the cost of COVID-19 testing, treatment and vaccinations when and if they become available.

SBA loans

In response to the Coronavirus (COVID-19) pandemic, small business owners are eligible to apply for an Economic Injury Disaster Loan advance of up to $10,000.
This advance will provide economic relief to businesses that are currently experiencing a temporary loss of revenue. Funds will be made available following a successful application. This loan advance will not have to be repaid.
This program is for any small business with fewer than 500 employees (including sole proprietorships, independent contractors and self-employed persons) as well as private non-profit organizations affected by COVID-19. You can find more information here.

And the law’s Paycheck Protection Program offers 1% interest loans to businesses with fewer than 500 workers. Borrowers who don’t lay off workers in the next eight weeks will have their loans forgiven, along with the interest. These loans are designed to provide a direct incentive for small businesses to keep their workers on the payroll. If small businesses maintain payroll through this economic crisis, some of the borrowed money via the PPP can be forgiven – the funds will be available through June 30. Act fast.

Mid-sized employers

Under the new law, the Secretary of the Treasury is authorized to implement financial assistance programs that specifically target mid-size employers with between 500 and 10,000 employees.
Loans would not have an annualized interest rate higher than 2% and principal and interest would not be due and payable for at least six months after the loan is made. But unlike loans under the PPP, these are not forgivable.

AS IF BUSINESSES didn’t have enough to worry about, online scammers have started sending out malicious e-mails to organizations about coronavirus that appear to be from business partners or public institutions. The criminals send these to rank and file employees in the hope that at least one of them will click on a link or attachment in the e-mail, which unleashes malware or tries to trick them into wiring money for supplies purportedly to protect the organization’s workers.

The number of malicious e-mails mentioning the coronavirus has increased significantly since the end of January, according to cybersecurity firm Proofpoint Inc. The company noted that this wasn’t the first time they had seen such widespread cyber attacks associated with some type of disaster. But because this is global in nature, it decided to track the new threat. This practice of launching cyber attacks that are centered around global news and outbreaks (like the current COVID-19 coronavirus) isn’t anything new. Cybercriminals have long employed these tactics to take advantage of users’ desires to keep as up to date with any new information as possible or to evoke powerful emotions (like fear) in the hope that their sentiments will get the better of them and they will not pause to check for the legitimacy of these e-mails.

The cybercriminals are using the public’s ignorance about coronavirus, as well as the conflicting claims of how to protect against it, to lure people into clicking on their malicious links or get them to wire money. Because people are afraid, their guards may be down and they may not be as careful about identifying the e-mail as dangerous.

Some real-life examples

• Japanese workers were targeted in January and February with e-mails that looked like they came from local hospitals. The messages even included legitimate contact information for key personnel. The e-mails were focused on employees of various companies and came in a message that would look like it’s a reply to something or a warning that people are getting from the government. But when they clicked, it was malware. E-mails were sent to companies in the transportation sector that looked like they came from an employee of the World Health Organization.
They included the WHO logo and instructions about how to monitor crews aboard ships for coronavirus symptoms, and they included an attachment with instructions. This phishing e-mail attack was
intended to lure individuals into providing sensitive data, such as personally identifiable information and passwords.
• Companies in the US and Australia have been receiving malicious e-mails that use a display name of “Dr. Li Wei” and are titled “CORONA-VIRUS AFFECTED COMPANY STAFF.”

What you can do

All that it takes to break into your business is a cleverly worded e-mail message. If scammers can trick one person in your company into clicking on a malicious link, they can gain access
to your data. It’s important to train your staff to identify suspicious e-mails. They should avoid clicking links in e-mails that:
• Are not addressed to them by name, have poor English, or omit personal details that a legitimate sender would include.
• Are from businesses they are not expecting to hear from.
• Ask you to download any files.
• Take you to a landing page or website that does not have the legitimate URL of the company the e-mail is purporting to be sent from.
• Include attachments purportedly with advice for what to do. Do not open them even if they come from relatives or friends.

IF YOU are operating a small business, you are likely relying on a small staff to get the job done. Many employees in small firms have to wear many hats and if one of them or an owner should die, the business could suffer greatly from that sudden loss of talent. If you don’t have “key man” insurance, that setback could be devastating to the viability of your operations, whereas coverage would provide you with extra funding that you would need while recovering from the loss. Keyman insurance is life insurance on a key person or persons in a business. In a small business, this is usually the owner, a founder or perhaps a few vital employees. These are the people who are crucial to a business – the ones whose absence would sink the company. You need key man insurance on those people.

Key man insurance basics

Before buying coverage, give some thought to the effects on your company of possibly losing certain partners or employees. In opting for this type of coverage, your company would take out life insurance on the key individuals, pay the premiums and designate itself as the beneficiary of the policy. If that person unexpectedly dies, your company receives the claim payout. This payout would essentially allow your business to stay afloat as you recover from the sudden loss of that employee or partner, without whom it would be difficult to keep the business operating in the short term.

Your company can use the insurance proceeds for expenses until it can find a replacement person, or, if necessary, pay off debts, distribute money to investors, pay severance to employees and close the business down in an orderly manner. In other words, in the aftermath of this tragedy, the insurance would give you more options than immediate bankruptcy.

Determining whom to cover

Ask yourself: Who is irreplaceable in the short term? In many small businesses, it is the founder who holds the company together – he or she may keep the books, manage the employees, handle the key customers, and so on. If that person is gone, the business pretty much stops.

Determining amount of coverage

• The amount of coverage depends on your business and revenue.
• Think of how much money your business would need to survive until it could replace the key person, come up to speed and get the business back on its feet.
• Buy a policy that fits into your budget and will address your short-term cash needs in case of tragedy.
• Ask us to get some quotes from different insurers. • Check rates for different levels of coverage ($100,000, $500,000, etc.)

WITH THE current isolation orders for most workers in California, many companies have had to scramble to put systems in place to allow their employees to telecommute. Many businesses are not set up for having employees work from home, and they have legitimate concerns about productivity and communications. But there are steps you can take to make sure that you keep your employees engaged and on task.

1. Make sure they have the right technology

If you don’t already have one, you may want to consider setting up a company VPN so your employees can access their work e-mail and databases. You will also need to decide if you are going
to provide them with a company laptop, and you need to make sure that they have an internet connection that is fast enough to handle their workload. Also provide an infrastructure for them to be able to work together on files. If they are not sensitive company documents, they can use Dropbox or Google Documents, which allow sharing between co-workers.

2. Provide clear instructions

It’s important that you provide clear instructions to remote workers. Some people do not perform well without direct oversight and human interaction. Without that factor, you will need to spell out your expectations and the parameters of the projects they are working on in detail. Make it clear that if they are confused or unsure about any part of the work, they should contact a supervisor for clarification. If you can eliminate misunderstandings, then your workers can be more efficient.

3. Schedule regular check-ins

To hold your employees accountable for being on the clock, schedule calls or virtual meetings at regular intervals. Even instant messaging works. During these meetings they can update their
superiors on their work. This also helps with productivity, since there are consequences for failing to meet expectations and coming to the meeting empty-handed. Their supervisors should be working when they are, so they can be in regular communication.

4. Keep employees engaged

One of the hardest parts of working from home is the feelings of isolation and detachment from colleagues. It’s important that you build in interactive time for your workers. One way to do that is by using a chat program like Slack, Hangouts or WhatsApp (which has a group chat function). For remote workers, these programs are a blessing because they make it easy to keep in touch with their colleagues in and out of the office – and they level the playing field, so to speak, by making distance a non-issue.

5. Cyber protection

With employees working from home, you also increase your cyber risk exposure, especially if they are using a company computer that is tapped into your firm’s database or cloud. Teach them cyber security best practices, such as:
• Not clicking on links in e-mails from unknown senders.
• Making sure their systems have the latest security updates.
• Backing up their data daily.
• Training them on how to detect phishing, ransomware
and malware scams, especially new ones that try to take advantage of people’s fears about COVID-19.

The new decade is starting off with a tsunami of new laws and regulations that will affect California businesses. Companies operating in California will have to be prepared for significant changes or open themselves up to potential litigation, fines, and other risks.

Here’s what you need to know coming into the new year:

1. AB 5

The controversial AB 5 creates a more stringent test for determining who is an independent contractor or employee in
California.  Known as the “ABC test,” the standard requires companies to prove that people working for them as independent contractors are:

A) Free from the firm’s control when working;
B) Doing work that falls outside the company’s normal business; and
C) Operating an independent business or trade beyond the job for which they were hired.

Legal experts recommend that employers:

• Perform a worker classification audit, and review all contracts with personnel.
• Notify any state agencies about corrections and changes to a
worker’s status.
• Discuss with legal counsel whether they should now also include them as employees for the purposes of payroll taxes, workers’ compensation insurance, federal income tax withholding, and FICA payment and withholding.

2. Wildfire safety regulations

Cal/OSHA issued emergency regulations that require employers of outdoor workers to take protective measures, including providing respiratory equipment, when air quality is significantly affected by wildfires. Under the new regs, when the Air Quality Index (AQI) for particulate matter 2.5 is more than 150, employers with workers who are outdoors are required to comply with the new rules. These include providing workers with protection like respirators, changing work schedules or moving them to a safe location.

3. Arbitration agreements

Starting Jan. 1, the state will bar almost all employee arbitration agreements. AB 51 bars employers from requiring
applicants, employees and independent contractors to sign mandatory arbitration agreements and waive rights to filing
lawsuits if they lodge a complaint for discrimination, harassment, wage and hour issues. Businesses groups sued to overturn the law on the grounds that it is preempted by the Federal Arbitration Act.

4. Overtime rules

New federal overtime regulations are taking effect for non-exempt workers. Under the new rule, employers will be required to pay overtime to certain salaried workers who make less than $684 per week – or $35,568 per year – up from the current threshold of $455, or $23,660 in annual salary.

5. Consumer privacy

Starting Jan. 1, under the California Consumer Protection Act, businesses that keep personal data of residents are required to safeguard that information and inform website users how their personal data may be used. The law applies to firms with $25 million or more in annual revenues or those that sell personal information as part of their business.

6. Return of the individual mandate

A new law brings back the individual mandate requiring Californians at least to secure health insurance coverage or face tax penalties. This comes after the penalties for not abiding by the Affordable Care Act’s individual mandate were abolished by Congress in late 2017. Starting in 2020, California residents are required to have health insurance or pay excess taxes. This will affect any of your staff who have opted out of your group health plan as it may mean they are going without coverage, unless they have opted to be covered by their spouse’s plan. If you have staff who didn’t enroll in your plan for 2020, they may have to wait until your group’s next open enrollment at the end of the year. That could force them to pay tax penalties.

7. New audit, X-Mod thresholds

The threshold for physical workers’ compensation audits for California policies incepting on or after Jan. 1 is $10,500 in annual premium, a drop from $13,000. This means that any employer with an annual workers’ comp premium of $10,500 or more will be subject to a physical audit at least once a year. On top of that, the threshold for experience rating (to have an X-Mod) has also fallen – to $9,700 in annual premium as of Jan. 1, from $10,000.

8. Harassment training partly pushed back

Employers with five or more workers were required to conduct sexual harassment prevention training for their staff by the end of 2019 under a California law passed in 2018. A new law extends the compliance deadline for some employers who had already conducted training prior to 2019. The original law, SB 1343, required all employers with five or more staff to conduct sexual harassment prevention training to their employees before Jan. 1, 2020 – and every two years after that. If you have never trained your staff, you should have done so in 2019.

But if you have, here are the new rules:
• If you trained your staff in 2019, you aren’t required to provide refresher training until two years from the time the employee was trained.
• If you trained your staff in 2018, you can maintain the two-year cycle and comply with the new Jan. 1, 2021 deadline. You did not have to repeat the training in 2019.

9. Hairstyle discrimination

A new law makes it illegal for employers to discriminate against employees and job applicants based on their hairstyle if it is part of their racial makeup. The CROWN Act (Create a Respectful and Open Workplace for Natural Hair), defines race or ethnicity as “inclusive of traits historically associated with race, including, but not limited to hair texture and protective hairstyles like braids, locks, and twists.” This new definition of race means that natural hair traits fall under the context of racial discrimination in housing, employment and school matters.

10. Reporting serious injuries

A new law broadens the scope of what will be classified as a serious illness or injury which regulations require employers to report to Cal/OSHA “immediately.” The new rules being implemented by AB 1805 are designed to bring California’s rules more in line with Federal OSHA’s regulations for reporting. It will mean that some injuries that were not reportable before will be, such as:
• Any inpatient hospitalization for treatment of a workplace injury or illness will need to be reported to Cal/OSHA.
• An inpatient hospitalization must be required for something “other than medical observation or diagnostic testing.”
• Employers will need to report any “amputation” to Cal/OSHA. This replaces the terminology “loss of member.” Even if the tip of a finger is cut off, it’s considered an amputation. As of yet, there is no effective date for this new law, as enabling regulations have to be written – a process that will start this year.

Gov.  Gavin Newsom has signed a measure into law that will greatly expand when employers are required to report workplace injuries to Cal/OSHA. The new law, AB 1805, broadens the scope of what will be classified as a serious illness or injury which regulations require employers to report to Cal/OSHA “immediately.” As of yet there is no effective date for this new law, but observers say regulations will first have to be written, a process that would start next year.

The definition of “serious injury or illness” has for decades been an injury or illness that requires inpatient hospitalization for more than 24 hours for treatment, or if an employee suffers a “loss of member” or serious disfigurement. The definition has excluded hospitalizations for medical observation. Serious injuries caused by a commission of a penal code violation (a criminal assault and battery), or a  vehicle accident on a public road or highway have also been excluded.

Compliance

Rules for reporting serious injuries and illness or fatalities are as follows:
• The report must be made within eight hours of the employer knowing, or with “diligent inquiry” should have known, about the serious injury or illness (or fatality).
• The report must be made by phone to the nearest Cal/ OSHA district office (note that a companion bill, AB 1804, eliminated e-mail as a means of reporting because e-mail can allow for incomplete incident reporting).

Because of the “diligent inquiry” component, employers should monitor any injured worker’s condition once they learn of an injury, particularly if they need to seek out medical treatment. A member of the staff should be on hand to monitor the employee and report to supervisors immediately if that person will need to be hospitalized. Employers should make sure that supervisors are made aware of the new rules so that any time a worker is injured to the point that they need to be  hospitalized, they know to notify Cal/OSHA within eight hours.

Also, if you have an employee that suffers a medical episode at work – such as a seizure, heart attack or stroke – you are required to report the hospitalization to Cal/OSHA. It’s better to err on the side of caution if an employee is hospitalized for any reason. Not doing so can result in penalties for failure to report or failing to report in a timely manner. Accordingly, it is important to educate management representatives, particularly those charged with the responsibility to make reports to Cal/OSHA, about the nuances of Cal/OSHA’s reporting rules.

One final note: The results of a serious injury or illness or workplace fatality will usually trigger a site inspection by Cal/OSHA, so be prepared if one should occur.

As CYBER scams and hacker attacks grow, the insurance industry has been frantically trying to keep up in providing appropriate coverage for these events. Hacks, viruses, ransomware and exposure of sensitive personal information of your customers or employees, and any resulting regulatory implications, are often covered by cyber liability insurance. But what about the recent trend of criminals spoofing a company executive’s e-mail address, posing as them and ordering accounts payable to cut a check and send it to the fraudsters?

Well, two firms suffered similar incidents, but different federal appeals courts issued opposite opinions – one saying that a crime insurance policy covered the event, while the other court said it didn’t. The fact that two courts came out with two different rulings illustrates how many traditional and even cyber policies are slow to keep up with evolving hi-tech threats to businesses. The devil is always in the details, so read your policies and discuss your concerns with us.

The number of business e-mail compromise scams quadrupled in 2017, and losses averaged $352,000 per business and topped out at $3 million, according to an analysis of insurer Beazley’s clients. The FBI says these schemes are one of the fastest-growing cybercrimes.

Court case one: Covered

Employees of Medidata, a clinical-trial software firm, wired $4.7 million for what they thought was for an acquisition by their employer. They were sent a series of fraudulent e-mails that they thought were from their company president and the firm’s outside lawyer.

The company didn’t have a cyber insurance policy, but it had an executive protection policy, which had a crime section that included coverage for computer fraud, funds transfer fraud and
forgery. The insurer rejected the claim and the firm sued in federal court. The lower court ruled in favor of the insurer, but upon appeal, the federal appeals court ruled that the policy did in fact cover the loss.

The insurer argued the policy applies to only hacking-type intrusions. The appeals court found that while no hacking occurred, fraudsters inserted spoofing code into the firm’s e-mail system, which the court said is part of the computer system. The court held that the insurer must pay under the computer fraud portion of its policy.

Court case two: Not covered

A federal district court found no crime policy coverage after a Michigan tool and die firm wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its vendors. The insurer faulted the company for not verifying the bank account with the vendor. The district court agreed with the insurer that the loss was not a “direct loss” caused by the “use of a computer,” and thus the crime policy did not apply.

The takeaway

Computer fraud is evolving rapidly, so it’s important that you talk to us about the types of fraud that appear in the news. We will work with you to ensure that your coverage is forward-looking and covering more than just threats from last year. We can also discuss with you how computer fraud coverage interacts with other types of cybercrime policies.