Have you received a text from a random number in the last few days? Perhaps the text looks quite obviously suspicious, but it could pass as legitimate – especially if you are distracted or multitasking while scrolling through your device. The text contains a link asking you to confirm the delivery or receipt of a package. Or it tells you that you have just paid a bill. Or need to pay an outstanding bill. Or it could just be advertising a random product. These texts are actually scams that have been dubbed “smishing” – combining “SMS” and “phishing” – and your employees are no doubt receiving them, too. In a remote-work era where a multitude of attackers are attempting to gain access to your company network through digital vulnerabilities, the time is now for employers to guard yourself against this latest weapon in the cyberwar raging all around us. What are the five steps your organization can take today to best prepare?
What is Smishing?
“Smishing” is a version of phishing carried out over SMS (short message service, commonly known as texting) channels. The senders of these malicious texts are trying to get hold of personal information, passwords, and money.
Smishers start by sending a text impersonating a reputable company. Typical smishing attempts specifically involve using the name of common parcel carriers informing you that your package has been delivered, or fake texts seemingly coming from a bank, company vendor, or other common company name. The messages almost always have a link. Unfortunate recipients who click that link will often end up having unsuspecting malware downloaded to their devices, or will be lead to a legitimate-looking form to “log in” and voluntarily provide a trove of valuable data.
Smishing is the New Cyberattack
There is ample evidence indicating a rapid increase in smishing attempts. Smishing attacks increased 24% in the U.S. alone and 69% globally last year. According to data from the Federal Trade Commission, 21% of fraud reports that were filed in 2021 involved smishing. That’s 377,840 out of the total 1,813,832 reports that identify a contact method. Of those hundreds of thousands of claims, a total of $131 million was lost, with an average of $900 per report.
Work-from-home and hybrid work arrangements have led your employees to use their mobile phones and company devices at an increasing rate. This has led many of these smishing attacks to have a workplace component.
What Can Employers Do? A 5-Step Plan to Combat Smishing
So what can you do to address this latest cyber-concern? Here are five steps your organization can take to put yourself in the best position.
The new 2023 limits are:
HSA – Single $3,850 / Family $7,750 per year
HDHP (self-only coverage) – $1,500 minimum deductible / $7,500 out-of-pocket limit
HDHP (family coverage) – $3,000 minimum deductible / $15,000 out-of-pocket limit
You may recall the Seinfeld episode where Elaine Benes consumes a $29,000 piece of cake from the 1937 wedding of the Duke and Duchess of Windsor. A birthday cake from an office party in Kentucky may have that pricey wedding slice beat. If you haven’t heard already, a Kentucky jury just served an employer with a $450,000 bill associated with a surprise office birthday party gone awry. Does this massive legal loss spell the end of office birthday parties as we know them? Thankfully, no. Despite the media attention the April 15th verdict has garnered, it had less to do with the fact that the employer threw a surprise party than with how it handled the situation – and particularly the fallout. All kidding aside, this case has important reminders for employers about how you should handle disabilities in the workplace – and you can easily avoid a similar fate by following some commonsense steps.
The Worst Birthday Party Ever?
This case stemmed from a surprise birthday party thrown by Gravity Diagnostics LLC for lab worker Kevin Berling. According to his lawsuit, Berling suffered from an anxiety disorder and specifically asked his office manager not to celebrate his birthday party in the office. Coincidentally, the office manager was out of the office on Berling’s big day and his co-workers decided to plan him a surprise birthday celebration. When Berling caught wind of it, he alleged that he suffered a panic attack and spent his lunch period hiding out in his car.
But it’s what happened next that was particularly damning for the employer. According to Berling, his managers subsequently called him into a meeting and scolded and belittled him for his reaction. In fact, according to media reports, Berling said he was accused of “stealing his co-workers’ joy.
This in turn led him to suffer another panic attack where he used methods such as clenching his fists to deescalate the situation. According to the lawsuit, his behavior alarmed the employer, who feared Berling might respond violently. He says they asked him to immediately leave the property. He alleged that the company terminated him several days later.
Berling sued his ex-employer for disability discrimination and by the time the case went to the jury the only claim to decide was whether Gravity Diagnostics reasonably failed to reasonably accommodate his disability. After deliberating for merely one and one-half hours, the jury awarded Berling $450,000 – which consisted of $120,000 in lost wages and benefits, $30,000 in future lost earnings, and $300,000 for pain and suffering, mental anguish, embarrassment, humiliation, mortification, and loss of self-esteem. At some point in the near future, the court will tack on reasonable attorneys’ fees and costs, which could considerably increase the final tally that Gravity has to pony up to Berling.
All in all, that’s a costly payout for a birthday cake and some decorations.
What Can You Do to Avoid a Similar Fate?
What went so wrong with this seemingly joyous occasion? The alleged facts of the case offer some simple steps for employers to take to avoid a similar fate:
There was some dispute in this case about whether Berling had explicitly informed his employer about his anxiety order. Regardless of what happened here, it’s a good reminder to be attuned to your employees that may have disabilities and are seeking reasonable accommodations – even if not specifically couched in those terms.
If an employee is expressing significant unease with an office social function, they may very well be signaling that they suffer from some form of disability such as an anxiety disorder. A request not to throw a party or to not participate in a similar workplace function could be construed by a court as a request for a reasonable accommodation if the employee ties such request to something that is health related. At a minimum, you should be aware that issues such as this could trigger your obligation to engage in an interactive process to discuss this issue further with your employees.
While many employees are excited about returning to the office, seeing co-workers again, and getting back into the swing of social interactions at work, you should be aware that this may not be the universal sentiment for all employees. In the post-pandemic world, many employees may still be cautious or even fearful about such social interactions – especially those who may be immunocompromised or live with vulnerable family members.
As much as you may want to promote employee engagement and interaction, you should realize we are in a new era. Some employees may simply choose to be more cautious while interacting with others. After the trauma of the last two years, in fact, some employees may find that this discomfort rises to the level of an anxiety disorder or similar disability.
You should train your employees – especially HR folks and front-line supervisors and managers – to be attentive to such issues. They should know the specific steps to take in response to requests for reasonable accommodations and handling potential disabilities. The outcome in this case may very well have been avoided had the employer provided good training to the office manager and other employees about how to respond in such situations. Leaving employees to navigate these issues on their own and figure things out “on the fly” is almost always a recipe for disaster.
Before taking any adverse action against a worker, you should consider working with appropriate staff to look into whether there have been performance issues, disabilities, or any mitigating circumstances before making a final decision to discipline an employee. This process should be well-documented and consistent across the board.
In this case, the company alleged that it was concerned about violent behavior by Berling and acted on its “zero tolerance” policy towards workplace violence in making the decision to discharge him.
Depending on the circumstances, removing an employee from the workplace may be the right call from a workplace violence prevention standpoint. If an employee makes a threat or commits an act of violence, termination may simply be the best course of action. When an employee has not made a direct threat but you have witnessed behavior that may suggest the employee could be violent, you may want to remove the employee from the workplace until you can more carefully evaluate what you observed and make an informed decision concerning continued employment. This would include following up by asking the right questions, investigating, and figuring out what was happening with the employee in the specific situation. In some cases, a “cooling off” period of paid leave might be worth considering to assess the situation further and determine the appropriate course of action – rather than immediately making the decision to terminate without having all the facts.
Conclusion
Cases such as this generate a lot of attention and buzz due to their novelty. The facts of this case may certainly be unique. But cases like this are a good reminder for all employers to take a step back and contemplate how you would have handled a similar situation, and what you would have done differently. Keeping the points above in mind may help you avoid a similar outcome and ending up with egg (or birthday cake) on your face.
This flexibility allows employers whose workforce is working remotely to defer the physical presence requirements associated with the Employment Eligibility Verification (Form I-9) and section 274A of the Immigration and Nationality Act. The policy initially applied only to employers and workplaces that were working entirely remotely. However, the policy was expanded to cover all employers who hire employees on or after April 1, 2021 to exclusively work remotely due to the employer’s COVID-19 policy. In these cases, the in-person inspection requirement relating to Form I-9 identity and employment eligibility documentation applies only to employees who physically report to work at a company location on any “regular, consistent, or predictable basis.”
The temporary guidance continues to provide the following:
Employers that have gathering bans or restrictions due to COVID-19 are not required to perform an in-person review of the employee’s identity and employment authorization documents. Instead, employers may inspect the employee’s “Section 2” I-9 documents remotely, using “video link, fax or email, etc.” Employers must obtain, inspect and retain copies of the documents within 3 business days, and provide written documentation of their remote onboarding and remote work policy on the employee’s Form I-9. Once normal operations resume, employers must conduct an in-person verification of any documents presented by employees who were onboarded remotely, within 3 days of a return to the work location.
Although DHS has signaled a willingness to permanently adopt remote document examination for I-9 eligibility verification, to date, no permanent changes have been made. Accordingly, employers are encouraged to begin, at their discretion, the in-person verification of identity and employment eligibility documentation for employees who were hired on or after March 20, 2020, and who presented such documents for remote inspection in reliance on the flexibilities first announced in March 2020.
One of the biggest trends that arose from the pandemic has undoubtedly been the “work from anywhere” mindset. Once both employers and employees realized that work could be performed effectively without sitting in a traditional office, things started to change. Some employers chose to close their brick-and-mortar worksites for good, while some workers decided to relocate to be closer to family or to live in a region with a lower cost of living.
Employers often wonder whether there are legal implications for allowing employees to work temporarily or permanently from a state in which their organization has no business presence. It comes as a surprise to many that allowing an employee to work remotely from a new state is not as simple as they originally thought.
When employers allow an employee to work remotely from a different state, the employer must register to do business in that state and comply with its labor laws. This includes employer payroll and income tax withholding obligations, as well as wage and hour laws and statutory benefits, just to name a few.
Tax Implications
Because income tax requirements are based on where income is sourced, rather than where an employer is headquartered, employers must determine their tax obligations based on the state in which their remote employee is performing work. This generally includes registering with the state as a new employer, withholding employee state income tax, and remitting employer state payroll and unemployment taxes.
Wage and Hour Laws
The Fair Labor Standards Act (FLSA) governs wage and hour requirements at the federal level. However, many states have enacted their own laws that are more generous to workers than the FLSA, and employers must comply with these policies, as well. For instance, some states require that meal and rest breaks be provided, where federal law does not. Minimum wage rates and overtime pay laws differ by state, as do final pay requirements. A handful of states also have minimum salary thresholds for exemption that exceed the federal requirements.
Paid Leave Laws
While not required at the federal level, many states and localities have passed laws mandating paid sick leave for employees. The laws vary by jurisdiction with respect to employer size and the amount of leave required, and they often include notice requirements.
Similarly, numerous states have laws regulating vacation leave when voluntarily offered by employers. These laws might require employers to pay out accrued vacation leave upon separation, prohibit use-it-or-lose-it provisions or impose other limitations on employer leave policies.
Additional state leave laws might also entitle employees to time off from work for other reasons, such as absences related to domestic violence, voting or jury duty, or family and medical leave.
Other Considerations
The nuances of state laws do not end there. Worker anti-discrimination protections vary at the state level, as do pay equity laws and sexual harassment training requirements. Some states require employers to reimburse employees’ business expenses; others have statutory disability benefits. The list goes on. Employers will need to examine their obligations under various state laws when determining how to manage their remote workforce.
In furtherance of the Biden Administration’s January 28, 2021, Executive Order 14009 and April 5, 2022, Executive Order 14070 to protect and strengthen the ACA, the Treasury Department and IRS published a proposed rule on April 7, 2022, advancing an alternative interpretation of Internal Revenue Code Section 36B. Employers can breathe a sigh of relief as the proposed changes do not alter the Employer Shared Responsibility Payment (ACA penalty) construct. Employers can continue to offer affordable employee-only coverage and spousal or dependent coverage that is unaffordable. However, the potential indirect effects of the proposed regulations on employers are noteworthy.
At its core, the proposed regulation eliminates the current regulatory concept that the cost of coverage for a spouse and dependent children is deemed affordable if the lowest-cost silver plan for employee-only coverage is affordable. Citing studies addressing the “family glitch” that disqualifies employees from subsidized Marketplace coverage if the employee-only coverage is affordable and finding this inconsistent with the purpose of the ACA of expanding access to affordable care, the Treasury Department and IRS have reinterpreted Section 36B as permitting a Premium Tax Credit to individuals if the only coverage available to them is unaffordable spousal or dependent coverage.
In an attempt to calm employers’ concerns that this proposed rule will affect their cost-sharing schedules, the Preamble to the proposed rule notes:
The proposed regulations would make changes only to the affordability rule for related individuals; they would make no changes to the affordability rule for employees. As required by statute, employees continue to have an offer of affordable employer coverage if the employee’s required contribution for self-only coverage of the employee does not exceed the required contribution percentage of household income. Accordingly, under the proposed regulations, a spouse or dependent of an employee may have an offer of employer coverage that is unaffordable even though the employee has an affordable offer of self-only coverage.
The proposed rule also modifies the minimum value regulations to include the entire family and addresses multiple offers of coverage.
Although not directly affecting employer-sponsored plans, employers may experience indirect effects of the changes if the proposed rule is finalized. For example, in order for the Internal Revenue Service to make Premium Tax Credit determinations involving family coverage, they may require further information reporting from employers. The IRS Forms 1094 and 1095 might be modified to require separate affordability reporting regarding both employee-only coverage and other coverage offers.
Further, employer-sponsored plans may see an uptick in enrollment if the Premium Tax Credit becomes available to families when employer-sponsored coverage is unaffordable for spouses and dependent children. The Premium Tax Credit would help offset the high cost of coverage in employer-sponsored plans.
With the protection and strengthening of the Affordable Care Act being a focus of the current Administration, employers should prepare for further changes.
The recorded presentation of AAG’s 2022 Education Seminar held on April 7, 2022 is now available for viewing.
Guest Speaker and Attorney Keith Hammond, of Hammond Law Center, focuses on changes in employment law that have occurred over the past year. Some of the topics addressed include new regulations under the Biden administration, as well as how the new DOL Secretary Marty Walsh and Democratic controlled NLRB could impact your business.
This seminar is also approved for 2 Professional Development Credits (PDCs) with SHRM for all attendees.
As expected, state and local mask requirements continue to be lifted following the CDC’s loosening of its masking recommendations last month. As of today, only 10 states require masks – and many of those requirements apply only in certain limited settings, such as in the healthcare context, shelters, residential care facilities, and schools. The lifting of these governmental mask mandates raises the question of whether employers should continue to require masks in the workplace as a matter of internal policy. There’s no “one size fits all” answer to this question. Rather, each business should weigh the pros and cons of requiring masks in their workplace and decide what’s best for their particular locations and circumstances.
What Does the Law Say?
Importantly, the CDC still recommends that masks be worn in places of high transmission. As of today, that covers only about 15% of the country and that number has been decreasing. Employers who don’t follow the recommendations of the CDC (and applicable state and local health departments) do so at their own peril. That’s because OSHA or a state OSHA agency can – and often does – cite employers under the “General Duty Clause,” using the failure to follow recommended safety measures (i.e. CDC recommendations) as the basis for the alleged violation.
The General Duty Clause of the OSH Act broadly requires that employers provide a work environment that is “free from recognized hazards that are causing or are likely to cause death or serious physical harm.” This clause has served as OSHA’s COVID-19 workhorse, as the agency has not successfully issued new specific pandemic-related standards applicable to most employers but repeatedly cited employers under the General Duty Clause for failures related to masking.
While OSHA looks to CDC recommendations in issuing its own guidance documents for employers related to COVID-19 and workplace safety, it has not yet updated them to reflect the CDC’s recent relaxation of masking recommendations.
It is therefore prudent for employers to continue to require masks, regardless of vaccination status, in places of high transmission and to continue to track the CDC Date on Community Transmission Levels to make sure your workplaces are not in a place of high transmission. In places of “medium” or “low” transmission, the CDC does not currently recommend masks (except in areas designated as “medium,” where it recommends that those who are immunocompromised or at high risk for severe illness should confer with their doctor about whether to wear a mask). That means in these areas it is up for the employers to decide what to do.
Finally, before brainstorming about possible next steps, make sure you understand the lay of the land in your own state.
Pros and Cons of Lifting Mask Requirements
Once you understand the lay of the land, you’re ready to consider the various pros and cons associated with removing mask requirements at your business.
Pros:
Cons:
As most states lift their mask mandates, the Centers for Disease Control and Prevention (CDC) announced Friday (2/25/22), that the agency has adopted new metrics for determining whether to recommend face coverings – a shift that will result in most Americans no longer being advised to wear masks in indoor public settings. By moving away from looking solely at the number of COVID-19 cases in a given area but instead taking into account local hospitalizations and hospital capacity, the updated metrics will create room for businesses and employers to revisit their own approaches to masking policies. What should you know about these changes before making a decision for your organization?
The CDC’s previous guidelines recommended that fully vaccinated individuals residing in communities of substantial or “high” transmission wear a mask in indoor public settings. Given that the standards solely examined the positivity rate of COVID-19 cases in a community, roughly 95% of counties in the United States met the definition of substantial or high transmission.
The metrics used to determine whether to recommend masks will now take a more holistic view of the risk COVID-19 to a community. The number of COVID-19 cases will still but considered, but hospitalizations and local hospital capacity will also be taken into account.
The CDC adopted “COVID-19 Community Levels” of “Low,” “Medium,” and “High” to help communities decide what recommendations and requirements to put in place. The CDC has provided a “COVID-19 County Check” tool to find the community level in a particular county and the prevention steps recommended for that county.
Given the highly transmissible but less severe nature of the omicron variant, masks will no longer be recommended for the vast majority of Americans, including those who remain unvaccinated.
The CDC’s new guidance provides important considerations for employers who have been considering rescinding their masking policies. Even though CDC guidance is not directly binding on employers, it is critically important. That’s because while OSHA has not yet expressly adopted the most recent CDC guidance, OSHA’s guidance repeatedly refers to CDC guidance.
Employers should review their local and state masking requirements and continue to comply with those requirements. For employers in areas where a mask mandate is no longer in place, they should review the CDC’s latest guidance and utilize the COVID-19 County Check tool to make an informed decision regarding their mask policy.
Employers who lift their mask mandate should make sure that employees who continue to voluntarily wear a mask do not face illegal mistreatment at the hands of supervisors or coworkers. Make sure your employees know that retaliation, discrimination, and harassment will not be tolerated, and include this prohibition in written policies distributed to all workers.