Compliance

With the Department of Labor’s (DOL) decision to increase the salary threshold for employees to be exempt from overtime pay, many employers will need to reclassify employees to non-exempt status. This status entitles employees to 1.5 times their pay rate when they work beyond a 40-hour week. To stay ahead of overtime compliance concerns, employers should conduct an internal audit of their overtime procedures and consider using a “percentage bonus” as part of their strategy to adjust to the guidelines and stay compliant.  

DOL Changes Necessitate Adjusting Overtime Compliance Procedures

Any employer that pays non-exempt employees bonuses should review overtime compliance obligations now. The DOL’s new rules will give more employees non-exempt status and goes into effect in early 2025.

Overtime compliance factors to review: 

• New Salary Threshold: The U.S. Department of Labor’s (DOL’s) new salary threshold for the Fair Labor Standards Act’s (FLSA’s) “white-collar” exemptions will rise to nearly $59k. Only workers who pass the duties test and reach this threshold will be considered exempt from overtime pay obligations.
• Reclassification: It may become more cost-effective to reclassify employees to non-exempt rather than raise their salary to meet the threshold. 
• Regular Rate of Pay: Non-exempt employees are entitled to overtime premiums based on their “regular rate of pay.” This includes all types of compensation (including bonuses). For this reason, the “regular pay rate”  isn’t as simple as it may seem at first glance. Internal reviews require a thorough understanding of section 7(e) of the FLSA. 

Enter the Percentage Bonus 

Employers must consider bonus payments when calculating overtime under the FLSA. While most bonuses have to be included when calculating the regular rate, the percentage bonus allows employers to pay a bonus without factoring it into overtime pay calculations. This approach simplifies calculations. The bonus is calculated as a predetermined percentage of an employee’s total straight-time and overtime pay during the relevant period. To adhere to compliance standards, overtime pay must be included in the calculation. The predetermined percentage must not change in response to variations in hours worked, and the bonus amount cannot be a fixed sum that ignores fluctuations in overtime.

Alternatively, employers can distribute a bonus pool among employees based on their proportion of the total straight-time and overtime wages. Each employee’s share of the pool is calculated by dividing their wages by the total wages of all participants, then multiplying by the total bonus pool. This ensures that the bonus reflects the employee’s contribution to the overall work period, including overtime.

If an employer uses one of these percentage-based approaches to address the FLSA overtime ramifications of bonuses, it should also ensure the plan complies with standards in every way and is maintained properly going forward. 

The DOL says the method may be used only for true bonuses–as in those that are properly applied to a sum and paid as an addition to total wages. Such bonuses are usually attributed to extra effort, as a reward for loyal service, or as a gift. The term is improperly applied if it is used to designate a portion of regular wages that employees are entitled to receive under their regular wage contract. As always, employers should evaluate where this type of plan complies with applicable state and local requirements and ensure these bonuses are accurately and clearly explained to employees.

The Bottom Line

The DOL’s changes necessitate changes for all employers to stay compliant. Companies may be able to use a percentage bonus to simplify the changes while staying compliant with the new rules. If you would benefit from a conversation with overtime compliance pros to address questions or concerns, please schedule a free consultation now.  

The Private Attorneys General Act (PAGA) is making waves once again. In a significant ruling, the California Supreme Court has determined that public employers are not subject to PAGA—a statute that allows employees to file lawsuits on behalf of the state for Labor Code violations. This landmark decision brings clarity to the longstanding debate regarding whether public entities, such as cities, counties, and state agencies, fall under the statute’s jurisdiction.

Understanding PAGA

PAGA was enacted in 2004, empowering employees to step into the shoes of state regulators and file claims for Labor Code violations against their employers. These claims can lead to civil penalties, with a portion of the recovered penalties going to the state and the remainder to the aggrieved employees. Historically, the act has been applied broadly, impacting various industries and sectors across California. However, the recent ruling clarifies that public employers are exempt from these lawsuits.

Key Implications of the Ruling

1. Distinguishing Between Public vs. Private Employers: The court’s decision solidifies the distinction between public and private employers under PAGA, ensuring that public agencies are not held to the same standards as private companies in the context of labor-related lawsuits.
2. Impact on Labor Disputes: While public employers are no longer subject to PAGA, this does not absolve them of adhering to the state’s labor laws. Employees can still file complaints through other channels.
3. Reduced Burden on Public Employers: One of the most significant outcomes of this ruling is the reduced burden on public agencies.

Practical Tips for Employers

Even though public employers are now exempt from PAGA, it’s essential for both public and private entities to remain vigilant in their labor law compliance. Here are practical steps employers should consider:

1. Maintain Rigorous Compliance Procedures: Public employers should continue to follow all applicable Labor Code requirements, including wage and hour laws, meal and rest breaks, and workplace safety standards.
2. Conduct Regular Internal Audits: Proactive measures such as regular audits can help identify potential labor code violations before they escalate. Reviewing employee records, wage payments, and workplace policies can ensure compliance with California’s complex labor laws.
3. Stay Informed on Legal Changes: Although PAGA no longer applies to public employers, California labor laws are subject to frequent amendments and new regulations. Employers should monitor legal developments and work closely with appropriate partners to stay up-to-date on any changes that might impact their operations.
4. Train Managers and Supervisors: Ensuring that management teams are trained on labor laws and employee rights can help prevent violations and mitigate potential legal issues.

The Bottom Line

The California Supreme Court’s ruling marks a pivotal shift for public employers, relieving them from PAGA-related litigation. However, the need for ongoing labor law compliance remains. By following best practices and maintaining a culture of compliance, public employers can avoid legal pitfalls. If your company would benefit from a partner in all things compliance, schedule a free consultation with the pros. 

A digital nomad is someone who uses technology to work remotely while traveling or living in different locations, often without a fixed home base. In recent years, the workforce has experienced a significant and rapid shift towards remote work and digital nomadism, with this article estimating that digital nomads make up nearly 11% of the U.S workforce (or 18.1 million workers). This trend has reshaped how organizations manage, engage, and retain talent.

Some organizations have resisted the shift, citing challenges such as coordinating across different time zones, communication barriers, and concerns about productivity. There are also compliance issues involved with engaging workers in various locations with different legal requirements, payroll guidelines, and tax laws.

Still, embracing the shift has benefits, too. For many companies, the cost savings associated with reducing overhead and the ability to access a broader talent pool are reason enough to overcome concerns. 

Strategies for Companies to Engage Digital Nomads

One of my client’s cardinal rules is “Make it easy for customers to give you their money.” If you’ve ever abandoned a vase in the Dollar Spot at Target or skipped your first choice for dinner because the line was too long, you understand. Surely this is part of the strategy behind Chick-fil’a’s system of moving cars through its lines with the speed and precision of a Navy Seals mission. Just make it easy breezy for people to hand over their lunch money and move right on through your line with their piping hot waffle fries and Chick-fil-a sauce. There’s a case to take a similar approach with digital nomads. If you want to attract the best talent and choose from a wider pool of prospects, you might want to consider making it easier for people to work for/with you. 

Here are a few ways:   

1. Offer Flexible Work Hours: Allow digital nomads to manage their schedules across different time zones and focus on their results and deliverables rather than the schedule on which they deliver them.
2. Provide Remote-Friendly Tools: Use collaboration platforms like Slack and Zoom for seamless communication and project management.
3. Foster Community: Create virtual events, online meetups, or digital spaces for nomads to stay connected with the company culture.
4. Incentivize with Travel Perks: Offer travel stipends, co-working space allowances, or support in obtaining remote work visas.
5. Engage a Partner for Compliance: Engage a partner that specializes in worker classification, payroll services for contract workers, and compliance concerns to make engaging workers in various locations (and therefore, various rules) a non-issue.   

The Bottom Line

Engaging digital nomads presents both challenges and opportunities. While time zone differences, communication challenges, and compliance concerns can create obstacles, the benefits are compelling. Many organizations find gaining access to a much broader talent pool and reducing overhead costs make overcoming the challenges well worth the effort. As more of the workforce shifts towards flexible work arrangements, companies that effectively engage digital nomads will position themselves for long-term success in a dynamic, globalized world. If your company could benefit from making it easier for the best workers to join your team, schedule a free consultation with the pros to address any concerns you might have about worker classification, compliance, payroll, or more. 

Let’s Start With a Quiz: What is a Cookie?

1. A delicious cake-like ball of baked dough. 
2. A marketing director’s dream.  
3. A compliance liability. 
4. All of the above. 

It is indeed all of the above. From here on out though, we’re skipping the sweet treats and talking specifically about the small text files stored on a user’s device–also known as http cookies. The film The Social Dilemma made the argument that if you aren’t paying for a product, you are the product. So who’s buying? And at what point is a company liable when an individual’s personal data is stolen or compromised? Well, let’s talk about it. 

Tell me About Definition 2 (A Marketer’s Dream) 

Every link you click on. Every ad you engage with. Every preference you set. It’s all saved. It’s a level of profiling sophistication an FBI agent of the 1900’s could only have dreamed about. These little bits of data can serve the purpose of improving user experience by tracking the following:

• Session Management: Keeping track of user sessions (such as items in a shopping cart).
• Personalization: Remembering user preferences (such as language settings).

They can also be used to monitor user behavior for analytics or advertising purposes by collecting a range of data, including:

• Identifiers: IP addresses, device IDs.
• Behavioral Data: Browsing history, click patterns.
• Preferences: Language, interests.

Under the CCPA, much of this data qualifies as “personal information,” especially if it can be linked to a particular consumer or household (as in–a profile).

What is the CCPA?

The CCPA is one of the most comprehensive privacy laws in the United States. And while it is a California-specific law, it has implications for all businesses in the United States. Often, California sets a precedent for others to follow. The primary objective of the law is to enhance privacy rights and consumer protection for residents of California. 

Key provisions of the CCPA include:

• Right to Know: Consumers can request details about the personal information a business collects about them and how it’s used and shared.
• Right to Delete: Consumers can request that their personal information be deleted.
• Right to Opt-Out: Consumers can direct a business not to sell their personal information.
• Non-Discrimination: Businesses cannot discriminate against consumers who exercise their rights under the CCPA.

Tell me More About That Compliance Liability Part

The California Consumer Privacy Act (CCPA), is designed to grant Californians more control over their personal information. While many businesses have taken strides to comply with the CCPA, an often-overlooked facet of personal information is the role of cookies. Under the CCPA, a customer could sue for a data breach if certain information (such as usernames, passwords, identification numbers, medical information, etc.) is exposed as a result of a company’s failure to implement appropriate security measures. 

The intersection of cookies and the CCPA presents several liabilities:

1. Legal Repercussions

Data breaches under the CCPA can lead to statutory damages ranging from $100 to $750 per consumer per incident or actual damages, whichever is greater. A recent lawsuit has also likely set the stage for more legal battles to come. 

2. Reputational Damage

Beyond legal consequences, breaches erode consumer trust. Consumers are increasingly privacy-conscious, a breach can lead to lost business and long-term brand damage.

3. Operational Challenges

Post-breach, businesses might need to overhaul their data practices, invest in security infrastructure, and undergo audits, all of which can be resource-intensive.

What Constitutes a Data Breach Under the CCPA? 

Under the CCPA, a data breach is not just about unauthorized access. The legislation refers to the “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s non-encrypted or non-redacted personal information when a company fails to comply with “reasonable security” measures. This means that if a business fails to adopt said reasonable security measures and a breach occurs, it could face significant repercussions. 

When Cookies Lead to Data Breaches

While cookies are essential for modern web functionality, their misuse or mismanagement can inadvertently lead to data breaches under the CCPA. Here’s how:

Unauthorized Access Through Cookies: If cookies storing personal information aren’t adequately secured, malicious actors can exploit vulnerabilities to access this data. For instance, cross-site scripting (XSS) attacks can allow hackers to steal session cookies, leading to unauthorized access to user accounts.

Third-Party Mismanagement: Relying on third-party cookies means entrusting external entities with user data. If these third parties mishandle the data or suffer their own breaches, the originating website can be held accountable.

Unintended Data Sharing: Some cookies might inadvertently share more data than intended. For example, misconfigured cookies might expose user data to unintended recipients or across insecure channels.

Lack of Transparency: If businesses fail to inform users about the extent of data collection via cookies or don’t obtain proper consent, any unauthorized disclosure, even if unintentional, can be construed as a breach.

Best Practices to Mitigate Risks

To navigate the complexities of cookies under the CCPA (and also just to protect consumer information because it’s the ethically sound choice), businesses should adopt proactive measures:

1. Comprehensive Cookie Audit

• Inventory: Catalog all cookies deployed on your website, both first-party and third-party.
• Purpose Assessment: Understand why each cookie is used and what data it collects.
• Necessity Evaluation: Determine if each cookie is essential or if its function can be achieved through less intrusive means.

2. Enhanced Security Measures

• Encryption: Ensure that cookies containing personal information are encrypted.
• Secure Transmission: Use HTTPS to protect data in transit.
• Set Secure and HttpOnly Flags: This prevents cookies from being accessed through client-side scripts.

3. Transparent Disclosure

• Cookie Policy: Clearly articulate your cookie practices, types of data collected, purposes, and third-party sharing.
• Consent Mechanisms: Implement tools that allow users to consent to or opt-out of non-essential cookies.

4. Regular Monitoring and Updates

• Vulnerability Assessments: Regularly scan for and address potential security vulnerabilities related to cookies.
• Stay Updated: As regulations evolve, ensure your practices align with current standards.

5. Third-Party Due Diligence

• Vendor Assessment: Evaluate the data practices of partners and third-party vendors, ensuring they adhere to stringent security and privacy standards.
• Contracts: Incorporate clauses that hold third parties accountable for data breaches.

The Bottom Line

The digital age offers unprecedented opportunities for businesses to engage with consumers. However, with great power comes great responsibility. The CCPA underscores the importance of safeguarding consumer data, and as we’ve explored, even the humble cookie isn’t exempt from scrutiny. By understanding the potential pitfalls and adopting robust data practices, businesses can achieve compliance and foster trust and loyalty among their user base. This article is for informational purposes only. Businesses should consult with professionals to understand their specific obligations under the CCPA and other relevant regulations. Want to discuss your specific situation? Let’s talk.

If an individual’s personal information gets compromised, that individual suffers. When a company or organization’s data is compromised, on the other hand, the cascading repercussions can be catastrophic. The collateral damage extends to innocent customers, clients, and even patients–as is the case in breaches of healthcare systems. For that reason, such entities bear a much greater legal and ethical responsibility to protect data from the pervasive threat of scammers and cybercriminals. As cyber threats evolve in sophistication, organizations must adopt a multi-faceted approach to cybersecurity. They must implement digital hygiene practices, comprehensive training programs, and advanced cybersecurity solutions. In addition, robust insurance policies should be in place in case of a breach. This holistic strategy not only safeguards sensitive information but also fosters trust.

Legal and Ethical Responsibility

Companies must implement measures that protect sensitive data from unauthorized access and breaches. The California Consumer Privacy Act (CCPA) mandates stringent data protection practices, with severe penalties for non-compliance. Legal mandates aside, there is an ethical imperative to safeguard clients’ and employees’ personal and financial information. Negligence can lead to severe reputational damage, loss of business (your competitors might even use a slip against you), and erosion of trust.

AI: A Double-Edged Sword

Cybercriminals are leveraging Artificial Intelligence (AI) tools to develop more sophisticated attacks. At the same time, AI has emerged as a formidable tool in the fight against cybercrime. AI-driven systems can analyze vast amounts of data in real time, identifying anomalies and potential threats more efficiently than traditional methods. 

Machine learning algorithms can detect patterns indicative of phishing attempts, malware, and other cyber attacks, enabling faster and more accurate responses. Additionally, AI can automate routine security tasks, allowing human experts to focus on more complex issues. 

This continuous cat-and-mouse necessitates that companies stay ahead of the game as much as possible.

Digital Hygiene and Training Practices

While defensive measures like the above are important, the most effective strategies are still human-based. Savvy people with good digital hygiene are at the front line when the inevitable malicious attempts arrive in their inboxes and beyond. 

Digital hygiene refers to the practices and habits individuals and organizations adopt to maintain a secure digital environment. Proper digital hygiene is critical in mitigating the risk of cyber attacks. Key practices include the following:

1. Regular Updates and Patch Management: Ensuring all software and systems are up-to-date with the latest security patches to prevent exploitation of known vulnerabilities.
2. Strong Password Policies: Implementing complex password requirements and encouraging the use of password managers to reduce the risk of credential theft.
3. Multi-Factor Authentication (MFA): Adding an extra layer of security by requiring additional verification steps beyond just a password.
4. Secure Wi-Fi Practices: Using encrypted networks and avoiding public Wi-Fi for sensitive transactions.

In addition to these practices, comprehensive training programs are essential. Regular training sessions should cover topics such as recognizing phishing attempts, safe internet browsing habits, and how/when to report suspicious activities. Creating a culture of security awareness can significantly reduce the likelihood of successful cyber attacks.

Advanced Cybersecurity Solutions

Implementing advanced cybersecurity solutions is crucial for protecting against sophisticated cyber threats. These solutions include:

1. Third-Party Penetration Tests): Hiring a third party to simulate attacks and identify vulnerabilities.
2. Intrusion Detection and Prevention Systems (IDPS): Identifying and preventing malicious activities on networks, IDPS can stop attacks before they cause damage.
3. Encryption: Ensuring that sensitive data is encrypted both at rest and in transit to protect it from unauthorized access.
4. Have Systems in Place: In case of an incident, have incidents in place ahead of time to provide comprehensive visibility and facilitate rapid incident response.

Adopting a multi-layered approach to cybersecurity helps organizations create redundant safeguards to thwart even the most persistent cyber criminals.

Insurance 

Proactive measures are essential, but no system is entirely foolproof. The right insurance policies provide an additional layer of protection, helping organizations mitigate the impact of cyber attacks. Cyber insurance policies typically cover expenses related to data breaches, ransomware attacks, business interruption, and legal liabilities. They also often provide access to cybersecurity experts who can assist in incident response and recovery.

An organization’s specific risk profile and potential vulnerabilities helps determine the appropriate insurance approach. It is important to work with insurers who understand the evolving nature of cyber threats and offer comprehensive coverage tailored to the unique needs of the business.

Engage Partners

Every company–no matter the industry or size–needs systems in place to manage the cybersecurity threat. Still, the more data that flows through a company’s system, the more important it is. Those that handle a lot of personally identifiable information (PII)–such as staffing agencies, human resource departments, and companies with many temporary contract workers–should pay extra close attention and invest in every possible security measure. 

For some, it makes sense to outsource aspects of the business that have the potential to cause the most damage to a partner that specializes in handling (and protecting) sensitive information. As an Employer of Record (EOR) PayReel specializes in the aspects of business that involve the most sensitive data (such as onboarding and payroll) and as such, has the most stringent data practices and insurance policies (which extend to clients) in place. Sometimes, it just makes sense to let a partner handle the aspects of business they specialize in–especially when those aspects of business make a company vulnerable. Schedule a free consultation today to discuss security solutions to help you sleep better at night.

The Bottom Line 

Combating scammers and cyber criminals requires a multifaceted strategy with proactive defenses, rigorous digital hygiene, continuous training, advanced cybersecurity solutions, and comprehensive insurance coverage. Companies have a legal and ethical obligation to protect their clients and workers, and adopting a holistic approach to cybersecurity is crucial in fulfilling this responsibility. By staying vigilant and proactive, organizations can build a resilient defense against the ever-evolving landscape of cyber threats, safeguarding their assets and maintaining trust.

The Federal Trade Commission (FTC) has banned non-compete clauses for the vast majority of workers. Such employment contracts exist across various industries and the new rule will significantly alter the employment landscape in the United States. Non-compete agreements traditionally prevent employees from joining competing firms or starting similar businesses within a specified time after leaving a company. The implications of this ban are significant and companies need to make immediate changes to project business interests.

Business Implications of the Non-Compete Ban

What Are The Drawbacks?

Businesses are most worried about the increased risk of losing proprietary information. Without non-compete agreements, employees may take proprietary knowledge, trade secrets, or client lists to direct competitors. This has the potential to increase competition as employees can start competing businesses or join rivals without any temporal restrictions. The ban could also make it harder for a company to reap the benefits of their investments in training an employee if workers can easily take their new skills over to a competitor. Businesses will need to find new ways to protect their interests and these methods could lead to increased legal and administrative costs.

What Are The Benefits?

The drawbacks seem to make the headlines, but businesses could see benefits from the ban, too. Employees moving freely between companies has the potential to increase competition and innovation. Such mobility also allows businesses to attract talent more easily, especially those who may have been previously locked into restrictive contracts. New employees bring new ideas and new ideas foster innovation. 

What Businesses Must do NOW

Protect Business Interests:

Non-competes are not the only way to protect your investment. Trade Secret Laws and non-disclosure agreements (NDAs) still provide legally sound avenues to protect sensitive information. Clear definitions of confidential information and explicit employee obligations post-employment can mitigate risks. Adjust employment contracts in accordance with new guidelines and solicit legal advice to ensure compliance. 

Invest in Employee Relations:

Rather than preventing workers from leaving, companies can invest in building a strong company culture. Increasing employee loyalty by fostering a positive work environment can be an effective strategy to retain talent. Fostering a positive work environment and offering competitive benefits are crucial in this regard. Having a happy workforce pays dividends in multiple ways. 

Innovate:

Maintain your competitive edge by continuously innovating and improving products and services. This not only helps in retaining customers but also makes it harder for former employees to replicate success.

Invest in Training And Development:

Continue to invest in employee training coupled with career development opportunities that align employee growth with the company’s goals. This can include leadership tracks, skill development workshops, and more.

Engage an Employer of Record (EOR):

EORs provide expertise in navigating employment compliance from region to region as well as addressing any areas of ambiguity when it comes to compliance laws/regulations. The right EOR can also help at the onboarding stage to make sure employers have all proper NDAs reviewed, signed, and on file. Engaging an EOR to dot the legal i’s and cross the compliance t’s can be a key to reducing business risks for many companies. 

The Bottom Line

The FTC ban on non-compete agreements is the beginning of a new era of workforce mobility and business operations. While there could be some benefits, the drawbacks and new legal challenges cannot be ignored. Businesses must proactively adapt to these changes through strategic planning and legally sound practices. By implementing the suggested guidelines, companies can not only comply with new regulations but also turn these changes into opportunities for growth. Take advantage of a free consultation to discuss how an EOR can help safeguard your business against the new challenges.