News & Events

Wednesday, March 10th

Vulnerabilities with On-Premises Versions of Microsoft Exchange Server

Early last week, Microsoft revealed that suspected state-sponsored hackers from China were exploiting four previously unknown vulnerabilities being used to attack on-premises versions of Microsoft Exchange Server. This has enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 

Since that disclosure, other hackers have used automated programs to scan the internet, looking for companies that have yet to install the fix. Microsoft has urged IT administrators and customers to apply the security fixes immediately. However, just because fixes are applied now, this does not mean that servers have not already been compromised.

Microsoft has listed indicators of compromise here. Admins can also use this script from Microsoft to test if their environments are affected. 

For more information about these vulnerabilities and how to defend against their exploitation, see:

What Action Should You Take?

For businesses potentially impacted, we strongly advise consulting with a cybersecurity expert. For those with cyber insurance, you may have access to complimentary cybersecurity resources through your insurance provider. Please reach out to our office if you have any questions on your cyber insurance coverage or to submit a claim.  

To learn find more about cyber insurance or request a quote, please visit our website:

This material is intended for informational purposes only and is not to be construed as legal advice.

Monday, March 1st

COVID-19 Vaccines in the Workplace: Insurance Implications

As COVID-19 vaccines become more widely available, many employers will be faced with difficult decisions on how to address vaccination in the workplace. On December 16, 2020, the Equal Employment Opportunity Commission (EEOC) issued guidance indicating that employers can require their workers to get a COVID-19 vaccine within the legal confines of the Americans with Disabilities Act (ADA) and Title VII of the Civil Rights Act, even while under the Emergency Use Authorization.

There are many advantages to having a vaccinated workforce, including reduced employee illness and being able to reassure customers that every possible measure is being taken to assure their safety. At the same time, a mandatory vaccination program is ripe with potential pitfalls, and the decision to implement such a program should not be taken lightly. Here are just a few things to keep in mind, particularly when it comes to insurance:

  • Employers that require the COVID-19 vaccine must consider reasonable accommodations for employees with disabilities or religious objections. The employer must engage in the interactive process and try to find a reasonable accommodation without presenting a significant risk to other employees. If the interactive process fails to produce an outcome that is agreeable to all parties or is conducted in an inconsistent manner, the employer may be subject to claims alleging discrimination and/or retaliation
  • Although the EEOC does not consider the act of administering vaccination a “medical exam,” employers should be aware that the vaccination pre-screening questions may implicate the ADA’s provisions on disability related inquiries. Failure to ensure that these questions are “job-related and consistent with business necessity” may lead to claims alleging invasion of privacy, or illegally eliciting information protected under the Genetic Information Nondiscrimination Act (GINA). 
  • Failure to appropriately compensate employees for their time or cover costs associated with an employer-mandated vaccine could potentially lead to wage and hour claims. Employers may also need to evaluate paid time for post-vaccination symptoms. 
  • Any employee injuries (e.g. adverse reaction) due to taking an employer-mandated vaccine would likely be covered by workers compensation. Coverage could be triggered by a variety of scenarios, including requiring vaccination for continued employment or as a condition for physically returning to work, providing vaccinations to employees directly, or even by simply facilitating employees’ vaccinations (e.g. paying for vaccinations, setting appointments, providing on-site vaccinations).
  • If vaccination is required and an employee refuses to comply, the employer may ultimately have to terminate the employee, which could result in a wrongful termination claim. 

Employers will need to determine whether to mandate, encourage, or remain neutral. Regardless, every situation is unique, and employers must weigh the risks and benefits of workplace safety, while balancing business needs, employee morale, and legal exposure.

Any new employment policy or practice needs to be reviewed with counsel to be sure all potential avenues of legal exposure are identified and managed. Counsel will also be able to address the legality of alternatives strategies, such as vaccine incentives.

Employers should continue to monitor the EEOC for any updates as well as California’s Department of Fair Employment and Housing for state specific vaccine mandate guidance. Employers should also monitor all federal, state, and local workplace safety guidance and standards for vaccination updates to assure compliance. 

This material is intended for informational purposes only and is not to be construed as legal advice.

Thursday, February 18th

The Power of Multi-Factor Authentication: Passwords Aren’t Enough

P@ssw0rd123! Look familiar? It doesn’t matter if you replace your vowels with symbols, include the name of your first pet, or use a complex combination of letters and numbers – these days, passwords aren’t enough. And when you are running a business and dealing with sensitive data, you have an added responsibility to protect that information from cyber-attacks. That’s where MFA comes into play.

What is Multi Factor Authentication? (MFA)

Multi-factor authentication (MFA) is a security measure that requires two or more forms of identification to access an account. This involves a combination of:

What should my business protect with MFA?

Any account with access to critical data, applications, and systems within your business should be protected.  Here are some critical areas to address:

  1. Remote network access
  2. Privileged/administrative account access
  3. Business email
  4. Customer relationship management (CRM) system 

MFA and Cyber Insurance

Enabling MFA is a strong indicator of proactive risk management practices.  This, along with other measures can have a significant impact on the availability and affordability of coverage. Due to rising claims frequency, MFA is becoming a more common condition to qualify for coverage. MFA has the potential to prevent claims, which over the long term can result in preferential pricing and coverage terms.

MFA can block over 99.9% of
account compromise attacks.


How to Implement MFA

The vast majority of MFA is free and several common platforms (Gmail, Outlook, Dropbox) offer it internally. For 3rd party platforms, there are also several apps available that allow you to set up MFA free of charge.

It’s best to engage with your IT department or IT vendor to set up an implementation plan that not only establishes MFA but educates your employees on using the feature and explains the purpose and need for added security.

Contact Morris & Garritano at to learn how implementing MFA can help your business or check out our Cyber Coverage Resources for more information.

Additional Resources:
MFA Explained in Under 2 minutes
How to implement Multi Factor Authentication (Microsoft)
Enable MFA in Outlook | Enable MFA in Gmail | Enable MFA for Apple ID

Wednesday, March 24th

American Rescue Plan Act Signed Into Law

The American Rescue Plan Act (ARPA), which is the latest bill to address the ongoing economic impacts of COVID-19, has been signed into law. Most aspects of the law do not directly affect the HR function, but those that do—optional extension of sick and family leave and establishment of COBRA subsidies—are outlined below.

Optional Extension of Sick and Family Leaves

Part of ARPA is an extension of the current tax credit scheme for Emergency Paid Sick Leave (EPSL) and Emergency Family and Medical Leave (EFMLA) under the Families First Coronavirus Response Act (FFCRA). The FFCRA required many employers to provide EPSL and EFMLA in 2020, but became optional when it was previously extended to cover January 1 through March 31, 2021.

The new extension under ARPA takes effect April 1, 2021, and lasts through September 30, 2021. Like the current version, it remains optional. In addition, tax credits are available but only to employers with fewer than 500 employees and up to certain caps. To receive the tax credit, employers are required to follow the original provisions of the FFCRA. For example, they can’t deny EPSL or EFMLA to an employee if they’re otherwise eligible, can’t terminate them for taking EPSL or EFMLA, and have to continue their health insurance during these leaves.

Emergency Paid Sick Leave (EPSL) Changes

Here are the key changes to EPSL, in effect from April 1 through September 30, 2021:

  • Employees can take EPSL to get the COVID vaccine and to recover from any related side effects.
  • Employees can take EPSL when seeking or waiting for a COVID-19 diagnosis or test result if they’ve been exposed to COVID-19 or if the employer has asked them to get a diagnosis or test. (Previously, time spent waiting on test results was not necessarily covered, which seemed like an oversight.)
  • Employees will be eligible for a new bank of leave on April 1. Full-time employees are entitled to 80 hours while part-time employees are entitled to a prorated amount.
  • Employers can’t provide EPSL in a manner that favors highly compensated employees or full-time employees or that discriminates based on how long employees have worked for the employer. (Be aware that any inconsistencies in the granting of leave could potentially lead to a discrimination claim.)

Emergency Family and Medical Leave (EFMLA) Changes

Here are the key changes to EFMLA, in effect from April 1 through September 30, 2021:

  • EFMLA can now be used for any EPSL reason, in addition to the original childcare reasons. This includes the two new EPSL reasons noted above.
  • The 10-day unpaid waiting period has been eliminated.
  • The cap on the reimbursable tax credit for EFMLA has been increased to $12,000 (from $10,000). This applies to all EFMLA taken by an employee, beginning April 1, 2020. This change accounts for the additional 10 days of paid time off—the daily cap of $200 remains the same.
  • The law isn’t clear as to whether employees are entitled to a new 12-week bank of EFMLA. We anticipate that the IRS, DOL, or both will provide guidance on this question soon. It is possible that an employee will be entitled to additional unpaid protected time off, even if they already received the maximum reimbursable amount during previous EFMLA leave(s). We will update our materials if and when new information is available.
  • Employers can’t provide EFMLA in a manner that favors highly compensated employees or full-time employees or that is based on how long employees have worked for the employer. (Again, be aware that any inconsistencies in the granting of leave could potentially lead to a discrimination claim.)

Reasons for Using EPSL and EFMLA

Starting on April 1, employees can take EPSL or EFMLA for the same set of reasons, which is a useful simplification. The following are acceptable reasons for taking these leaves:

  1. When quarantined or isolated subject to federal, state, or local quarantine or isolation order
  2. When advised by a health care provider to self-quarantine because of COVID-19
  3. When the employee is:
    • Experiencing symptoms of COVID-19 and seeking a medical diagnosis
    • Seeking or awaiting the results of a diagnostic test for, or a medical diagnosis of, COVID-19 because they have been exposed or because their employer has requested the test or diagnosis
    • Obtaining a COVID-19 vaccination or recovering from any injury, disability, illness, or condition related to the vaccination
  4. When caring for another person who is isolating or quarantining on government or doctor’s orders
  5. When caring for a child whose school or place of care is closed due to COVID-19

Employees and employers will—in most cases—want to exhaust EPSL first, since it has a higher tax credit, except when used to care for others.

Tax Credit Review

The tax credits available between April 1 and September 30 are the same as under the original FFCRA, except for the increased aggregate cap for EFMLA. Tax credits are available as described below, regardless of how much EPSL or EFMLA an employee used prior to April 1.

  • The credit available for EPSL when used for reasons 1, 2, or 3 (self-care) is up to 100% of an employee’s regular pay, with a limit of $511 per day.
  • The credit available for EPSL when used for reasons 4 or 5 (care for another) is up to 2/3 of an employee’s regular rate of pay, with a limit of $200 per day.
  • The credit available for EFMLA for any reason is up to 2/3 of an employee’s regular pay, with a limit of $200 per day and a cap of $12,000 per employee.

Employers can also claim a credit for their share of Medicare tax on the employee’s wages and the cost of maintaining the employee’s health insurance (qualified health plan expenses) during their absence.

COBRA Subsidies

Another important aspect of the law employers should understand is the creation of COBRA subsidies.

Employees and families enrolled in the employer’s group health plans may lose coverage if the employee’s work hours are reduced or employment is terminated. They can elect to continue coverage under COBRA, but the high premium cost can make it difficult to afford this coverage.

ARPA provides a 100% COBRA subsidy if the employee’s work reduction or termination was involuntary. The subsidy applies for up to six months of coverage from April 2021 through September 2021 (unless the individual’s maximum COBRA period expires earlier).

For group plans subject to the federal COBRA rules, the employer will be required to pay the COBRA premium but then will be reimbursed through a refundable payroll tax credit.

Employers with fewer than 20 workers usually are exempt from the federal COBRA rules, but their group medical insurance plans may be subject to a state’s mini-COBRA law. In that case, it appears the subsidy will be administered by the carrier. The carrier will pay the premium and then be reimbursed by the government.

Employers will need to work with their group health plan carriers and vendors on how to administer the new subsidy provision. Although it takes effect April 1, 2021, employees who were terminated earlier but are still in their COBRA election window also are included. Federal guidance is expected to be released by April 10, including model notices that plans can tailor for their use.

Note that the COBRA subsidy doesn’t apply during FFCRA leaves because employees are entitled to maintain their health insurance during those leaves on the same terms as though they had continued to work.

Source: ThinkHR

Wednesday, December 2nd

Cal/OSHA Emergency Regulations to Protect Workers from COVID-19

Cal/OSHA has adopted emergency regulations – effective immediately – requiring all employers take additional action to protect their employees from COVID-related hazards. Cal/OSHA can enforce non-compliance with the new Standard through civil penalties, ranging in size depending on the severity of the violation. The official press release from the DIR can be read here

Does this regulation apply to you?

The emergency standards apply to all employees and places of employment with three exceptions:

  • Workplaces where there is only one employee who does not have contact with other people
  • Employees who are working from home
  • Employees who are covered by the Aerosol Transmissible Diseases standard

What do you need to do?

  • Refer to Cal/OSHA Resources
  • Develop, implement and maintain a written COVID Prevention Program, either as part of your Injury and Illness Prevention Program (IIPP) or as a stand-alone document.
  • Investigate COVID-19 cases, notify and provide testing to potentially exposed employees.
  • Require physical distancing, mask wearing, improve ventilation, and maximize outdoor air.
  • Don’t allow employees to return to the worksite until quarantine ends, and pay employees throughout quarantines.
  • Report all outbreaks – 3 or more cases in two weeks – to public health department, and provide continuous testing at least weekly to all on site employees. For major outbreaks – 20 or more cases in 30 days, provide twice a week testing.
  • In employer provided housing, beds must be spaced, and daily disinfection is required.
  • In employer provided transportation, workers get screened before boarding, sit apart from each other and wear face coverings.

We understand this places additional burden on employers during already trying times. We will continue to evaluate the details of the regulation and keep you apprised to any new developments or resources as they become available. Given the scope of these provisions and the connection with other recently passed legislation such as AB 685, we encourage employers to evaluate these provisions with collaborative input from operation teams, safety personnel, human resources, and legal counsel. 

Please do not hesitate to reach out to our office for questions regarding Cal/OSHA compliance or employer obligations. 

Tuesday, November 24th

AB 685: Effective 1/1/20201

As we continue navigating COVID-19 and safety in the workplace, we want to be sure you are aware of California Assembly Bill 685. This legislation, which takes effect on January 1, 2021, strengthens CAL/OSHA enforcement of infection prevention controls and requires timely notifications regarding any COVID-19 cases in the workplace.

California employers are already required to establish and maintain controls to limit employee exposure to COVID-19. Assembly Bill 685 (AB 685) gives Cal/OSHA the authority to shut down parts of a business or the entire operation if it determines an imminent hazard exists at that workplace due to COVID-19 exposure. In addition, unlike a typical enforcement action, advance notice and a waiting period are not required.

Most notably, the regulation also requires timely (one day) notifications to employees and union representatives who may have been exposed. This notification must include information on COVID-19 related benefits that may be available to an exposed employee as well as the employer’s plan for cleaning, disinfection, and safety to help prevent future exposure. Specific notification to employers of subcontractors who were at the worksite at the time of the potential exposure, is required within the same one-day time period.In addition, there are certain “outbreak” notification requirements to the local Health Department. It should be noted that the statute uses some specific definitions that govern when notice must be provided. You should review them carefully when determining when to notify employees. 

Each industry faces unique challenges in establishing adequate controls. To help employers with these challenges, please refer to the following guidance and other helpful resources:

Of course, the best way to avoid having to provide notice of COVID-19 exposure is to have good protocols in place to prevent workplace exposures in the first place. However, even with the best plans in place, there are no guarantees that workplace exposures can be completely eliminated in light of community spread of COVID-19. Because this new law has very detailed written notice requirements subject to enforcement, employers should work with legal counsel now to establish communication and documentation protocols ahead of the January 1, 2021 effective date. 

For general questions regarding employer obligations or Cal/OSHA compliance, please don’t hesitate to reach out to our office.

Thursday, August 20th

Webinars & Other Updates: August 20, 2020

Upcoming Webinars

Heat Illness Prevention
Presented by: State Fund
Recorded Webinar…View Anytime!

Talk about a heat wave! As temperatures rise, so does the risk of heat illness. California employers with any outdoor places of employment must comply with the Heat Illness Prevention standard. Due to the current state restrictions, many more employees may be working outdoors and might not be aware of the risks that can come with the heat.

Check out this webinar recording from State Compensation Insurance Fund to learn how to protect your employees from heat illness when working outdoors and maintain Cal/OSHA compliance.

Topics covered include:

  • Ways of preventing heat illness in outdoor workers
  • Signs and symptoms of heat illness and appropriate first aid/emergency response
  • The requirements of Cal/OSHA’s Heat Illness Prevention Standard, T8CCR Section 3395
  • What Cal/OSHA requires employers to include in a written Heat Illness Prevention Plan
  • Common Cal/OSHA citations related to work outdoors in the heat

More information can also be found via the Cal/OSHA Heat Illness Prevention eTool:

Plan and Prepare for Q4:Retail, Restaurants, and Health & Wellness
Presented by: Cal Poly CIE Small Business Development Center
August 25, 2020 | 9:00 am – 11:00 am PST

As the biggest revenue-making quarter of the year approaches, we are bringing together experts in strategy and digital marketing to make sure your business is ready for the upcoming holiday season.

  • 9 am – 10:05 am General Session
  • 10:05 am -10:10 am Break
  • 10:10 am -11:00 am Industry Break Out Sessions

This workshop is led by Lani Lott, expert consultant in economic revitalization and Steve Burnside, a digital marketing specialist.
Lott will lay out the “Road Map to Prepare for the Holiday Season,” including customer outreach strategies and the importance of collaborating with fellow business owners. Burnside will discuss in-practice tools and platforms to digitally market strategies. Receive a valuable policy and regulation update from Downtown SLO and participate in breakout sessions, specific to your industry.

The registration fee for this workshop is $10/person

Other Information and Updates

California Wildfire Smoke Regulations

As if the heat wasn’t enough, the smoke produced by nearby wildfires is now adding another level of concern for outdoor workers.

State Fund has provided information regarding Cal/OSHA requirements and other steps that can be taken to help protect yourself and your employees against wildfire smoke exposure.

You can also visit to check and monitor air quality.

If you have questions regarding safety compliance as a result of impaired air quality, please email our Loss Control Analyst, Michael Schedler at

Stay up-to-date with CDC Guidance

It is important to monitor your new safety practices and procedures for necessary changes, but staying up to date with the changing CDC guidance can be difficult.

For example, did you know the CDC made recent updates to when a person can discontinue home isolation?

Sign up for regular CDC newsletter updates by clicking the button below. Enter “COVID-19” in the search bar for applicable newsletters.

REMINDER: SLO City Small Business Relief Fund

Applications for the SLO CIty Small Business Relief Fund will be accepted until 5 pm on Monday, August 24. All for-profit businesses in the City of SLO are invited to review the eligibility criteria and apply. Applicants are eligible to receive a grant of $5,000 to help fill immediate financial gaps until they can resume normal operations.

Recipients will be notified of possible funding in mid-September. 

REMINDER: Paso Robles COVID-19 Small Business Grant Program

The deadline to apply for the Paso Robles COVID-19 Small Business Grant Program is August 23, 2020 with grant recipients being notified and funds allocated by mid to late September.

The program will assist 10 to 20 small businesses with micro-grants of up to $10,000 in one-time financial assistance for the purpose of relieving some of the costs caused by required closures/business interruption due to COVID-19. 

Businesses headquartered in the city of Paso Robles are invited to review the eligibility criteria and apply.

Wednesday, July 8th

SLO Office Open by Appointment

As our state and counties continue to advance through the reopening stages, we want to provide an update on the steps that Morris & Garritano is taking to ensure the safety of both our clients and employees while continuing to provide the services and assistance you rely on.

Our Offices and Employees
Starting July 8th, our San Luis Obispo office will be open by appointment only. While our staff is gradually returning to the office, many of our employees will still work remotely. We will continue to meet and communicate with you as we have through telephone and videoconference. Accommodations are available in our office to help facilitate meetings with a remote employee if needed. We ask that you reach out to your Advisor or Account Manager at 805-543-6887 to schedule a meeting. At this time, our Santa Maria office will remain closed to the public, but we will update you on any changes in the coming weeks. 

Safety and Cleanliness
We have made adjustments to our SLO office to allow for social distancing and remain diligent with our cleaning practices. We kindly ask that employees and visitors wear a mask while visiting our office. Single-use masks will be available for those who need them.

As time progresses, we will adjust these safety measures accordingly and will continue to communicate any changes with you as we have over the last few months. Responding to the needs of our clients remains a top priority and we appreciate your understanding as we adjust our operations to best serve you in this new environment.

Please let us know if you have any questions or concerns.

Thank you,

Morris & Garritano

Friday, June 26th

WCIRB Update: Eff. July 1, 2020

Insurance Commissioner issues Order resulting in workers’ compensation premium savings for California businesses affected by COVID-19

The order adopts emergency regulatory changes developed by the Workers’ Compensation Insurance Rating Bureau of California (WCIRB) effective July 1, 2020 to be applied retroactively. The Commissioner’s action mandates workers’ compensation carriers reflect in premiums the reduced risk of loss due to “stay-at-home” orders. 

The official notice from the Department of Insurance can be viewed here

The below video links will provide an overview of the notable amendments, but you can also visit the WCIRB’s full reference page for more information.

We encourage you to consider these changes as you assess the impact of COVID-19 to your estimated annual payroll (if on recurring billing), actual payroll (if billed on a reporting basis), or recent audit if applicable.

If you have questions, concerns, or need to make an adjustment to your policy, please feel free to contact your Risk Advisor or Account Manager for further assistance.

Uniform Statistical Reporting Plan

Experience Reporting Plan

Exclusion of COVID-19 Claims from Experience Modification
Section VI, Rating Procedure, Rule 2, Actual Losses and Actual Primary (Ap) Losses, was amended to specify that all claims directly arising from a diagnosis of Coronavirus Disease 2019 (COVID-19) shall not be reflected in the computation of an experience modification.

Tuesday, June 16th

Work Comp Webinar: AB5, Who is an Employee?

Do you work with or hire Independent Contractors?

If so, you won’t want to miss this webinar offered by State Fund. The webinar is designed to help you have a better understanding of Assembly Bill 5 (AB5) and the changes that have been made in determining employee status in California.

Experts will discuss what impact it may have on you, your business, and most importantly, what you can do now to prepare for the changes that will take effect on July 1, 2020 as it relates to your workers’ compensation coverage.

Not a State Fund policyholder? Not a problem, this webinar is open to the public.

Topics to be covered include:

• The Dynamex Supreme Court Decision
• New “ABC” Test• Prior Test – Borello
• Exemptions to the “ABC” Test
• New Labor Code Section 2750.3
• Potential Impact of AB5

Register here: