HealthCare

Leave Laws and Cybersecurity

The Baldwin Group | Updated: July 24, 2025 | 11 minute read

At the 2025 SHRM National Conference, HR professionals gathered to tackle some of the most pressing challenges reshaping the modern workplace. Among the standout topics were two critical and fast-evolving issues: the transformation of employee leave laws and the growing prevalence of cybercrime.

From new state mandates and emerging trends in employee expectations to the importance of rigorous cybersecurity practices, HR professionals were entrenched in learning about these topics and how they can proactively adapt to keep pace. This included expert-led sessions by The Baldwin Group that gave attendees a deep dive into both trending areas, equipping employers with actionable insights to help them stay compliant, competitive, and prepared.

Let’s explore what the experts had to say:

Evolving Leave Laws

Employee leave policies are undergoing a sizable shift. Driven by the aftershocks of the COVID-19 pandemic, the normalization of remote work, and rising employee expectations, a wave of new legislation is reshaping how employers must approach leave. The result is a combination of federal, state, and local laws that demand both strategic oversight and operational agility.

State and local leave laws are expanding

Today, nearly every state mandates that employers offer some form of employee leave, whether for illness, family care, or civic duties. But many states are going a step further, introducing or enacting leave laws that expand federal protections and provide employees with additional options. In fact, many states have enhanced laws particularly around:

  • Paid family leave – provides eligible employees with paid time off to care for a new child or a seriously ill family member
  • Paid sick or disability leave – provides paid time off for employees to use when they are managing their own illness
  • Parental leave – allows employees to take time off from work to care for and bond with a newborn or newly adopted child

Leave laws, however, can vary widely from state to state. So employers operating in multiple states need to be aware of local requirements to avoid compliance violations. For example, Minnesota’s Paid Family and Medical Leave Law (effective January 2026) provides up to 20 weeks of paid leave for personal or family health needs, bonding with a new child, or military-related absences. It’s funded by a 0.7% payroll tax shared between employers and employees. And Florida’s Paid Family Leave Insurance Act (passed in 2023) allows employers to voluntarily offer paid family leave as part of a group disability income policy to cover leave for childbirth, adoption, caregiving, or military deployment.

Federal leave laws remain a foundation

Despite the surge in state-level legislation, federal laws remain the cornerstone of leave compliance. Key statutes include:

  • Family and Medical Leave Act (FMLA) – provides up to 12 weeks of unpaid, job-protected leave for family or medical reasons
  • Americans with Disabilities Act (ADA) – requires reasonable accommodations, including leave, for employees with disabilities
  • Pregnancy Discrimination Act (PDA) – prohibits discrimination based on pregnancy or childbirth
  • Uniformed Services Employment and Reemployment Rights Act (USERRA) – protects job rights for military service members
  • Veterans’ Benefits and Transition Act of 2018 (VBTA) – amends USERRA to require employers to provide job-protected leaves for returning service members and veterans

New trends are shaping leave benefits

As awareness grows for expanding leave benefits, so do employee expectations. Forward-thinking employers are responding with more inclusive, flexible leave policies that reflect broader societal shifts. These policies often include paid sick leave, such as Alaska’s new law requiring employers to provide paid sick leave to eligible employees starting July 1, 2025. Employers are also adopting predictive scheduling to help employees better manage their personal lives and minimize work-life conflicts. Additionally, leave policies are expanding to cover a wider range of circumstances, including civic duties, school activities, organ donation, and recovery from domestic violence.

Compliance is still a priority

Of course, managing a broadening range of leave laws can be complex, especially for employers with employees and operations in multiple states across the country. As laws change and evolve, experts suggest that employers take the following steps to remain compliant:

Compliance Roadmap

  • Step 1: Review federal laws, which apply to all employers
  • Step 2: Assess state statutes in every state where you have employees
  • Step 3: Review and assess local ordinances (e.g., county codes, city ordinances)
  • Step 4: Create a compliance matrix to track obligations by location
  • Step 5: Monitor leave law changes on a regular basis to stay up to date
  • Step 6: Consult legal and insurance experts to help clarify requirements and validate your approach

Complying with leave laws is a complex process that requires understanding and navigating federal, state, and local regulations while also effectively managing internal leave operations within HR departments. Employers must evaluate which laws apply to each employee based on their location and job status, develop clear procedures for requesting and approving leave, and train managers about compliance and communication best practices. Accurate record-keeping of leave requests, approvals, and usage is essential, as is ensuring the privacy of Protected Health Information (PHI) by limiting its distribution to only essential individuals. Leveraging technology to track accruals and automate required notices can simplify processes, while considering third-party vendors for leave administration support can provide additional efficiency. Throughout, it’s critical to protect employee privacy when handling medical or personal information and seek expert support, as needed.

It’s important to note that failing to comply with evolving leave laws can have significant consequences for employers. These may include costly fines, ranging from hundreds to thousands of dollars per violation, restitution for denied or mishandled leaves, compensation for emotional distress, and legal damages accompanied by attorney fees to defend against employee lawsuits. Violations can also trigger audits, leading to further scrutiny, and may result in the reinstatement of wrongfully terminated employees.

Aside from avoiding legal implications, employers who offer robust and compliant leave benefits can attract and retain top talent, foster employee loyalty, and build a resilient, people-first culture.

How a trusted advisor can help

Navigating the current landscape for leave benefits doesn’t have to be overwhelming. Employee benefits advisors can be invaluable partners, helping employers interpret evolving laws, streamline administration, support employees through the leave process, and foster a positive workplace environment. With the right guidance, organizations can turn compliance into a competitive advantage and move forward with confidence in today’s increasingly complex business world.

What employers should know about cybercrime

Cybercrime has evolved from primarily an IT concern to an issue that can now affect all aspects of a business—from operations and finances to reputation and employee safety. As digital transformation accelerates and remote work becomes normalized, the threat landscape will continue to expand at a rapid pace. For employers, especially those in healthcare and other data-sensitive industries, the stakes are high.

Cybercrime = criminal activities involving computers or networks that include damaging systems, spreading malware or illegal content, and stealing data

At the 2025 SHRM National Conference, The Baldwin Group’s experts emphasized the pressing need for HR and business leaders to understand the evolving cyber threat environment and take proactive steps to help safeguard their organizations. Here’s what employers need to know:

Understand HIPAA’s security rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule sets national standards for protecting sensitive patient health information. It serves as a critical foundation for developing a broader cybersecurity strategy for any business that handles electronic protected health information (ePHI). The Security Rule provides a comprehensive framework for implementing administrative, technical, and physical safeguards that ensure the confidentiality of data by preventing unauthorized access, integrity of data by making sure it is not altered or destroyed, and availability so that data remains readily accessible when needed.

Realize the cost of cybercrime

Protected health information (PHI) is vulnerable to the fast-growing and expensive threat of cybercrime. Motivated by profit, cybercriminals use tactics, like ransomware, phishing, and data theft, to exploit vulnerabilities, leaving organizations to manage the fallout.

Adoption of digital technologies, expansion of connected devices, and the rise of remote work have all fueled malicious cyber activities, highlighting the growing need for organizations to develop, and adhere to, strong data protection and backup practices. Recent statistics tell a compelling story:

Cybercrime Stats and Facts

  • In 2023, the average cost of a data breach was $4.45 million.[1]
    • In healthcare, that number jumps to $10.93 million.[2]
  • Across the globe, cybercrime is expected to cost $10.5 trillion this year.[3]
  • In healthcare, 20% of sensitive data is typically affected in a ransomware attack—compared to just 6% in other industries.[4]
  • Overall, there’s been a 21% increase in reported ransomware cases and a 225% increase in associated losses.[5]

Rely on HIPAA as a cyber defense tool

While HIPAA is a compliance requirement, it can also serve as a strategic tool for helping employers defend against potential cybercrimes. By enforcing preemptive security measures, HIPAA equips organizations to better prevent, detect, and respond to cyberattacks. These proactive steps include conducting risk assessments and implementing a robust security management process, utilizing malware detection and prevention tools, providing user training to help employees recognize potential threats, and establishing access controls to limit exposure to electronic protected health information (ePHI). These measures not only help ensure compliance but also strengthen an organization’s overall cybersecurity framework.

To prepare a comprehensive defense against potential data and environmental security threats, employers can implement a robust backup plan to safeguard data during cyber incidents, establish and regularly test disaster recovery and emergency operation plans to ensure readiness, and routinely assess the need for and importance of all applications that are used across the enterprise.

Form an incident response and recovery process

Even with the best defense plans in place, a cyber incident can still impact an organization. So cyber experts at the 2025 SHRM National Conference suggested that employers formulate detailed security incident response procedures that are designed to:

  • Detect and analyze the cyber event
  • Contain and remove malware
  • Correct and mitigate any vulnerabilities
  • Recover lost data and restore normal operations
  • Report the incident to law enforcement (e.g., the FBI), noting its scope and timing

When a breach occurs, organizations must quickly determine which systems, applications, networks, and devices were affected, the origin and scope of the attack, and the methods and tools used by the cybercriminal.

Follow notification guidelines

Under HIPAA, any unauthorized access, use, or disclosure of PHI is presumed to be a breach unless proven otherwise. And if a breach occurs, employers must notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, if over 500 individuals are impacted, relevant media outlets.

Organizations should also assess the type and sensitivity of the PHI involved, whether it was viewed or acquired, the identity of the attacker, and if mitigation efforts were effective.

For malware-related incidents, determining both the scope and depth of the incident is critical for mounting an appropriate response that both complies with regulations and mitigates loss. This includes analyzing the malware’s behavior, its ability to spread across systems, the types of data it targets, whether it attempts unauthorized data transfer, if it installs hidden software for future access, and the potential impact on data availability and integrity.

Employ best practices

As cybercriminals grow more sophisticated, employers should adopt a multi-layered cybersecurity strategy to protect their systems, data, and employees. Implementing strong cybersecurity practices, like those featured in the list below, not only helps prevent breaches and strengthens cybersecurity posture, but it can also ensure regulatory compliance and business continuity.

Cybersecurity best practices

  • Establish an organizational security culture through training, awareness, and employee knowledge assessments
  • Protect mobile devices by requiring up-to-date operating systems and security software, and frequent authentication
  • Encourage good digital hygiene, such as screen lock usage, timely software updating, and strong password usage
  • Use a firewall, which can be one of the best defenses against unauthorized access
  • Install and maintain anti-virus software and perform regular updates
  • Control physical access to your buildings, employing receptionists, security guards, cameras, automatic door locks, and other forms of “gatekeeping”
  • Tightly control network access in physical and remote environments
  • Require strong, frequently updated user passwords that are harder for cybercriminals to crack
  • Use multi-factor authentication to control user access rights
  • Plan for the unexpected, document incidents, and regularly test security systems and procedures

How a trusted advisor can help

Although no organization is completely immune to cyber threats, a trusted advisor can provide valuable support to help business leaders prepare for, respond to, and recover from the growing incidence of cybercrimes. By leveraging the latest tools, insights, and best practices, advisors can work with organizations to craft tailored solutions that strengthen their cybersecurity stance, ensure HIPAA and regulatory compliance, minimize operational disruptions, limit expenses, and facilitate a swift and effective recovery after an incident.

In closing

For today’s business leaders, the evolution of employee leave laws and the escalating threat of cybercrimes are two timely business trends that demand strategic foresight, operational discipline, and trusted guidance.

The experts at The Baldwin Group go beyond transactional support to help simplify the complexity of employee benefits and risk management, safeguard your business, and protect what matters most: your people and your organization.

Let’s work together to discuss these and other key trends to ensure your business is as prepared as possible.

[1] IBM Security – Cost of a Data Breach Report 2023

[2] IBM Security – Cost of a Data Breach Report 2023

[3] USA Today, “Cybersecurity statistics in 2024,” Sierra Campbell and Mehdi Punjwani, October 4, 2024

[4] Healthcare Dive, “Ransomware attacks on healthcare impact nearly five times more sensitive data: report,” Emily Olsen, April 30, 2024

[5] U.S. Department of the Treasury, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” September 21, 2021
