Even before the COVID-19 crisis, businesses were warming up to the benefits of remote working, or “telecommuting.” Allowing employees to telecommute can benefit the employer and the employee alike. Some of the benefits include:
- Lower rent and other overhead and operational costs.
- Broader geographic scope of hiring.
- Better work/life balance.
- Reduced commuting time and expense.
- Increased employee loyalty and morale.
Many states offer incentives for employers to allow remote working. For example, Georgia employers can claim a state income tax credit of up to $1,200 per employee for eligible telework expenses, including costs for computers, computer-related hardware and software, modems, data processing equipment, and telecommunications equipment, incurred pursuant to a telework agreement that requires the employee to telework. Further, Georgia businesses can claim a state income tax credit of up to $20,000.00 for eligible expenses, including direct program development and training costs, raw labor costs, and professional consulting fees, incurred in preparing a “telework assessment” leading to the development of policies and procedures necessary to implement a formal telework program. See O.C.G.A. § 48-7-29.11.
With the recent onset of COVID-19, employers have gone from “coming around to” the idea of telecommuting to embracing it in order to survive. IT directors worldwide have become the best friend of CEOs, as countless dollars have been spent, often on an emergency basis, to install or upgrade remote access capabilities. Although businesses will eventually return to some version of the “old” normal, telecommuting will inevitably play an ever-increasing role in the “new” normal.
REDUCE THE RISK
Unfortunately, the unforeseen need to immediately move to a remote working environment has exposed thousands of businesses, for the first time, to the technical challenges and legal uncertainties associated with remote employees, while even early adopters of the offsite model will be challenged by the overwhelming, urgent need to expand it.
Every business that uses emails or the internet to do business is a “tech company,” which means that virtually every company is a tech company. Each one of these businesses should already have assessed its on-site cybersecurity and data privacy risks and obligations and implemented an Information Security Policy applicable to its on-site workforce and operations. This assessment should have identified the types and amount of data the company stores or accesses, analyzed the business’s legal obligations with respect to the data (contractual, regulatory,[1] or otherwise), evaluated the risk that the systems that house the data could be compromised, and determined the technical, physical, and administrative safeguards needed to minimize that risk. The Information Security Policy itself consists of written policies and guidelines that describe each of the required safeguards and provide a mandatory mechanism to put them in place.
Most of these businesses should now supplement their on-site Information Security Policy with a comprehensive Telecommuting Policy that (i) applies any necessary elements of the on-site policy to the remote setting (e.g., document shredding requirements); (ii) addresses the numerous federal, state and local employment law issues that may arise in a remote work setting;[2] and (iii) includes strict measures to address the increased cybersecurity and data privacy risks that arise each time a remote employee logs onto an employer network.
The basic elements of a Telecommuting Policy are:
- Criteria for employee eligibility to telecommute;
- Procedure to request approval to telecommute;
- Conditions under which approval may be revoked;
- Employee duties/expectations (hours, timekeeping, availability, communication, etc.);
- Employer support (technical support, equipment, expense reimbursement, etc.);
- Workspace setup, including ergonomics;
- Employer’s reasonable accommodation policy; and
- Employee work area and break times (to avoid liability for injuries that occur outside the course and scope of employment).
KEEP HACKERS AT BAY
From a cybersecurity standpoint, the saying that “a chain is only as strong as its weakest link” has no greater application than with remote employees. For this reason, the goal of every Telecommuting Policy should be to ensure that the security measures in place for remote access are as strong as those present on the “mother ship.” Every Telecommuting Policy should contain rigorous data security guidelines and procedures to address the unique risks of remote system access, the most basic of which are:
- Employees may only access the company network via an encrypted web connection over a virtual private network (VPN) or through a cellular “hotspot” (and never via an unsecured or public Wi-Fi connection).
- Multifactor authentication for an employee to access the employer’s network.
- Employees must regularly update passwords on personal computers and other devices, as well as home routers, with robust, difficult-to-guess passwords.
- Firewalls and antivirus, anti-malware, and encryption software installed on remote computers should be current and regularly updated with all security patches.
- Remote access should be limited to only the data and portions of the network necessary for employees to perform their specific job duties.
- Remote employees should never:
  - download unapproved software on a device used for remote access.
  - save or download work-related documentation or data to a personal device or hard drive.
  - email work-related documentation or data to or from personal email.
- IT should have access to employee devices that are used to access the main network and be able to erase data and terminate access through those devices.
Ideally, the elements of a company’s Telecommuting Policy, including the consequences of a violation, will be embodied in a formal agreement between the employer and remote employee.[3] In addition, every employer utilizing remote workers should:
- Ensure that its IT department has adequate resources to provide increased support and security monitoring as teleworking demand increases.
- Conduct online and on-site employee training on the additional risks to data security associated with telecommuting, including coronavirus-related email scams and “phishing” attempts and possible security breaches involving Zoom or other video-conferencing platforms.
- Review its cybersecurity/data breach insurance policy to ensure that amounts and types of coverage are appropriate and that its representations in the original application are consistent with its current configuration and number of remote workers.[4]
Every business should take a “belt and suspenders” approach to telecommuting by supplementing its on-site Information Security Policy with a separate Telecommuting Policy. Those that don’t may well get caught with their pants down.
[1] Applicable regulations could include, among others, the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act of 1974 (FERPA), the Children’s Online Privacy Protection Rule (COPPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). Significantly, GDPR and CCPA can apply to a business regardless of its physical location.
[2] Employment law issues that may arise in a remote working environment relate to matters such as hiring requirements, non-discrimination, disability, vacation, unemployment benefits, paid sick leave and other leave, work injuries, drug testing, payment of wages and overtime, employee privacy, meal and rest breaks, and required notices and disclosures.
[3] A formal agreement is required for businesses to take advantage of the Georgia tax credits discussed above.
[4] The Department of Homeland Security has provided further advice for companies with remote employees at the below link.
Cyber Insurance, Data Privacy and Cybersecurity at DEF
In today’s technology-driven world, the need for data privacy and cyber security is a concern for all businesses and individuals. At Drew Eckl & Farnham, we maintain a team of attorneys who focus their practice on Cyber Insurance and Data Privacy and Security Compliance. As part of our leading 35-year attorney insurance coverage practice, our cyber insurance team can handle claims and coverage disputes in this highly technical and specialized practice. Additionally, we work together with our clients to develop and improve data privacy practices and incident response plans for Cyber Insurance, Cyber Privacy and Data Security Exposures.