TIPS FROM LEGAL, HR & CYBER EXPERTS ON RETURNING TO WORK
Returning to work is a topic on everyone’s minds right now as COVID-19 restrictions begin to lift. Last week, we spoke with three experts in their respective fields—Kevin Jackson, CISO of Vernovis, Keith Rummer, CHRO of PECO, and Greg Tapocsi, Legal Counsel of Dinsmore & Shohl—to provide integrated legal, HR and cyber guidance for you to consider as you build your reopening plan.
If you missed it, click here to view the full 45-minute Q&A session.
1. OFFICE SAFETY
If your company is considering reopening its office doors, there is a lot to consider from a health and safety perspective. You should utilize resources such as the CDC, WHO, and your local government websites as you build your plan. Keith shared that PECO is starting with a pilot phase, in which they let a limited number of employees return to the office. To do so, they have enacted the following precautions:
- Daily Questionnaires
- Temperature Readings
- Social Distancing in the Workplace
- Traffic Flow Patterns
- Disinfection and Cleaning
- HVAC System Updates
- Bathroom and Elevator Protocols
- Hand Sanitizing Stations
2. SENDING EMPLOYEES HOME
From a legal perspective, can an employer tell their employees to go home or stay home for health and safety purposes? Generally speaking, yes. Be sure to check the local mandates in your area. For example, local municipalities in Chicago have a separate order that requires employees to stay home if they have symptoms.
3. AMERICANS WITH DISABILITIES ACT
What if you have employees who fall into the higher risk category as defined by the CDC? According to the Americans with Disabilities Act, you cannot single them out because of their age or chronic conditions. You must be careful with person-specific decisions.
4. WAGE AND HOUR LAWS
Are you temperature testing employees before work? What happens when you ask an employee to wait in line so they can be tested? Do you need to pay them for that time? Generally speaking, yes, you are required to compensate them.
5. PERSONAL TRAVEL
What are you allowed to ask employees regarding their personal travel? Under the Equal Employment Opportunity Act, you can ask if they’ve been to a Level 3 area or any areas where state or local authority has recommended self-quarantine.
6. SECURE BUSINESS CONTINUITY AND DISASTER RECOVERY
Did you have a BCP before COVID-19? If yes, be sure to track and document results. Capturing problems and pain points now will help you vastly improve your policy in the future. If you did not have any policies in place, it is critical to take advantage of this time to improve and get help from third-party resources if needed. Don’t let the lessons learned go to waste. You can click here to read how we helped a client complete their BCP in just two weeks.
7. DATA GOVERNANCE
Many companies were forced to get creative to facilitate collaboration, which has led to further workarounds created by their employees. Does your policy state that they can only use approved communication methods? Have your employees been using their personal devices or unapproved social media platforms for communication while working from home? What data is this potentially exposing?
There are two areas to explore when talking about employee privacy. If you consider the scenario mentioned above where an employee may be using their own devices, are you now passively monitoring their personal information? Your policy needs to reflect that.
The second aspect to consider is the health data you may be collecting from your employees. If you’re collecting questionnaires and their temperature, that data needs to be treated the same as any other PII.
8. CLEAN YOUR MACHINES
Reports have shown that home networks are anywhere from 3x-5x “dirtier” than corporate networks. This means you’re 3x-5x more likely to have malware on your home networks that you’re not necessarily aware of. You need to have procedures and processes in place to ensure WFH devices are updated and scanned for viruses before they can access corporate data or assets.
9. EXCEPTION MANAGEMENT
Did you have to scramble to purchase VPNs to enable collaboration? Do you have API endpoints you had to stand up to ensure your team could work from home? What kinds of allowances and permissions did you give? The attack surface remains even after you stop using them. Now is a good time to start thinking about how to undo some of the technical and operational changes you made, and secure the infrastructure you had to implement in a rush.
A cybersecurity program or Business Continuity Plan isn’t complete if your team isn’t properly trained on it. Have you taken the time to extend your training policies and put them into practice? Topics should include work from home, return to work, technology factors, and human factors to successfully implement your BCP. One aspect to highlight is incident response policies. IT support can look very different in a work from home setting. Do you have remote incident response capabilities and end-user awareness training?
Again, click here to view the full 45-minute Q&A session, and don’t hesitate to reach out with questions. We want to help put Ohio back to work safely and securely.
Please note that all of the tips above are based on personal experiences and should not be considered legal or formal advice or consultation. If you would like specific guidance for your organization, we’d be happy to schedule a call.