We previously have described certain country-specific initiatives to re-open the economy, and we have provided insights on issues that employers should consider when employees are allowed to return to the workplace.  Over the past several weeks, some local governments around the globe have begun slowly to initiate progressive measures to revise and even rescind COVID-19 emergency legislation, orders and lockdowns.  These governments now are grappling with workplace-specific issues.  As such, employers must determine how to maintain their duty of care to all employees and to protect employees’ health and safety, while safeguarding employees’ privacy.

This inevitable and inherent tension underlies the discussion surrounding several workplace issues, including (i) COVID-19 testing, (ii) taking temperatures, (iii) requiring face coverings and (iv) disclosing COVID-19 exposure in employee return to work questionnaires.  The below analysis highlights some general themes and practices before providing some country-specific information.  Note, however, that this is intended as a high-level overview of the applicable legal issues in certain jurisdictions, and this country-specific information likely is not sufficiently comprehensive or exhaustive to address fact-intensive inquiries and concerns.

COVID-19 Testing

Assuming that COVID-19 tests are available and can produce accurate results quickly, certain countries, including Australia and Brazil, allow employers to require employees to submit to COVID-19 tests.  In such countries, the principle of protecting employees’ health is paramount in relation to employee privacy concerns.  Employers, however, may be required to support such a request with a lawful and reasonable purpose.  For example, employers must comply with privacy laws when requiring COVID-19 testing of employees and failure to do so may render such requests unlawful.  In addition, prior to requiring a COVID-19 test, employees may have to show or report COVID-19 symptoms.  Many countries also require employers to obtain employee consent in a certain form prior to mandating COVID-19 testing.  For example, in Luxembourg, Thailand and the United Kingdom, employee consent should be obtained in writing.  That said, some countries, including France and Germany, among others, do not allow employers to require COVID-19 testing of employees because, for example, (i) nasal swabs are invasive and employers unlikely are able to justify that such a test is necessary and proportionate, except in very exceptional cases, (ii) employers are not allowed to require employees to submit to any type of health check and/or (iii) employers cannot process any medical data of employees.  Some other countries, including the Netherlands and Singapore, do not allow employers to require COVID-19 testing, and instead only company doctors or medical professionals may assess whether employees should take a COVID-19 test.

Temperature Screening

Across international jurisdictions, assuming that thermometers are adequately cleaned and sanitized, employers overwhelmingly are allowed to require employees to have their temperature screened prior to entering the workplace.  Temperature screenings generally are considered the least drastic measure to maintain employees’ health and safety at the workplace.  Several countries, including China, Colombia, Indonesia and Malaysia, among others, legally require employers to screen employees’ temperatures as part of a standard health measure.  Other countries, including Japan, also allow employers to screen employees’ temperatures, but as a best practice, employee consent should be obtained in advance.  Furthermore, in Belgium, prior to screening employees’ temperatures, employers should consider obtaining the advice of the company doctor and health and safety committee.

Despite the international community’s broad support for allowing employers to screen employees’ temperatures, some countries, including Luxembourg and the Netherlands, do not allow employers to screen employees’ temperatures prior to entering the workplace because medical data, including temperature, is employees’ medical data that cannot be processed.  In addition, while France does not ban temperature screening, it is not recommended.  Instead, the French government recommends that all employees (i) measure their temperature if they believe that they may have a fever and (ii) self-monitor the appearance of symptoms suggestive of COVID-19.  Even in jurisdictions where temperature screening is not permitted, it always is possible to request employees to monitor their own temperatures.

Face Coverings

Generally, employers likely may require employees to wear face coverings in the workplace during the COVID-19 pandemic to protect all employees’ health and safety.  This is true even in countries that are highly protective of employees’ privacy rights, including France and Germany.  Indeed, many countries, including Chile, China, Italy and Singapore, among others, require employees to wear face coverings in the workplace.  Employers should consider who will provide the face coverings, and if employees must provide their own face coverings, who will cover the costs of the face covering.

Disclosing COVID-19 Exposure in Return to Work Questionnaires

Prior to returning to the workplace, employees in many jurisdictions, including, for example, Brazil, Germany and Singapore, may be required to certify responses to questionnaires that inquire about COVID-19 diagnosis, symptoms and close contacts with individuals who are or have been diagnosed with COVID-19.  Requiring employees to certify certain COVID-19 information places a premium on workplace safety because collecting such information allows employers and local authorities to carry out COVID-19 response measures (e.g., contact tracing).  If employees answer “Yes” or refuse to answer any such question, local law in China, Hong Kong, Japan and New Zealand, among other jurisdictions, allows employers to prevent such employees from entering the workplace.

But in other jurisdictions, employee privacy rights are paramount, even in the context of workplace safety.  Note that employers always must comply with data protection laws when implementing protocols such as return to work questionnaires.  In Singapore, for example, employers must comply with the Personal Data Protection Act and ensure that (i) reasonable security arrangements are in place for the protection of collected information, (ii) collected information will not be used for purposes not related to COVID-19 response measures without employee consent or legal authorization and (iii) collected information will no longer be retained as soon as it is reasonable to assume that the COVID-19 response measures cease to exist.  Indeed, in Ireland, employers also may be obliged to demonstrate a strong justification for requiring employees to certify such information based upon necessity and proportionality.  In addition, in some countries, including the Netherlands, employers cannot process any medical data of employees.  Rather, only a company doctor or other medical professional may ask these questions.  Other jurisdictions, including France, completely ban employers from inquiring about COVID-19 exposure in such return to work questionnaires.

These are just some of the concerns that employers must consider.  Stemming from these complicated issues, employers must determine (i) how to respond to inevitable violations of policies and requirements (e.g., whether to follow a progressive disciplinary procedure or to terminate the employment relationship) and (ii) how to maintain the confidentiality of employee medical information while still notifying the applicable government authorities and employees who have had close contact with employees who have been diagnosed with COVID-19 or are suspected COVID-19 cases.

Generally, it is crucial that employers communicate effectively with employees when managing the COVID-19 return to the workplace phase.  To alleviate employees’ fears when returning to the workplace, employers should provide employees with a COVID-19 Safety Policy/COVID-19 Return to Work Policy that sets out the precautionary and preventative measures and controls that employers are implementing to ensure all employees’ health and safety.  Such a policy should identify and implement employers’ measures to mitigate the risk of infection (e.g., social distancing measures, wearing face coverings and maintaining high standards of hygiene and cleanliness).

In the end, COVID-19 legislation, emergency orders and lockdowns are dynamic, fluid and changing rapidly.  As a best practice, employers should seek legal counsel for timely analysis and guidance on any COVID-19-related issue.  Obtaining legal counsel also will allow employers to appreciate the cultural differences and nuances that permeate the multi-national employer-employee relationship generally and affect employers’ strategies and responses to the current COVID-19 pandemic.

As numerous jurisdictions now mandate citizens wear face masks in public, many retailers have begun requiring customers to cover their faces as a safety measure to mitigate against the spread of COVID-19 among employees and fellow customers.  Retailers intending to enforce a policy whereby it will turn away customers who refuse to wear face masks should be mindful of abiding by Title III of the Americans with Disabilities Act (“ADA”), which governs retails stores as a place of public accommodation.

May a Business Have a Policy Turning Away Customers Who Refuse to Wear Face Masks?

Likely yes, for the time being.  The ADA generally prohibits eligibility/screening criteria that tend to exclude individuals based on a disability, unless the criteria are necessary for the business to operate safely in providing its goods and services.  Those requirements must be based on actual risks and may not be based on speculation, stereotypes, or generalizations about people with disabilities.  At this time, businesses concerned about the safety of their staff and customers should be justified in relying upon guidance from the Centers for Disease Control and Prevention (CDC), as well as state and local governments’ orders, to justify policies forbidding customers without face masks from entering their stores.  However, as guidance and state/local rules change regularly, retailers should regularly track developments so as not to rely on something that is no longer current and applicable.  Moreover, as a best practice, and to avoid unwelcomed situations at the store, a business choosing to enforce such a policy should clearly communicate it to its customers (including in advance, e.g., via its website).

May a Business Turn Away Customers Who Refuse to Wear a Face Mask, Even Without a General Policy Requiring Face Masks Be Worn in Stores

 It depends.  The ADA permits a retailer to deny goods or services to an individual with a disability if their presence would result in a “direct threat” to the health and safety of others, but only when this threat cannot be eliminated by modifying existing policies, practices or procedures or permitting another type of accommodation.  Whether a customer poses direct threat is an individualized, fact-sensitive inquiry. If a business does not have a clear policy of turning away customers who refuse to wear face masks, and turns away an individual for that reason, the business must be prepared to identify how/why that individual’s specific, observable, condition/behaviors made them a “direct threat”.  For example, if the person exhibited generally recognized symptoms of COVID-19 (such as aggressive coughing compounded with profuse sweating or visible difficulty breathing), refusal of service without a mask on an individualized basis may be justifiable.  Conversely, a business could be hard-pressed to successfully argue that a customer without a face mask posed a “direct threat” if he or she was asymptomatic or if there was some form of accommodation that would have allowed the person to be served (e.g., allowing someone to wear a scarf instead of a mask).  Upon refusing service on “direct threat” grounds, the store should contemporaneously document its actions and justifications in the event their decision is later challenged.

What If a Potential Customer’s Disability Is Uniquely Impacted Due to the Face Mask Requirement?

In limited circumstances, there could be a situation in which a customer cannot wear a face mask due to a legitimate health reason (e.g., a person with a respiratory condition who cannot have their breathing restricted).  In this case, pursuant to the considerations detailed above, a business may not need to alter their face-mask required policy, but in any event should attempt to accommodate that customer in an alternative manner that would continue to protect the store’s employees and other customers while also providing service to the customer (e.g., providing curb-side pick-up; no contact delivery; or assistance via online store services).

Face masks may also present communication barriers to individuals who rely on lip reading to communicate.  The ADA requires retailers to provide effective communication to individuals with disabilities through the provision of auxiliary aids and services that are appropriate for the nature, length, complexity, and context of the communication and the customer’s normal methods of communication.  Tools such as communication via text messaging, a disposable pen/pad, or a sanitized dry erase board could strike the right balance between achieving effective communication and helping to curb the spread of COVID-19.

The economic downturn caused by COVID-19 pandemic has resulted in an unprecedented number of layoffs, furloughs, and reduced hoursUnder the Consolidated Omnibus Budget Reconciliation Act (“COBRA”), when employment is terminated or hours are reduced and there is a loss of coverage, employers (generally those with 20 or more employees) must provide notices to covered employees and their covered spouses and dependent children explaining that they have the right to elect to continue receive health care coverage. In addition, when a covered employee dies, COBRA requires employers to notify the employee’s spouse and dependent children that they have the right to elect to continue health coverage.  On May 1, 2020, the Department of Labor (“DOL”) issued a new model general notice and election notice (“Notices”) for the purpose of providing more information about how Medicare and COBRA interact.  In Frequently Asked Questions, issued with the Notices, the DOL states that employers may use the Notices to satisfy their COBRA notice obligations.

The Notices, however, do not address the joint DOL and Treasury COVID-19 guidance issued on April 29, 2020, which effectively extends the deadlines for issuing notices and making elections  for certain health and welfare plan actions and notices, by excluding the “Outbreak Period,” – i.e., the period between March 1, 2020, (the beginning of the COVID-19 national emergency declared by the president) and 60 days after the announcement of the end of the COVID-19 national emergency (or such other date announced by the DOL in a future notice). Specifically, the April 29 guidance states that group health plans must disregard the Outbreak Period when determining:

  • The 60-day deadlines for individuals to elect COBRA continuation coverage;
  • The deadlines for individuals to make COBRA premium payments; and
  • The deadlines for individuals to notify the plan of certain qualifying events (such as divorce or a dependent child aging out of plan coverage) or determination of disability as it relates to COBRA coverage.

In addition, the April 29 guidance states that group health plan sponsors and administrators may disregard the Outbreak Period when determining the date for providing a COBRA election notice, which would normally be within 14 days after the plan receives notice of a qualifying event, or within 44 days where the employer is the plan administrator.

At this time, it is not entirely clear whether employers should revise their COBRA notices to reflect the extended deadlines set forth in the April 29 guidance, or simply use the Notices that the DOL issued two days later. Since the updated model notices were issued only two days after the April 29 guidance was released, it appears that employers may not be required to update their notices. Future DOL guidance may address this.

Meanwhile, in light of the massive unemployment and loss of health care coverage, caused by the COVID-19 crisis, COBRA coverage changes appear to be on the horizon.  House Democrats have proposed the Worker Health Coverage Protection Act, H.R. 6514, which, as explained here, seeks to provide a COBRA subsidy for up to 15 months to cover 100% of the health premiums owed by unemployed and furloughed workers and, if enacted, would require employers to provide notices that include information about the availability of premium assistance. The bill is currently in committee. If Congress adopts this legislation, the May 1, 2020 model notices may soon become obsolete.

Employers planning layoffs and furloughs should review the May 1, 2020 model Notices and the April 29 guidance with their third-party administrators, insurance providers, and legal counsel, and monitor the status of H.R. 6514, to ensure compliance. As discussed here, there has been a wave of class action lawsuits alleging that employers and health plans failed to provide adequate COBRA election notices to employees.

On May 7, 2020, the Equal Employment Opportunity Commission (“EEOC”) announced that it was delaying the collection of 2019 EEO-1 demographic data until 2021 because of the COVID-19 public health emergency.  Accordingly, the EEOC’s online filing portal for 2019 EEO-1 filings will remain closed for now.

Recognizing the substantial impact the public health emergency is having on businesses across the country, the EEOC determined that delaying collections would put employers in a better position to provide accurate data. It expects to begin collecting 2019 EEO-1 data along with 2020 EEO-1 data in March 2021.  The collection dates must still be approved by OMB under the Paperwork Reduction Act. The EEOC will notify filers of the precise collection period as soon as it is available.

As featured in #WorkforceWednesday: As employers continue to navigate the COVID-19 pandemic, many executives are taking pay cuts or forgoing pay to help businesses stay afloat. This is affecting executive contracts and compensation packages, and could result in significant changes in the future. Attorneys Gretchen Harders and Rina Fujii tell us more.

Video: YouTubeVimeoMP4Instagram.

On May 6, 2020, New Jersey Governor Phil Murphy signed Executive Order 138, in which he extended the Public Health Emergency by 30 additional days, until June 5, due to the continuing need to protect the health, safety and welfare of New Jersians from COVID-19.  Executive Order 138 also states that all Executive Orders and actions taken by any Executive Branch departments and agencies (including Administrative Orders) that were adopted in whole or in part based on the current Public Health Emergency will remain in full force and effect.

Gov. Murphy originally declared both a State of Emergency and a Public Health Emergency on March 9, 2020, in Executive Order 103.  He has explained that the State of Emergency will stay in place indefinitely, but the Public Health Emergency automatically terminates after 30 days, absent an extension.  Executive Order 138 is the second such extension, with the first having been issued on April 7, 2020, in Executive Order 119.

On May 5, 2020, and again on May 7, the Equal Employment Opportunity Commission (the “EEOC”) updated its technical assistance for employers, “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.”

The EEOC has updated its guidance multiple times since the beginning of the COVID-19 pandemic. Most recently, on April 17, the EEOC provided guidance on employers’ reasonable accommodation obligations under the Americans with Disabilities Act (the “ADA”) and included a section on “Return to Work” issues (discussed here). On April 23, the EEOC issued an update addressing COVID-19 testing by employers (discussed here).

In its latest update, the EEOC adds to its Return-to-Work guidance with Frequently Asked Questions (“FAQs”) addressing reasonable accommodation. The new FAQs will likely be particularly relevant with respect to employees who may be reluctant to return to the workplace because they are at higher risk for severe illness from COVID-19. Specifically, the newly-released guidance states:

G.3. What does an employee need to do in order to request reasonable accommodation from her employer because she has one of the medical conditions that CDC says may put her at higher risk for severe illness from COVID-19?

An employee – or a third party, such as an employee’s doctor – must let the employer know that she needs a change for a reason related to a medical condition (here, the underlying condition).  Individuals may request accommodation in conversation or in writing.  While the employee (or third party) does not need to use the term “reasonable accommodation” or reference the ADA, she may do so.

The employee or her representative should communicate that she has a medical condition that necessitates a change to meet a medical need.  After receiving a request, the employer may ask questions or seek medical documentation to help decide if the individual has a disability and if there is a reasonable accommodation, barring undue hardship, that can be provided.

Note: This FAQ confirms that it is the employee’s obligation to ask for a reasonable accommodation because of a medical condition, but the employee need not use the phrase ‘reasonable accommodation’ when making such a request. (The CDC has posted a list of high risk factors for becoming severely ill from COVID-19). The request, which may be oral or in writing, entitles the employer to ask questions and to seek medical documentation as part of the interactive process for determining whether and what reasonable accommodation may be provided.

G.4. The CDC identifies a number of medical conditions that might place individuals at “higher risk for severe illness” if they get COVID-19. An employer knows that an employee has one of these conditions and is concerned that his health will be jeopardized upon returning to the workplace, but the employee has not requested accommodation. How does the ADA apply to this situation?

First, if the employee does not request a reasonable accommodation, the ADA does not mandate that the employer take action.

If the employer is concerned about the employee’s health being jeopardized upon returning to the workplace, the ADA does not allow the employer to exclude the employee – or take any other adverse action – solely because the employee has a disability that the CDC identifies as potentially placing him at “higher risk for severe illness” if he gets COVID-19. Under the ADA, such action is not allowed unless the employee’s disability poses a “direct threat” to his health that cannot be eliminated or reduced by reasonable accommodation.

The ADA direct threat requirement is a high standard. As an affirmative defense, direct threat requires an employer to show that the individual has a disability that poses a “significant risk of substantial harm” to his own health under 29 C.F.R. section 1630.2(r). A direct threat assessment cannot be based solely on the condition being on the CDC’s list; the determination must be an individualized assessment based on a reasonable medical judgment about this employee’s disability – not the disability in general – using the most current medical knowledge and/or on the best available objective evidence. The ADA regulation requires an employer to consider the duration of the risk, the nature and severity of the potential harm, the likelihood that the potential harm will occur, and the imminence of the potential harm. Analysis of these factors will likely include considerations based on the severity of the pandemic in a particular area and the employee’s own health (for example, is the employee’s disability well-controlled), and his particular job duties. A determination of direct threat also would include the likelihood that an individual will be exposed to the virus at the worksite. Measures that an employer may be taking in general to protect all workers, such as mandatory social distancing, also would be relevant.

Even if an employer determines that an employee’s disability poses a direct threat to his own health, the employer still cannot exclude the employee from the workplace – or take any other adverse action – unless there is no way to provide a reasonable accommodation (absent undue hardship). The ADA regulations require an employer to consider whether there are reasonable accommodations that would eliminate or reduce the risk so that it would be safe for the employee to return to the workplace while still permitting performance of essential functions. This can involve an interactive process with the employee. If there are not accommodations that permit this, then an employer must consider accommodations such as telework, leave, or reassignment (perhaps to a different job in a place where it may be safer for the employee to work or that permits telework).  An employer may only bar an employee from the workplace if, after going through all these steps, the facts support the conclusion that the employee poses a significant risk of substantial harm to himself that cannot be reduced or eliminated by reasonable accommodation.

Note:  The EEOC first posted a FAQ on this topic on May 5, but removed it the same day after certain information was, according to the agency, “misinterpreted in press reports and social media.”  In reissuing this guidance on May 7, the EEOC clarified that the ADA does not allow exclusion of employees simply because they have an underlying medical condition that the CDC says might pose a higher risk of severe illness if the individual contracts COVID-19. This revised guidance makes it clear that employers must complete a “direct threat” analysis, which includes an individualized assessment based on factors relevant to the employee and the nature of the threat, and a determination of whether the threat can be eliminated or sufficiently reduced through a reasonable accommodation. In making this analysis, and considering potential reasonable accommodations, employers should refer to CDC guidance.

G.5. What are examples of accommodation that, absent undue hardship, may eliminate (or reduce to an acceptable level) a direct threat to self?

Accommodations may include additional or enhanced protective gowns, masks, gloves, or other gear beyond what the employer may generally provide to employees returning to its workplace. Accommodations also may include additional or enhanced protective measures, for example, erecting a barrier that provides separation between an employee with a disability and coworkers/the public or increasing the space between an employee with a disability and others. Another possible reasonable accommodation may be elimination or substitution of particular “marginal” functions (less critical or incidental job duties as distinguished from the “essential” functions of a particular position). In addition, accommodations may include temporary modification of work schedules (if that decreases contact with coworkers and/or the public when on duty or commuting) or moving the location of where one performs work (for example, moving a person to the end of a production line rather than in the middle of it if that provides more social distancing). 

These are only a few ideas. Identifying an effective accommodation depends, among other things, on an employee’s job duties and the design of the workspace. An employer and employee should discuss possible ideas; the Job Accommodation Network (www.askjan.org) also may be able to assist in helping identify possible accommodations.  As with all discussions of reasonable accommodation during this pandemic, employers and employees are encouraged to be creative and flexible.

Note:  Here, the EEOC provides various examples of accommodations that may mitigate a “direct threat” to an employee who is at increased risk for severe illness from COVID-19, and reiterates its advice to employers to be “creative and flexible” in responding to accommodation requests related to the COVID-19 pandemic.

The new FAQs, like the EEOC’s prior guidance, are anchored in traditional ADA principles, i.e., having a covered disability, engaging in the interactive process, and demonstrating flexibility in assessing reasonable accommodations. While this guidance can help provide some parameters for employers to consider, employers will need to individually assess their own workspaces, business needs, employees’ duties and responsibilities, and how they can best attend to requests by employees for reasonable accommodations. In order to do so, employers should analyze how to create safe workspaces, consider what modifications are feasible, and create solid processes to handle the inevitable requests for accommodations.

Many more millions of employees have been working remotely as a result of the devastating COVID-19 virus than ever before.  There is likely no going back.  Employers have been relying on a remote workforce by necessity in the short term and are realizing that in the long term they can operate efficiently and productively with their staff largely out of the office.  The public health risks will, for the foreseeable future, be the driver both on employers’ need for a remote workforce to achieve continuity of operations and employees’ demand for a safer work location.  The increased numbers of remote workers will no doubt be lasting.  But with this anticipated restructuring of work must come a comprehensive evaluation of the corresponding cybersecurity risks over the long term and how best to address them.  As employers look forward to the future of securing remote work in their organizations, they should review the following top ten considerations as part of their defense in depth.

No. 1. Think in terms of people, information and machines.  They are inseparable elements to accomplishing remote tasks and so are the associated cyber risks.  Remote employees can only communicate through their machines (e.g., computers and mobile devices) and associated software and protocols (e.g., browsers).  To be more secure, employers should think in terms of how information flows over the Internet from employee to employee, employee to customer, machine to machine, system to system throughout the communications process.  The information needs to be secured from the time of the employee’s keyboard strokes, up the information stack, to the applications and browser.  An employer must have confidence that the information will be securely exchanged between the remote workstations/mobile devices and servers and other computers, using different protocols and systems, over the Internet.  Unless you have comprehensively considered the particular job responsibilities of each remote job title, the types and sensitivity of information handled, the methods of remotely accomplishing tasks and the connected hardware and systems, and how they all interact and will be protected on a daily basis, you are missing something.  And if you are missing something, you are missing everything because one hole in your defenses is all that a hacker needs to deploy a devastating exploit.

No. 2. Develop a written risk assessment and information security plan for remote workers. If your organization has not conducted a thorough risk assessment and adopted a formalized information security program containing reasonable safeguards that has considered the threats to its remote workforce, depending on your industry, you are not in regulatory compliance with the applicable standards for safeguarding protected information (e.g., PII, PHI, financial information).  Only by writing down and addressing the likely threats and circulating the risk considerations among stakeholders for input and decision, does an organization achieve regulatory compliance and improved cybersecurity.  See, e.g., New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).  Likewise, in order to effectively protect sensitive business information and trade secrets, the same planning tools should be used.  Ad hoc meetings and crisis management will simply not suffice over the long term to address remote worker cyber risks.

No. 3. Implement multi-factor authentication as the default authentication method for remote user access from the home.  Like Dorothy’s repeating “There’s No Place Like Home” in the Wizard of Oz, keep repeating “There’s Nothing Like Multifactor in the Home,” when it comes to the authentication of any user that remotely accesses sensitive information, or has remote administrative or privileged access.  It should come as no surprise that phishing is rampant, including COVID-19 scams to compromise credentials.  Personnel training is a preventative measure, but is not foolproof.  Consequently, multi-factor authentication (MFA) should be the default method for authentication for remote home-based roles with access to sensitive or protected information.  The same holds true for remote system or server maintenance.  If your system administrators will be routinely performing remote maintenance using Remote Desktop Protocol (RDP) or have remote access to other privileged accounts, multi-factor authentication should be the default authentication method.  Similarly, if more devices in your organization are now opening RDP to the Internet because of the increase in remote work, secure your RDP.  Shodan reports, for example, that of 70,000 devices it recently scanned using RDP, 8% remain exploitable by the BlueKeep vulnerability present on older Windows versions.

No. 4. Consider and address the risks of allowing employees to access organizational resources using company computers/devices v. personal (BYOD) computers/devices. Organizations should limit access to its systems to only authorized devices.  For example, are remote employees permitted to connect to organizational resources using their personal computers or by company computers or both?  There are vastly different cyber risks with each mode of device access.  Have you fully considered the risks of an employee who routinely handles sensitive information connecting to your network though a personal computer, if you lack the ability to scan the security posture of his or her computer?  If an employee can use an unknown personal device to connect to the organization’s network, you may lack visibility into the device’s security unless you institute technical measures to authenticate the device and address those risks before network access is permitted.  Organizations may want to consider implementing a mobile device management solution, network access control appliance or other technical tools to mitigate these risks.

No. 5. Consider and address the risk to permitting direct remote access to web based organizational resources.  Nothing new here, but the frequency and volume of this direct out of network connectivity will certainly increase with more employees working from home.  Employees may access web-based resources through credentials that do not require a connection through the organization’s network, but rather by directly accessing the hosting website.  Have you addressed the risks of permitting employees to connect directly to cloud based resources outside of your network from their homes?  If so, have you considered the sensitivity of the information they have access to and how to effectively monitor this access?  What logging configuration does the hosted services permit, and have you implemented a logging and monitoring plan that is supported by rigorous personnel policies that provide notice to employees of the monitoring?  Effective monitoring is critically important to be able to detect and respond to a breach of security involving a remote user with direct web based access.  Given the risks, employers may want to consider regulating, screening and protecting this traffic, using a Secure Internet Gateway or other technical tools.

No. 6. Consider and plan for the most likely threats. Well, we have to admit this is currently a challenge because of the proliferation of the threat landscape during a pandemic: e.g., phishing; Advanced Persistent Threat (APT) attacks on healthcare and pharmaceutical companies, education and research institutions, and organizations that handle PII; cyber threats posed by North Korea.; and the ubiquitous ransomware.  All the more reason to roll up your sleeves now and engage on this topic head on with a focus on those threats and threat groups relevant to your particular industry. The continued viability of your business and the health and safety of others may depend on it.

No. 7. If you use a VPN, make sure it is secure, properly configured and offers a sufficient number of connections for your business needs.  Make sure your VPN is and remains patched, updated, and configured using secure baselines. Vulnerabilities in common VPN services recently have been highlighted. As with any patching and secure configuration process, there should be a written policy and procedure that is enforced and audited.  Also, consider eliminating “split tunneling” – where employees can access their home printers and other resources, which may create a greater risk of compromise.

No. 8. Plan for the remote worker security incident.  Plan and train for the inevitability of a remote cybersecurity incident and effective response.  For example, does your organization have a breach response plan that considers how to handle a remote incident?  How will the organization manage a security incident remotely where the employee and the company devices are not in the office?  Frequently, by planning for the incident, an organization will institute changes that greatly improve preventative controls.

No. 9. Have employees sign strong confidentiality and acceptable use agreements and plan for the termination of remote workers.  When an employee is in the office for an employment termination, it is much easier to collect credentials and company resources/devices at the time of termination than it is for a remote employee.  To address the insider threat of remote workers stealing or keeping sensitive data after they learn of their employment termination, an organization should have written procedures that ensure that system access is cut off at or before the time of termination as a default.  Remote workers should be signing strong confidentiality and acceptable use agreements that provide for the preservation, safeguarding and return of company material, and sanctions for failure to do so.  A formalized insider threat program to include remote worker security issues should be a part of any effective information security management program.

No. 10. Encrypt laptops and mobile devices containing protected information or sensitive information. With full disc encryption, an organization can protect sensitive or protected information against loss or other physical compromise of the device.  Indeed, statutes like New York’s SHIELD Act (N.Y. General Business Law §§899-aa, 899-bb) exclude encrypted information from the definition of protected “private information,” providing that the cryptographic keys are securely managed and have not been accessed or acquired.  Thus, breach notification may be avoided in certain circumstances where the loss involves encrypted information.  At the end of the day, an organization needs to consider whether a burglary, car theft, or accidental loss of the physical device are risks that should be protected against by encrypting protected or sensitive data in the hands of remote workers.  Best practices strongly support these actions.

As we previously reported, the COVID-19 pandemic has significantly altered the global workplace and international employer-employee relations.  Over the past several months, many countries have enacted nationwide orders requiring billions of people to stay at home in an effort to reduce transmission of COVID-19.  While some countries remain locked down, others, have recently initiated progressive measures to re-open businesses and return employees to the workplace, with varying degrees of success:

  • Germany: On April 27 Germany began allowing shops as large as 8,600 square feet to re-open, as well as book stores, car dealerships and bike shops, provided that they continue to adhere to strict social distancing and sanitation rules.  Following a small spike in transmission, however, on April 30 German Chancellor Angela Merkel stated that Germany would postpone any decision to re-open fully schools until there is a greater understanding of the loosened restrictions’ effects on the spread of COVID-19.
  • India: India has extended its lockdown until May 17.  During this extended lockdown, India continues to suspend all domestic and international air travel, passenger trains, and interstate buses.  Schools, hotels, gyms, theaters, and places of worship remain closed.  Meanwhile, grocery stores and pharmacies are allowed to stay open.  Face coverings are required in all public places, and gatherings of more than five (5) individuals are prohibited.  India has announced a phased re-opening, under which health officials will designate areas as red, orange, or green zones, depending upon the concentration of COVID-19 cases in those areas.
  • Malaysia: On May 1, Malaysian Prime Minister Muhyiddin Yassin announced a conditional re-opening of the country beginning May 4, under which almost all industry and business activities will be allowed to restart operations, provided that such activities comply with relevant authorities’ standard operating procedures.  Employers are encouraged to continue to allow working from home or working on a rotating basis.  Schools, entertainment facilities, religious events that draw crowds, and beauty services are among those that are not permitted to re-open.  Some Malaysian states have elected not to participate in the re-opening measures.
  • Spain: Beginning May 2-4, Spain initiated a multiphase plan to re-open by the end of June, in which each phase will be implemented over the course of approximately two (2) weeks.  During the current first phase, individuals are allowed to exercise outside their home and to receive beauty services and restaurants may serve takeout, again provided that social distancing and sanitation measures remain observed.  Spain’s next phase will allow outdoor sections of bars and restaurants to open at 50% capacity and groups of ten (10) or fewer people will be permitted in public places and residences.

Multinational employers that are preparing for employees to return to the workplace should be prepared to implement new practices and protocols to maintain a safe work environment while the COVID-19 pandemic continues.  While there are no one-size-fits-all policies or practices when operating an international workforce, employers may begin to consider certain risk factors and precautionary measures in anticipation of employees returning to the office.

Mandatory Testing Upon Return to Work

Employers should consider whether to require employees to submit to precautionary COVID-19 tests and measures prior to entering the workplace.  In addition to requiring employees to have their temperature taken, employers may consider requiring employees to take one of the many different diagnostic tests that are emerging on the market.  Employers should be mindful of whether any tests that may be used have been approved by public health and safety agencies, such as the Food and Drug Administration or the European Medicines Agency. Additionally, before requiring COVID-19 testing, employers should be aware of many considerations, including but not limited to the following:

  • Assess the type of COVID-19 test that may be most suitable for the workplace. A less-invasive diagnostic test that analyzes whether an individual currently is infected may be more suitable than a serologic (or antibody) test that indicates whether an individual previously has had an infection.
  • Whether to limit any testing only to those employees who present symptoms of COVID-19. As a recent review by the Centers for Disease Control (“CDC”) suggests, COVID-19 may be spread from pre-symptomatic or asymptomatic individuals.  As such, employers may consider testing all employees prior to their returning to the workplace.
  • Whether to limit testing only to those employees who regularly work at the office, as opposed to those who regularly or exclusively work from home.
  • Whether to require testing to be completed onsite or to provide employees with the option to be tested at their personal healthcare provider.
  • Determine whether employees must consent to a COVID-19 test or whether labor unions or works councils must be consulted prior to implementing such a testing requirement.
  • Implement procedures if and when employees refuse to consent to required tests. In addition, employers should consider appropriate responses in such circumstances, for example, progressive discipline or immediate termination.
  • Develop a reporting and recordkeeping protocol. Employers should determine to whom positive COVID-19 test results will be disclosed, whether only to affected employees, other employees, and/or government entities.  Employers should consider the privacy implications of reporting and recordkeeping practices and should ensure adherence to applicable local law.

Employee Health Certification

Employers may consider requiring that all returning employees certify certain health information regarding exposure to COVID-19.  This may include requiring information as to whether employees have been diagnosed with COVID-19, whether they are exhibiting or have ever exhibited COVID-19 symptoms, and/or whether they have been in contact with someone who has been diagnosed with COVID-19 or exhibited COVID-19 symptoms.  Depending on the jurisdiction, such inquiries may not be legal or recommended.  Employers should develop processes to respond consistently to employees who respond to any COVID-19 health questions affirmatively (e.g., not allowing such employees to enter the workplace).  Similarly, employers that request employees to certify certain health information also should consider what procedures to follow in the event that employees refuse to answer such health-related questions (e.g., progressive discipline or immediate termination).  Employers also must comply with country-specific privacy requirements.

Wearing Face Coverings in the Workplace

 Another measure that employers may consider is whether to require returning employees to wear face coverings in the workplace.  Generally, such measures likely are permitted in most jurisdictions as a means to protect all employees’ health and safety.  When implementing face covering requirements, employers again should consider processes to follow should employees refuse to wear such protective equipment.  In some cases, terminating employees for an initial offense may not be reasonable.  Instead, progressive discipline, beginning with an initial warning and escalating in the event of additional violations of workplace policies, may be appropriate.

Refusal to Return to Work

As businesses begin to re-open, employers may find that some employees may refuse to return to the workplace.  As a best practice, employers should evaluate such instances on a case-by-case basis.  Employers should consider whether employees refuse to return to work based upon personal preferences, government recommendations, and/or information from healthcare providers.  Employers should also assess whether employees’ essential job functions require their working onsite or whether such employees may work remotely.  In addition, employers should consider those disciplinary procedures that should be taken in the event that employees refuse to return to work.  Depending on local law, as well as specific company culture, immediate termination may be too harsh a response, and progressive discipline may be more suitable.  Alternatively, it may make the best business sense to accommodate employees’ wish to work remotely or not to return to work where telework is not feasible.

Travel Considerations

While many countries’ re-opening plans include loosening restrictions on local travel, many employees, particularly those who commute via mass transit, may be wary of returning to the office.  As a practical matter, where workable, it may be best for employers to accommodate employees’ desire to work remotely, or not to return to work where remote work is not available. In addition, several jurisdictions are prohibiting international visitors and may require immediate quarantine upon arrival.  Given this, employers should limit non-essential business travel and should consider prohibiting international travel.

In the end, when evaluating how to respond to the challenges presented by the COVID-19 pandemic, employers should be pragmatic and practical.  The circumstances that have resulted from COVID-19 are, novel, and multinational employers of all sizes are attempting to cope with a complex, unpredictable and rapidly changing environment.  During this difficult time, employers should remain cognizant that many governments have enacted legislation and have issued guidance to support employers and employees.  As such, employers should contact legal counsel to localize policies and practices to ensure that best legal practices are maintained that still adhere to company culture and longstanding company practice.

We continue to monitor the global impact of the COVID-19 pandemic on employers, and we will provide updates as new developments emerge.

As we previously reported, on Monday, April 27, 2020, Texas Governor Greg Abbott announced Phase One of his much anticipated plan to reopen Texas while minimizing the spread of COVID-19.   In response to this plan to reopen, at limited capacity, retail establishments, restaurants, movies, shopping malls, libraries and museums, starting on May 1, 2020, many Texas workers are weighing the option of returning to work and earning a paycheck against the potential risks of exposure to COVID-19 and forfeiting unemployment benefits.

On Thursday, April 30, 2020 Governor Abbot addressed this issue by announcing that the Texas Workforce Commission (“TWC”) has issued Guidance to unemployment benefits claimants concerning their continued eligibility should they choose not to return to work.  While reinforcing that each claim is assessed on a case-by-case basis, the TWC Guidance outlines specific circumstances under which workers will still be granted unemployment benefits, even if suitable work is available.

Per the Guidance, a worker who refuses to return to work due to the following COVD-19 related reasons may retain unemployment benefit eligibility:

  • High Risk—If a worker is at “high risk.” defined by the TWC as individuals 65 years and older, as they are at higher risk for becoming very sick from COVID-19;
  • Household Member at High Risk—If a worker’s household member is at high risk. This includes household members 65 years or older;
  • Diagnosed with COVID-19—If a worker has been diagnosed with COVID-19, having tested positive for the virus by a source that is authorized by the State of Texas, and they have yet to recover;
  • Household Member Diagnosed with COVID-19—If a worker has a household family member with COVID-19, having tested positive for the virus by a source that is authorized by the State of Texas, the family member yet to recover, and 14 days have not yet passed;
  • Quarantined—If a worker is currently in 14-day quarantine due to close contact exposure to COVID-19; or
  • Childcare Needs—If a worker’s child’s school or daycare is closed, and there are no available childcare alternatives.

Continue Reading Texas Employees Refusing to Return to Work from COVID-19 Related Reasons May Still Be Eligible for Unemployment Benefits