LAST UPDATED: March 27, 2020
The COVID-19 (coronavirus) outbreak is impacting almost every aspect of our lives, and the legal landscape hasn’t remained untouched. There are legislative changes in the works as well as new applications of existing laws to changing circumstances. On this page, we present information and resources on a variety of legal topics relevant to our clients. We will update this page as new information becomes available and we identify additional topics of concern.
The information provided here does not constitute legal advice. You should consult with legal counsel about your particular situation before taking business and employment actions.
Employment-Related Issues
Q1. Can our business require or encourage employees to work remotely during the pandemic?
A1. Yes. The EEOC has opined that “telework is an effective infection-control strategy that is also familiar to ADA-covered employers as a reasonable accommodation.” Likewise, the Governor of Vermont has issued executive orders requiring all employers to implement work-from-home policies (unless an employer is considered to perform an “essential service”) wherever possible.
Considerations for employers who are unable to implement a remote work plan
Q2. Where can we find guidance for keeping employees safe at work?
A2: For those businesses still operating on an in-person basis, the Occupational Safety and Health Administration (“OSHA”) has published “Guidance on Preparing Workplaces for COVID-19.” The guidance outlines steps employers can take to protect employees based on various risk groups.
Moreover, according to guidance issued by the Centers for Disease Control and Prevention (“CDC”), any employee who exhibits symptoms of COVID-19 – similar to flu-like symptoms – should be sent home. The Equal Employment Opportunity Commission (“EEOC”) has confirmed that sending employees home under these circumstances is allowed under the ADA, and will not be considered disability-related if an employee is exhibiting such symptoms.
Q3: Can our business test for COVID-19 in the workplace?
A3: The EEOC has issued guidance suggesting that during the COVID-19 pandemic, it will not be considered a violation of the ADA’s rules on medical exams for employers to take employees’ body temperatures, though the EEOC has cautioned that some people with COVID-19 do not have a fever. Keep in mind that employers who require employees to submit to temperature checks should be sure that they are conducting such checks on a non-discriminatory basis (for example, not testing only employees of a particular nationality) and are being appropriately protective of employees’ privacy. Employers also should be aware of risks to those persons conducting the temperature checks and should implement suitable safeguards.
Additionally, employers can require employees to notify their supervisor if they are experiencing symptoms associated with COVID-19. Employers also should have a policy that employees experiencing symptoms should not come to work.
At this time, it is not clear whether employers may ask employees to disclose whether they have a medical condition that could make them particularly vulnerable to COVID-19 complications. Employers should consult with counsel when considering making such inquiries.
Q4: What if one of our employees at the workplace has contracted or been exposed to COVID-19?
A4 : Employees who have contracted COVID-19 or who is suspected to have contracted COVID-19 should be sent home for at least two (2) weeks. To the extent possible, employers should gather information from that affected employee to identify all other employees who may have had close contact with affected employee during the previous two (2) weeks. Those employees also should be sent home for at least two (2) weeks. When sending employees home, it is important not to disclose the identity of any individual who has been infected.
The CDC has issued guidance for non-healthcare businesses that have experienced infections.
Q5: I’ve heard Congress passed a law allowing employees affected by the COVID-19 pandemic to receive paid leave. What does that law require?
A5: On March 18, 2020, the U.S. Congress passed the Families First Coronavirus Response Act (“FFCRA”), a federal law that, in part, requires employers of 500 or fewer employees to provide up to two (2) weeks (80 hours) of paid leave to employees impacted by the COVID-19 pandemic. The FFCRA also amends the Family and Medical Leave Act (“FMLA”) to provide up to twelve (12) weeks of family leave for employees to care for children who are out of school or other child care for reasons related to the COVID-19 pandemic. Importantly, the FFCRA allows employers to claim refundable tax credits against their FICA taxes up to the amounts paid for both paid sick leave and paid leave under the expanded FMLA entitlement.
The federal Department of Labor is expected to adopt regulations implementing the new law, including a process for exempting some employers who have fewer than 50 employees. Although the regulations are not yet available, here are some basic points worth noting:
Paid Sick Leave Requirement
- Paid sick leave is available to all employees as of the effective date of the law, which is April 1, 2020.
- The leave is available to employees who are unable to work for any of the following reasons:
- The employee is subject to a Federal, State, or local quarantine or isolation order related to COVID-19.
- The employee has been advised by a health care provider to self-quarantine due to concerns related to COVID-19.
- The employee is experiencing symptoms of COVID-19 and is seeking a medical diagnosis.
- The employee is caring for an individual who is subject to a Federal, State, or local quarantine or isolation order.
- The employee is caring for child if the school or place of care of the child has been closed, or the child’s childcare provider is unavailable due to COVID-19 precautions.
- The employee is experiencing a “substantially similar condition” as specified by the Secretary of Health and Human Services.
- Full-time employees are entitled to receive up to 80 hours of paid leave, and part-time workers are entitled to receive the number of hours they work, on average, over a two-week period.
- Leave is paid at the employee’s FLSA “regular rate” for leave taken as a result of the employee’s own condition (i.e., the first three reasons described above), and at 2/3 of the employee’s regular rate for leave taken to care for another (i.e., the last three reasons noted above).
- Leave amounts are capped at $511 per day and $5,110 total for employees taking leave to care for themselves, and $200 per day and $2,000 total for employees taking leave to care for others.
- Employers cannot require an employee to use leave that is available under an existing employment policy before the employee is entitled to use the leave provided by the FFCRA.
FMLA Amendment
- The FFCRA amends the FMLA to allow eligible employees up to twelve (12) weeks of family leave if the employee is “unable to work (or telework) due to a need for leave to care for” a minor child “if the school or place of care has been closed, or the child care provider of such son or daughter is unavailable” due to a public health emergency related to the COVID-19 pandemic.
- Any employee who has been on the job for at least thirty (30) days is eligible for this leave.
- The first two (2) weeks (10 days) of the leave can be unpaid, though employees have the option to substitute accrued paid leave under existing policies during this two-week period.
- The remainder of the leave must be paid at a rate equal to at least two thirds (2/3) of the employee’s FLSA “regular rate,” but this is capped at $200 per day and $10,000 in the aggregate.
- Generally, employees who take this leave must be reinstated to their prior positions, though employers with fewer than 25 employees may not have to reinstate employees to positions that no longer exist due to economic conditions or changes to other operating conditions caused by the COVID-19 pandemic that affect employment. In such cases, employers must still make reasonable efforts to restore employees to equivalent positions, and must make reasonable efforts to contact employees if reasonably equivalent positions become available.
UPDATE: On March 26 and 27, 2020, the U.S. Senate and U.S. House of Representatives, respectively, passed the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, which, among other things, amends the FFCRA’s paid leave provisions as follows:
- The CARES Act first extends coverage of the FMLA provisions to those who were laid off on or after March 1, 2020, had worked for the employer for not less than 30 of the last 60 calendar days prior to the layoff, and were rehired.
- Second, the CARES Act includes language allowing employers to obtain an “advance” on refunding of tax credits used to support the new forms of paid leave by withholding employment tax deposits. The IRS is expected to issue guidance on this change in the near future.
Tax Credits
The FFCRA allows employers to claim refundable tax credits against their FICA taxes up to the amounts paid for both paid sick leave and paid leave under the expanded FMLA entitlement.
Posting of Notice
All employers subject to the Act (i.e., those with fewer than 500 employees) are required to post a notice of employee rights under the FFCRA. DOL has prepared a form notice, which can be downloaded, free of charge, here. Employers must post this notice in a “conspicuous place” on their premises, or may email or direct mail notice to employees.
Q6: Unfortunately, my business needs to consider temporarily laying off/furloughing employees. What are some things we should be thinking about in carrying out layoffs?
A6: We recognize that many employers are struggling with how to keep their businesses afloat while keeping their employees employed. Here’s information about several important things to take into consideration.
Federal and State layoff notification laws.
Generally, if you are considering laying off fifty (50) or more employees in the following ninety (90) days, you may be required to comply with the federal Worker Adjustment and Retraining Notification (“WARN”) Act or Vermont’s comparable “mini-WARN” act. These laws generally require employers to provide employees and government agencies with advance notice of significant layoffs. The laws also include various exceptions, however, that may apply in the present circumstances. If you anticipate large layoffs – and particularly if those layoffs are likely to be permanent – you should consult with counsel to determine your business’ obligations under the federal and Vermont laws.
UPDATE: On March 21, 2020, the Vermont Agency of Commerce and Community Development posted: “The Department of Labor does not intend to enforce the provisions of Vermont’s Notice of Potential Layoffs Act against businesses who are forced to lay off employees due to the effects of the COVID-19 pandemic.” We are not currently aware of similar guidance under the federal WARN Act (which applies to layoffs of 100 employees or more).
Be aware of EEO/Discrimination issues.
In selecting employees for layoff, employers should be sure to rely on well-documented business considerations to avoid running afoul of anti-discrimination statutes such as Title VII, the ADA, the ADEA, and equivalent state laws. Employers should review demographic information of selected employees to assess the potential for disparate impact discrimination issues.
What if my workforce is unionized or we have employees with employment contracts?
For unionized workplaces, and for those where employees may have employment contracts, employers should be sure to take into consideration any layoff/reduction in force provisions in collective bargaining agreements or limitations on termination in employee contracts. Seek legal counsel as necessary.
How do layoffs impact an employee’s unemployment insurance benefits?
Generally, a layoff will allow an employee to become eligible for unemployment insurance (“UI”) benefits. Some UI considerations for employers include:
- On March 24, 2020, the Vermont Department of Labor (VT DOL) suspended all “official work search requirements” for laid-off employees, whether or not the employees have an official return to work date, “to mitigate the risk associated with work search efforts as they relate to the COVID-19 pandemic.” This means that, for the time being at least, employees laid off as a result of COVID-19 will no longer have to satisfy work search requirements to received weekly unemployment benefits (prior to the order, only employees with a return to work date falling within 10 weeks were exempted from these requirements).
- UI may be available employees whose work hours are reduced, depending on whether their weekly pay drops below the UI weekly benefit amount.
- The VT DOL provides a “mass layoff” form for employers who need to lay off ten or more employees.
- Currently, layoffs and UI claims from employees will impact the employer’s unemployment insurance rating, though the Vermont Legislature is currently considering making COVID-19-related layoffs exempt.
We anticipate changes to the UI compensation system as a result of federal and state relief efforts, and we will update this posting accordingly as more information becomes available. In the meantime, the VT DOL has published FAQ’s related to COVID-19.
Can we request a doctor’s note from employees returning to work after leave?
Yes, EEOC guidance provides that inquiries like this are not disability-related, and in any event would be justified under the ADA standards for disability-related inquiries. The EEOC has noted, though, that “[a]s a practical matter . . . doctors and other health care professionals may be too busy during and immediately after a pandemic outbreak to provide fitness-for-duty documentation. Therefore, new approaches may be necessary, such as reliance on local clinics to provide a form, a stamp, or an e-mail to certify that an individual does not have the pandemic virus.”
Do we have to payout accrued vacation/sick leave?
Vermont law requires employers to pay all wages owed to an employee within 72 hours of termination. If employees are laid off, this law will apply. Generally, Vermont law does not require payout of accrued, unused vacation or sick leave unless an employer’s policy provides for payout upon termination.
Can we continue to pay for employees’ health insurance while they are laid off?
Yes, though implications on UI benefits is not entirely clear. Employees who are separated from employment should be eligible for COBRA benefits. Employers may (but are not required) to maintain contributions to the employees’ plan under COBRA, and may even choose to pay entirely for laid off employees’ COBRA benefits. It is not entirely clear in Vermont, however, whether such payments would constitute “disqualifying” payments for purposes of UI benefits (such that employees’ UI benefits would be reduced). Employers should consult with counsel for detailed advice on potential issues.
Q7: We may not need to lay off employees, but may need to impose furloughs and cut hours. What considerations should we have in mind?
A7:
Wage and hour considerations.
If you are thinking of furloughing employees or reducing hours to save costs, there are a couple of things to keep in mind under the Fair Labor Standards Act (FLSA) and similar Vermont wage and hour laws.
For non-exempt (hourly) employees, you should be able to furlough or cut hours without running afoul of the FLSA so long as their regularly hourly rate exceeds the minimum wage (currently $10.78 per hour for most workers in Vermont). Of course, if your employees are working remotely, it will be important to maintain ways to accurately track hours to ensure compliance with minimum wage and overtime requirements.
Employers will need to be particularly careful, however, in furloughing or attempting to cut the hours of FLSA exempt (salaried) employees. The FLSA generally requires that such employees be paid their full salary for each week in which the employee performs any work. Therefore, with very limited exception, any furloughs of exempt employees must be for entire workweeks if the employer wants to avoid paying the weekly salary. Employers should also take steps to ensure that exempt employees do not work at all (as little as taking a single work phone call could suffice to trigger salary payment obligations for the week).
Finally, employers generally may reduce exempt employee salaries on a prospective basis (i.e., the reduction does not occur within a pay period in which an exempt employee has performed work, and applies only going forward), so long as the employee’s salary does not fall below the minimum required by the FLSA’s “salary basis” test (currently $684 per week, which corresponds to an annual salary of $35,568).
Can employees on furlough/reduced hours collected unemployment benefits?
Maybe. In Vermont, UI benefits are available for weeks in which an employee experiences “partial unemployment,” which is defined generally as any week in which the employee’s hours are cut to the extent that the employee receives less than the employee would receive in UI benefits if totally unemployed. This means that in some circumstances, employees whose hours are cut would be eligible for partial unemployment benefits. Salaried employees should also be able to collect unemployment for weeks in which they are furloughed. At present, it appears that the Department of Labor is taking the position that salaried employees whose salaries have been reduced are not entitled to unemployment benefits, but we understand that the Vermont legislature may be considering legislation to make partial benefits available to exempt employees as well.
What impact will a furlough or reduction in hours have on employee benefits?
Employers should consult their benefit plan documents for more information about the impact of contemplated furloughs or hours reductions on employee benefits plans. Generally, for example, benefits plans may include weekly hour minimums that qualify employees to participate in such plans.
In some cases, employees may not be able to pay their share of health insurance premiums. Typically, plan coverage would cease in such circumstances, though some insurers may voluntarily continue to provide health coverage during this emergency, or an employer may be able to make an arrangement to cover employees’ share of premiums until hours/pay can be restored to pre-pandemic levels.
Contract-Related Issues
Q8: With the COVID-19 pandemic and its impact on our daily lives, both at business and at home, our business is worried that we might not be able to meet certain contractual obligations. Does the current situation give us grounds to get out of these obligations?
A8: A business’s performance obligations could be considered “impossible” under certain circumstances. Whether the current situation would make your performance “impossible” usually involves a fact-specific analysis. Here are some things to consider:
- Generally, a party may be excused from performing the party’s contractual obligations if it is objectively impossible to carry out the bargain. This is a high threshold.
- On their own, neither a declaration of a State of Emergency nor a recommendation to maintain social distance from others rises to the level of impossibility; thus, these less restrictive suggestions would not be grounds to say that the contract is impossible to carry out.
- However, a “shelter-in-place” order (also known as a “stay home” order) by local, State, or Federal governments may be grounds to say the contract is impossible to carry out.
- Keep in mind that an “impossibility” determination most likely would apply to the deadlines of the contract instead of to the entire contract. This means that pausing the activity and delivering within a reasonable time after cause of the “impossibility” may be justified.
- Determinations on impossibility usually require a fact-specific analysis.
It’s also possible that your contract’s force majeure provision could come into play (see below).
Q9: Our contract contains a “force majeure” clause. Can we invoke this clause in light of the COVID-19 pandemic?
A9: A “force majeure” clause addresses when the contract might be disrupted due to factors beyond the control of the parties. Generally, if either party is unable to perform due to unforeseeable circumstances or acts beyond that party’s control, then either party may choose to terminate. Here are some things to consider:
- These provisions usually consider “acts of God” to be a force majeure event. Often contracts d o not define what constitutes an “act of God,” although sometimes they provide examples.
- It’s possible that the COVID-19 pandemic could fit into the catchall “acts of God” term.
- Check the provision in your agreement because it could include specific information.
- For new contracts, we recommend explicitly including “pandemics” in the Force Majeure provision.
- A force majeure clause does not provide for automatic termination; the parties have to decide to terminate or excuse the performance.
- Right now, it may be most effective to communicate with the other parties in your contracts. The impact of COVID-19 is wide-ranging and almost everyone is feeling the impact, which could create an honest and open basis for discussing how to navigate contract issues arising from the COVID-19 impact.
Insurance-Coverage Related Matters
Q10: Should I contact my insurance agent if I I’m not sure if I have a viable claim?
A10: Yes. The insurance company can always deny a claim in full or in part, but the timeliness of the claim is important to retaining your rights under your policy(ies).
Q11: Does my Business Insurance cover any losses my business might sustain from either voluntarily shutting down to protect our employees or shutting down based on the Governor’s March 24th “Stay Safe, Stay Home” order suspending all non-essential in-person operations?
A11: Depending on the scope of coverage, your business’s insurance policies could help pay the cost of property damage, law suits, lost business income, and other losses more specific to the unique requirements of certain businesses.
Check to see what insurance policies your business has. Some businesses might have one policy, whereas other businesses might have a suite of coverages (possibly combined into one policy) including property, general commercial liability, and business income.
When dealing with insurance policies, the important thing is to carefully read the text of the policy itself. Your insurance agent should be able to point you to any provisions that would be helpful in this unprecedented time, but here’s brief overview of some areas to look for:
- Interruption Insurance. Business Interruption Insurance allows businesses to recover revenue lost as a result of a direct loss usually due to physical or property damage. Similarly, Contingent Business Interruption Insurance is a less prevalent form but covers indirect losses, such as when a third-party is unable to provide services or products to your company so that your company is unable to provide services of products. Coverage from such Interruption Insurance can be used to support payroll, rent, utility payments, and other expenses that continue even when the business itself has stalled.
If your policy contains Interruption Insurance, it is important to read the policy carefully to see if the coverage extends to circumstances related to a pandemic. For instance, insurers faced a number of claims after the Severe Acute Respiratory Syndrome (“SARS”) outbreak in 2002-03 and have since included language in policies to exclude similar outbreaks from Interruption Insurance coverage.
See the “Resources” section for helpful information.
- Event Cancellation Insurance. Event Cancellation Insurance can be part of a broader group of policies provided on an annual basis or can be purchased on a per event basis. This type of coverage can include: costs incurred prior to cancellation/ postponement of an event, related contractual guarantees, loss of profits or revenue (supported by evidence), and costs for rescheduling the event. Similar to Interruption Insurance, there may be exclusions to coverage, and losses related to the COVID-19 pandemic may not be covered. Since such policies can be specific to the events they are covering, however, terms can vary from policy to policy if you have multiple Event Cancellation policies, and it is worth reaching out to your insurance agent and reading each policy carefully to determine whether the COVID-19 pandemic is a covered loss.
- Workers’ Compensation Insurance. This type of insurance generally covers only illnesses and injuries that are “work related.” Work related usually means illnesses or injuries that are contracted or occur in the work place (so long as they are related to performance of work) or while performing activities outside the work environment in the course of performing their work. Accordingly, an employee who comes down with COVID-19 could be covered under Workers’ Compensation Insurance if they contracted the illness in the performance of their work or in the work place.
- Umbrella Policy or Excess Insurance. Umbrella Policies or Excess Insurance can be helpful to cover costs over the liability limits of primary policies. To be covered under an Umbrella Policy, however, the underlying claim must be covered under the primary policy. For example, if the Business Interruption Policy excludes disease outbreaks from coverage, the Umbrella Policy also will not cover any losses.
Q12: What if our business is unable to pay insurance premiums?
A12: On March 23, 2020, in response to Governor Scott’s executive order declaring a state of emergency in Vermont, the Department of Financial Regulation (“DFR”) requested “that all insurance companies provide their policyholders with a reasonable grace period to pay insurance premiums to avoid policies being cancelled for nonpayment of premium due to the COVID-19 public health emergency.” While this is not mandatory or enforceable, it is helpful to have the agency’s support. If your business is unable to pay your premiums in full or in part, it is a good idea to contact your insurance agent as soon as possible.
With many employees working remotely during the COVID-19 outbreak, it’s important that your business take steps to protect data containing confidential, proprietary, personal, and sensitive information.
Data Privacy and Security Related Matters
Q13: What information does our business need to protect?
A13: You should take steps to protect confidential, proprietary, personal, and sensitive information, such as:
- confidential business information
- financial information
- customer information
- trade secrets
- marketing plans
- protected intellectual property
- work product
- employee information
- personnel records
- medical records
- financial records
We refer to this type of information as “Private Information.”
Q14: Why is it important to take steps to protect Private Information at this time?
A14: While it’s always important to protect Private Information, with the outbreak of COVID-19, there has been (and likely will continue to be) an increase in activity by criminal entities seeking Private Information. The US Department of Justice (DOJ), Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have identified several ways scammers will use COVID-19 to target people:
- Vaccine and treatment scams, where scammers advertise fake cures, vaccines, and advice on unproven treatments for COVID-19.
- Shopping scams, where scammers create fake stores, e-commerce websites, social media accounts, and email addresses claiming to sell medical supplies currently in high demand (such as hand sanitizer, toilet paper, and surgical masks).
- Medical scams, where scammers call and email people pretending to be doctors or hospitals that have treated a friend or relative for COVID-19 and demand payment for treatment.
- Charity scams, where scammers ask for donations for people and groups affected by COVID-19.
- Phishing and Malware scams, where scammers attempt to gain access to your computer or to steal your credentials.
- Malware is malicious software (such as spyware, ransomware, or viruses) that can gain access to your computer system without you knowing. Malware can be activated when you click on email attachments or install risky software.
- Phishing happens when a scammer sends false communications from what appears to be a trustworthy source to entice you to share sensitive data (such as passwords or credit card information).
- For example, there have been fraudulent emails that look like they come from the World Health Organization (WHO), the Center for Disease Control (CDC), but actually were phishing emails designed to trick the recipient into downloading malware or providing personal and financial information.
- App scams, where scammers create mobile apps designed to track the spread of COVID-19 and insert malware into the app, which compromises users’ devices and personal information.
- Investment scams, where scammers offer online promotions on things like social media, claiming that products or services of publicly traded companies can prevent, detect, or cure COVID-19, which could cause the stock of such companies to increase in value as a result.
Additionally, significant data privacy laws recently have gone into effect in several areas (including the GDPR in Europe and the CCPA in California), and many others are in the works throughout the US. These laws require stringent handling of personal information and implementation of reasonable security measures, with consequences for noncompliance.
Q15: What security steps should our business take to protect Private Information when employees work remotely?
A15: The following security steps will help your business and your employees better protect Private Information.
- Install security software on any devices that employees use to work remotely. Make sure to include firewalls, antivirus software, and anti-malware. If already installed, make sure they are up to date with all necessary patches.
- Consider having a virtual private network (VPN) for your business. If you have a VPN, require your employees to use the VPN whenever they access the internet to work and access company information systems remotely.
- Implement two-factor or multi-factor authentication (MFA).
- Encrypt data both in transit and at rest. Make sure employee devices are set up to encrypt data in emails and attachments, as well as stored data.
- Consider using Mobile Device Management (MDM) and Mobile Application Management (MAM). These tools can help your business manage and secure mobile devices and applications. For instance, they can help you remotely implement security measures such as data encryption and malware scans, and they can help you wipe data from any lost or stolen devices.
Q16: What security measures should we have employees take when working remotely to help protect Private Information?
A16: There are technology-based and physical security measures that employees can take to help protect Private Information when working remotely (outlined below). But simply providing them with a list of steps to take isn’t sufficient; we recommend you provide training to convey the importance of protecting Private Information, help them identify possible vulnerabilities such as scams, and instruct them how to best implement the security measures.
Inform employees about possible online scams and steps to take to avoid them:
- Provide examples of recent COVID-19 related scams.
- Employees should not to reveal personal or financial information online.
- Employees should not answer calls from unknown numbers; they should hang up on robocalls and not press any numbers.
- Employees should not answer text messages from unknown numbers.
- Employees should not reply to emails from unknown senders.
- Employees should not click on links, download apps, or download attachments from unknown senders.
- Before making an online purchase, employees should research the company to determine its legitimacy.
- Before donating to a charitable organization, employees should verify the organization’s authenticity (visit the Federal Trade Commission’s website for more information about verification).
- Employees should not respond to communications about COVID-19 vaccinations. At this time, there are not any approved drugs or vaccines to treat the virus. Both the FDA and the FTC have sent warning letters to sellers of products claiming they treat or prevent coronavirus.
- Employees should be wary of texts, emails, and phone calls from sources claiming they are with the government or agencies.
Consider requiring employees to take the following technology-based security measures:
- If using the internet for work purposes in public, use the business’s VPN or a personal hotspot from a dedicated device or phone. Do not use public wi-fi.
- Use a USB data blocker when charging up at a public phone charging station.
- Secure home routers.
- Make sure cell phones are up-to-date by having settings set so software updates automatically.
- Use passwords:
- Use passwords on all devices
- Make sure passwords are strong
- Change passwords regularly
- Disable any “remember password” functions when logging into company information systems and applications from personal devices
- Use a secure password manager
- Enable and use two-factor and multi-factor authentication
- Encrypt data when transmitting (including both the body of the communication and any attachments) and storing data
- Back up data regularly
Technology-based solutions can be invaluable, but don’t overlook the importance of physical security measures. Some of these may seem like common sense, but it’s a good idea to remind employees to take the following physical security measures:
- If working in the presence of non-employees, make sure any Private Information is not viewable by others
- Secure home routers
- Access work data only from work devices (and not from public or shared devices)
- Don’t share work devices (even with family members)
- Keep devices in secure places
- Do not leave devices in the car
- If using thumb drives, make sure to know where they come from (don’t use a thumb drive that an employee happens to find)
- Use a USB data blocker when charging at a public charging station
Top
Q17: How can we mak e sure our employees know what to do?
A17: Provide employees with written (including electronic) copies of your policies and procedures.
Consider having remote training for your employees. Training would give you the opportunity to explain why security steps are so important at this time as well as provide guidance and address questions – for instance, you could help them learn how to detect phishing attacks and other compromising communications involving remote devices and remote access to company information systems. You also could address password basics, including how to keep passwords strong and the importance of not using the same one over and over again.