CYBER RISKS & LIABILITIES – Penetration Testing Explained


Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder and harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?


Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others. Penetration testing is generally performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way. This helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical establishment during external penetration testing. Rather, they must execute the cyberattack remotely—often from a vehicle or building nearby—to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that an aggrieved employee could potentially inflict through a cyberattack. 

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation will determine the penetration test type. Specifically:

  • An open-box test occurs when the IT expert is given some details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.


Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses—as well as reveal the true costs of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard calls for organizations that accept or process payment transactions to execute routine penetration tests. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
      • What is my organization looking to gain or better understand from penetration testing?
      • Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
      • What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
      • The general testing timeframe
      • Who will be made aware of the test
      • The test type and format
      • Which regulatory requirements (if any) must be satisfied through the test
      • The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.

If you are a Risk Manager or Principal of a PEO and want to learn how you could help protect your client company’s interests through our affordable Master Cyber Liability program, email James Buscarini, FL License #A036520, at jbuscarini@libertateins.com to find out more. The Master Cyber program is written through Axis, an A rated carrier, 250K in coverage, no underwriting, and a revenue generator!

Food For Thought Friday: Employee Retention and Attracting New Talent

Our hope with this Friday post is to tantalize a different aspect of our business brains! We’re pulling together a few interesting pointers on employee retention and attracting new talent.

Small businesses continue struggling to retain and attract team members. Did COVID really unleash a population of, “I don’t really want to work!”? Quite possibly, but here are some thoughts on how to incentivize your assets, your work force.

One size NEVER fits all; tailor benefits offerings in a way that attracts and retains the best employees. Start this process by surveying existing and potential employees. Ask your team what types of benefits would interest them the most. Use this data to make better benefits decisions. Business owners put substantial energy and time into these plans, so why not go Boutique Style and customize a plan that excites your employees!

While each workforce will have unique needs and interests, there are some commonalities seen among small business employees. Here are six of the most popular benefits that small businesses are using to attract and retain employees.

First Up is the dreaded but, “Oh So Necessary” Health Care Coverage. Good health coverage is important but also expensive! This will likely be an important benefit to your employees with families or those further along in their years of experience. Some employees need a plan to cover same sex spouses. Consider doubling down on health coverage rather than picking up expenses for ancillary benefits that may not be of interest to the majority of your team. Going to work every day knowing that your employer cares about your health and the health of those important to you could be a game changer in the candidate pool.

Leave benefits vary by workplace, but typically include paid time off (PTO), vacation days and sick time. These types of leave usually come with specific use requirements. For employers looking to attract and retain employees, expanding these benefits could be a great leverage tool. This may include allowing faster PTO accrual, providing more sick days or allowing for flexible scheduling. Implement a remote work policy for those employees that can handle it. Let them know that they have earned your trust and are valued enough to allow them to work efficiently and effectively at home.

The third incentive on our list is the always exciting, Performance Bonus. Employees want to be recognized for their hard work. Failing to do so can lower morale and affect retention. Introducing performance bonuses as an employee benefit can be a way to combat this. Performance bonuses will vary, but the general idea is to compensate employees in some way for a job well done. How this looks in practice will depend on the employer. For instance, employees might receive incentives such as gift cards, cash, additional PTO or other perks, depending on their achievement. However, before implementing such bonuses, employers should ensure compliance with any applicable workplace laws regarding employee compensation.

Financial security is very important to employees, and that sentiment grows as employees near retirement age. It’s also top of mind for those struggling financially thanks to the COVID-19 pandemic. Employees invest their time and energy into their work. As a tradeoff, many employees want their employers to invest in their retirements in return for years of service. Offering a 401(k) with contribution matching can be a powerful attraction and retention tool, as it demonstrates an employer’s investment in their workers in the long term. 

Surveys suggest employees have been putting off job changes during the COVID-19 pandemic, meaning a wave of turnover may be coming soon. Employers may want to think proactively about ways to keep employees around. In other words, when it comes to top performers, employers should be reluctant to let these employees go. That’s where professional development comes in. YES! Some employees are driven by more than just compensation! Generally, this involves cross-training employees on other positions or otherwise preparing them to take on additional responsibilities. This helps provide the employee with more growth opportunities while still keeping them within the business. Offering such development opportunities also signals to prospective employees that a workplace has upward mobility and is willing to help workers along with their career goals—two factors that can weigh heavily in recruiting conversations. This one will actually work well for your business; cross-training provides security in your foundation and non-reliance on any one individual for any one function.

Last up! Wellness is a hot topic these days, and employees are looking more and more for employers who take wellness seriously. This can be especially true in the wake of the COVID-19 pandemic, where health consequences are interwoven with everyday decisions. In fact, through the lens of the pandemic, ignoring wellness initiatives may be interpreted as ignoring overall health—something employers obviously want to avoid.  

Different workplaces will offer different wellness benefits, but the purpose of any of them is generally to increase employees’ overall well-being. For instance, benefits may include mental health counseling, healthy breakroom snacks, gym memberships, fitness trackers, yoga sessions or other perks. When it comes down to it, employees want to feel like their employers care about them as individuals. This means prioritizing well-being.

Remember, you do not need to implement all of these suggestions. Survey your team, understand what is important to them, contact your benefits provider or PEO and start customizing your benefits package.

Thinking about a PEO and how your small business can benefit, Libertate Insurance can help.

The Week in Review

We hope you had time this week to review some great posts by Paul Hughes and James Buscarini. 

On Tuesday, James shared with us some great tips on how smaller employers can attract and retain talent when competing with larger firms.  Check out his post on 6 Benefits to Attract and Retain Small Business Employees.    

On Thursday, Paul reminded us of the ongoing trends which are playing out in the realm of cyber Insurance.  According to content sourced from AM Best, we are witnessing an increase in both frequency of events as well as average cost per event in the cyber space.  This trend will, no doubt, bring about not only marked increases in cyber insurance premiums, but more rigorous requirements in cyber security by carriers willing to continue offering products in this space.  For full details, check out his post Annual Growth of Cyber Claims is Double Growth of Cyber Premiums.  

On this day, June 11th in 1776, the Continental Congress created a committee to draft a Declaration of Independence with Thomas Jefferson, John Adams, Benjamin Franklin, Roger Sherman, and Robert R. Livingston as members. Thomas Jefferson primarily penned the original draft, which was divided into five sections, including an introduction, a preamble, a body (divided into two sections) and a conclusion. While the body of the document outlined a list of grievances against the British crown, the preamble includes its most famous passage: “We hold these truths to be self-evident; that all men are created equal; that they are endowed by their Creator with certain inalienable rights; that among these are life, liberty and the pursuit of happiness; that to secure these rights, governments are instituted among men, deriving their just powers from the consent of the governed.”

The Continental Congress reconvened on July 1.  The process of consideration and revision of Jefferson’s declaration continued on July 3 and into the late morning of July 4, during which Congress deleted and revised some one-fifth of its text. The delegates made no changes to that key preamble, however, and the basic document remained Jefferson’s words. Congress officially adopted the Declaration of Independence later on the Fourth of July (though most historians now accept that the document was not signed until August 2).

What would Thomas Jefferson think of our cyber insurance woes of today?

Happy Friday everyone!! 

Insurers Are Waking Up to Multi-Factor Authentication

Please enjoy this excellent article by Steven Kaye which was originally posted on the Carrier Management website. The original post can be found here.

Insurance use cases for multi-factor authentication (MFA) include distributor access, external user access (e.g., claims vendors, financial advisers), internal user access and policyholder access.

Legislation and regulators are increasingly mandating MFA to ensure greater security as well as to reduce identity theft and other forms of fraud. Examples include the New York State cybersecurity regulation and the NAIC Insurance Data Security Model Law. Insurers have traditionally balanced security against expense and inconvenience to their users, especially if their coverages are marketed to older demographics (e.g., final expense policies). Regulatory mandates combined with growing digital adoption and criminals turning their eyes to life and annuities account takeover means the calculus has changed.

Despite these regulatory mandates, 80 percent of insurers say that risk management, rather than regulatory compliance, is driving their adoption of MFA.

There is minimal variation between size and sector of company when it comes to deployment rates, with the exception of large life/annuity/benefits insurers, which are much more likely to use MFA for policyholders than is any other class of insurer. A low deployment rate of MFA for policyholders among smaller property/casualty insurers reflects the fact that few small P/C insurers offer direct policyholder access at all.

Midsize P/C insurers lag behind other sizes and sectors in deployment of MFA for both distributors and policyholders but are ahead of large life/annuity/benefits insurers in deployment for other external parties. Midsize P/C insurers are also ahead of midsize life/annuity/benefits insurers in deployment internally.

How MFA Helps

As many knowledge workers moved from the office to home during the pandemic, securing infrastructure became another key driver. Hybrid work models that blend office and home working environments are gaining traction, and the need for MFA becomes more crucial to validate that users are actually employees.

In addition to security needs, carriers are obtaining policyholder emails and cellphone numbers as part of the MFA process. These bits of data, which are often difficult to obtain, can provide insurers with the opportunity to digitally connect with customers in their preferred channel.

There is no mandated number of identification methods for MFA, but the consensus is to have two at a minimum. Insurers are starting to use multi-factor or its equivalent for any interaction where an external network is accessing information behind a firewall. Some are taking this a step further to include role-based authentication for internal access as well.

The best defense is a layered approach, combining multiple authentication methods with secure and documented business processes and other security solutions. Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.

Insurers should ensure that MFA processes are documented and that solutions generate auditable logs. Some wholesale brokers require attestations from insurers they work with.

For consumer-facing use cases, depending on the age of policyholders, insurers may wish to opt for MFA methods that are more straightforward (e.g., less complex knowledge-based authentication, voice print). Final expense and Medicare supplement are two lines of business where voice signatures are well established. Many solutions support establishing different access policies based on risk assessment, such as requiring MFA for new devices, or conversely accepting password-free authentication for low-risk access requests.

Types of Authentication

MFA relies on several of the following authentication methods:

  • Physical objects (e.g., laptops, mobile devices, security tokens) in possession of users.
  • Knowledge-based authentication (e.g., answers to questions, passwords or PIN codes, randomly generated authentication codes from authenticator apps).
  • Location (e.g., GPS or IP address).
  • User characteristics (behavioral or biometrics-based).

Some authentication methods are more secure than others. For example, sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks. With many employees working from home, phishing and other identity theft methods are on the rise. Several solutions support adaptive authentication, with less risky access requests requiring fewer authentication methods than riskier ones, as determined by system-generated risk scoring and predefined security policies.

Novarica recently conducted a survey of insurer CIOs to understand their deployment of MFA, including business drivers, authentication methods and use cases. It is important to keep in mind that solution providers typically offer a range of authentication methods.

Only 30 percent of participants currently require MFA for distributors or policyholders, but another 20 percent are planning to require MFA within six months. Roughly 80 percent of participants require MFA for most or all internal systems users.

Deploying MFA

The most common authentication methods deployed are mobile authenticator apps, used by 80 percent of participants. More than half of participants use SMS. Email and security keys are used by roughly 40 percent and 33 percent of participants, respectively. Behavioral authentication, voice-based authentication, IP location and knowledge-based authentication are used by fewer than a third of insurers.

Note that only 16 percent of insurers report using just one method; overall, insurers said they use an average of 2.8 different authentication methods.

The security threat landscape continues to grow in number and impact. Although many carriers are not currently considering MFA, regulatory scrutiny and enforcement of IT security will only increase. The ability of most solutions to offer different levels of authentication for different access use cases means there is less of a tradeoff between customer experience and security. Many solution providers offer MFA as part of a broader portfolio of identity and access management and IT security solutions.

Insurers should consider MFA approaches as part of a broader IT security strategy.

CONTRIBUTOR

Steven Kaye, Novarica

Steven Kaye is Vice President of Research at Novarica and lead editor of the firm’s Business and Technology Trends in Insurance series. He has managed a wide range of research projects since joining the firm in 2008. Previously, Kaye worked for Accenture as an insurance researcher focused on the U.S. life and property/casualty markets. He also served in both knowledge management and research roles at Gemini Consulting (now part of Capgemini) for several of the firm’s industry practices. Kaye holds MILS and BA degrees from the University of Michigan at Ann Arbor. Reach him directly at skaye@novarica.com.

10 Workplace Safety Considerations for Small Business Owners


Content utilized to create this post was from Forbes Magazine’s Human Resources Council (includes Megan Leasher, Nicole Smartt Serres, Sameer Penakalapati, Tracy Cote, Chris Stanzione, Subhashree Chaudhuri, Courtney Peterson, Tina R. Walker, Kristin Fowler & Madhukar Govindaraju).

The vaccines have arrived and the numbers are trending up, down and all around depending on what network you’re watching and who you are speaking with. The fact is small, midsize and enterprise level businesses are considering what approach they should take for getting their staff back to work in an office environment. The majority of small and mid-sized employers are looking at using a blended approach, meaning they plan on implementing more work from home flexibility with their existing in-office staff. 59% of those that are working from home support a work schedule that allows working from the office and at home. We wanted to provide 10 impactful considerations for employers as they forge forward.

TEN WAYS TO CREATE A SAFE WORK ENVIRONMENT


1. There is no one-size-fits-all approach

Have a plan that fits your cultural goals and direction. Your plan should be a blend of meeting all safety & risk management guidelines from a legal perspective along with proper consideration for what the organization and its people need.

2. Communication is not a one way street

Involve trusted staff to carry the message of your risk & safety policies. Encourage employee participation in the development process. When your employees feel that their input is valued your office will be engaged in carrying your message. Design the process to be sustainable at all levels of your organization.

3. Proper work-life balance impacts mental health

Employees may be asked to get used to another new normal. Whether that means coming back into the office on a more regular basis or permanently, try and remember that by and large employee mental wellness suffered throughout the pandemic. As you take steps to protect the safety and health of your workforce, do not overlook mental health and wellness. Everybody has unique circumstances that may adversely impact their mental well being so little adjustments like extending flexible work hours can go a long way to employee satisfaction.

4. Play by the same set of rules – that means everybody

It is easy to disregard even the most sensible of guidelines that have been established for the greater good of the group. Common-sense guidelines supported by your state or OSHA need to be followed by everybody. Consistency is the key to making the message resonate. Send out reminders as often as necessary and echo your message firmly. Somebody who refuses to abide by clearly defined rules may need to be sent home. Be relentless about making sure everybody is playing by the same set of rules.

5. Be mindful of each other’s responsibilities

Small to mid-sized businesses need to be aware of the risk and safety management responsibilities and the varying degrees the employer and the employee are responsible for. When it comes to providing a safe working environment, provide safety options, consider alternative ways of doing a job safely, and engage employees in a mutually agreeable way. Remaining open-minded and reserving judgement is crucial as well.


6. Tap into available consultative and training resources

Shameless self-promotion is coming in five, four, three, two and one; do you have access to safety and health resources through an agency, consultant or expert… such as Libertate Insurance, for example? Inquire about the voluminous resources that your reliable partners possess when it comes to evolving environments, laws and compliance requirements! Leverage your partnerships, especially those involved in your firm’s best interest, and you will be amazed at what “we”, I mean they, will be able to help you with.

7. Put safety policies front and center

Do you remind employees about the ongoing safety and mask campaign? Chances are safety policies are not necessarily the primary thought running through your employees’ minds while racing from desk to printer and back. Your firm’s culture needs to foster regular engagement to the point it becomes second nature. Emotional intelligence goes a long way in the delivery of your message. Remind employees of the care and concern leadership has for their well-being; it will be appreciated.

8. Make health and safety part of your organization’s culture

It is all of our responsibility to protect each other and minimize risks. When you see something, say something. Avoid expecting somebody else to see and say something. Every member of the organization can play an active role and should.

9. Do they understand your expectations?

If you create a health and safety culture with team members that own the message and every member of the organization is singing the same safety tune, you have won the expectation battle. Do not allow the loose ends or the uninformed to be the squeaky wheel. Be consistent, be vigilant and be clear about what is expected.

10. Get creative about getting input from office and field staff

Companies have implemented daily check-ins, reporting processes and employee task forces to encourage information about risk and safety to flow in daily. Create a safety game, make sure managers are listening, remember one voice and one message. Make safety and risk management happen.

Ransom seeking hackers taking advantage of server flaws


Content was taken from Reuters (Raphael Satter; click here for the original article) and from The Insurance Journal (Jeff Mason; click here for the original article).

Since Microsoft announced a series of vulnerabilities in its widely used mail server software on March 2, 2021, the biggest threat has been from hacker groups holding users hostage by preventing access to their data unless large sums of money are paid. One security firm had counted 10 separate hacking groups taking advantage of the flaws, with ransomware targeting being the most serious of the threats.

On Sunday, the White House urged computer network operators to “take further steps to gauge whether their systems were targeted.” Despite a recent software patch, concerns over remaining vulnerabilities continued to loom. The remedy still leaves open a so-called back door that can allow access to compromised servers and perpetuate further attacks by others. The back channels for remote access can impact credit unions, town governments and small businesses, and have left U.S. officials scrambling to reach victims, with the FBI on Sunday urging them to contact the law enforcement agency.

CNN reported that the Biden administration was forming a task force to address the hack. The White House official, in a statement, said the administration was making “a whole of government response.” A Microsoft representative said that the company is working with the government and others to help guide them accordingly. Secondly, Microsoft has urged the impacted to install patch updates as soon as possible.

Neither the company nor the White House has specified the scale of the hack. Microsoft initially said it was limited, but the White House last week expressed concern about the potential for “a large number of victims.” So far, only a small percentage of infected networks have been compromised through the back door, the source previously told Reuters, but more attacks are expected. We will continue to monitor the situation as it develops.

COVID-19 Vaccine Workplace Planning

Employers can play a key role in COVID-19 vaccine distribution and should prepare for when vaccine access reaches the general public. Educating employees on ways to avoid COVID-19 vaccine scams and helping to build confidence in the safety and effectiveness of the vaccine are important elements to a successful plan.

While vaccination details are getting worked out, here are three ways to avoid COVID-19 vaccine scams:

1.) You can’t pay to put your name on a list to get the vaccine. That’s a scam.
2.) You can’t pay to get early access to the vaccine. That’s a scam.
3.) Nobody legit will call about the vaccine and ask for your Social Security, bank account, or credit card number. That’s a scam.

Ignore any vaccine offers that ask for personal or financial information.
Learn more at ftc.gov/coronavirus/scams and consumerresources.org/beware-coronavirus-scams

Building confidence in COVID-19 vaccines is equally important for getting us back to safe and productive workplaces. Here are a few things any organization can do to help build employee confidence in the vaccine.

· Start at the top; encourage leaders and managers within your organization to champion the vaccine.

· Talk about it. Provide an environment where employees can ask questions and discuss concerns openly in a constructive manner.

· Provide information about safety, side effects, benefits, development and herd immunity through multiple channels that are both trusted and familiar to employees.

· Celebrate the act of receiving the vaccine. Make employees feel proud about getting vaccinated and doing their part.

A COVID-19 Vaccine Workplace Planning Checklist developed by Zywave is available for download.

Employees getting vaccinated across all sectors of industry and business can be a driving force for a safe return to work for all Americans.

Managing COVID-19 Vaccine Policies

This article is being reposted by Libertate Insurance's James Buscarini. The original content was written in the February 2021 edition of Risk Management Magazine. Article written by Jody McLeod, Esquire, and Gary Pearce.

As COVID-19 vaccines become more available and companies return to the office, employers may want to protect their workforce by mandating vaccinations. However, it is essential that they keep in mind certain risks and how to mitigate them, including the legal limits of what they can ask of employees.

When approaching mandatory vaccinations for workers, the legal rules are reasonably established. Employers can mandate vaccinations as long as they have processes to deal with exceptions. The key exceptions concern medical disabilities covered by the Americans with Disabilities Act (ADA), and bona fide religious objections covered by Title VII of the Civil Rights Act of 1964. Because a vaccination is not a medical examination, it does not inherently trigger certain aspects of the ADA. But beware of violating ADA obligations in the course of asking pre-screening questions or securing proof of vaccinations. Unvaccinated employees—particularly those who refuse or are unable to take a vaccine for medical or religious reasons—may be excluded from the workplace if they pose a direct threat, subject to ADA and Title VII obligations to pursue a reasonable accommodation. The ADA accommodation standard is somewhat more favorable to the employee than the Title VII standard. Determining whether an unvaccinated employee poses a direct threat requires a fact-specific determination, considering the duration of risk, the nature and severity of potential harm, and the likelihood and imminence of potential harm.

Excluding an employee from a workplace because they pose a direct threat does not automatically mean termination is justified. The employer first needs to determine whether there is a feasible alternative arrangement that would not impose undue hardship, such as remote work. There remains a general duty under the federal Occupational Safety and Health Act (OSHA) to provide a workplace free from serious recognized hazards, and COVID-19 exposure will typically qualify. Of course, organizations that expose the general public to COVID-19 risk being sued.

If a company imposes a vaccination mandate, it must consistently administer exception processes regarding reasonable medical accommodations and religious objections. It will need to understand what constitutes business necessity, and must be able to identify reasonable accommodations on a fact-specific, individualized basis. The company will need to decide whether to assume the risks and obligations arising from self-administering vaccinations, or instead depend on collecting evidence of third-party administration. Lastly, it will need to minimize the prevalence of medical inquiries—including medical details unexpectedly proffered by the employee—and preserve the confidentiality of any protected information that may thereby be received.

Other potential issues include whether there is a union contract that the company must consider, or whether any state or local laws forbid mandatory vaccination policies.  

Risks of Vaccination Mandates

If an employer requires vaccinations, it must administer the mandate consistently and consider whether the additional risk is justified. If the employer imposes the mandate for only certain categories (e.g., for customer-facing staff but not home-based workers), it will need a rational basis for its determinations. Also, a mandate could bring any adverse reactions into the realm of compensability for workers' compensation, and time spent receiving a mandatory vaccine is most likely compensable for purposes of wage and hour compliance. Data privacy and retention of medical records also need to be considered in the record-keeping process, as the relevant regulations and laws are quite demanding. If the company provides financial incentives to encourage compliance, income may need to be reported and taxes owed as well.

Changing and Varying Rules

It was not until December 2020 that the Equal Employment Opportunity Commission issued substantial additional guidance regarding COVID-19 obligations under prominent employment laws. As of this writing, OSHA has yet to issue any rules specific to COVID-19, but the Biden administration is expected to issue a broad rule in the coming months. States and municipalities issue executive orders and ordinances at a pace that only specialists can keep up with. Even if all the written rules are known, there is no assurance that they will be administered in alignment with what governed parties might expect. “Guidance” may become a de facto obligation.

For all these reasons, companies cannot base their protection and recovery program solely on compliance with current legal requirements. Nor can a static “one and done” determination be sufficient. In light of all these issues, duties and uncertainties, companies should determine whether a vaccine mandate is an effective use of their administrative resources.

Business Expectations

Requiring vaccinations does not mean employers can forgo the rest of their COVID-19 management protocol. Employers need to keep in mind that there is no proof that vaccinated people cannot transmit the virus to others, the vaccination seems likely to be less than 100% effective, and some people either will be unable to get the vaccine or at least will not yet have received it. Worry about a new pandemic episode will persist for years.

Many employees likely regard safety as the highest organizational priority and will look to their employer to provide reliable information about COVID-19 risk management. Failure by the organization to respect these new expectations could trigger negative social media reactions, unwanted attention from plaintiffs’ attorneys, and difficulty attracting and retaining valuable talent. While this may be a threat to some managers, it is an unprecedented opportunity to strengthen the bond of trust between employee and employer. 

As a practical matter, legal regulations tend to react to changing circumstances. This makes it likely that any rescinding of temporary standards will occur in a somewhat tardy fashion. To date, the volume of litigation related to COVID-19 has been less than feared. However, do not take too much comfort in this. Courts have been shut down, causal connections are likely to be better understood as experience accumulates, and plaintiffs’ attorneys may surmise that juries will be more sympathetic after the worst of the crisis has passed.

Employees Who Refuse

Surveys show that a significant portion of the population would choose not to take a COVID-19 vaccine. Some may eventually be persuaded, while others have deeper objections. Some may be uncomfortable as long as deployment is under emergency use authorizations. This unease reinforces the need to be collaborative in pandemic management and transition planning, and to communicate the reasoning behind critical decisions or policies.

The entire workforce will never agree on how best to emerge from the pandemic. Although communication is important and stakeholder feedback is necessary, securing unanimity is unrealistic. On the other hand, if a significant number of workers refuse to accept a vaccine, even in the face of an employer mandate, is the organization prepared to redeploy or replace these workers?

There is no risk-free path to a post-COVID environment. Employers must continuously assess conditions and be prepared to act promptly despite incomplete information, changing circumstances and inherent uncertainties.