As states begin the process to open up their economies and employees return to work, general counsel should update their company policies on handling health information if they choose to screen employees and map out what kind of data may be on employees' personal devices to mitigate the risk of a hack.

In an email to Corporate Counsel, Susanna McDonald, the chief legal officer of the Association of Corporate Counsel in Washington, D.C., said she expects one of the challenges general counsel will face will be "the balance of keeping employee's health information private, while also notifying other employees if someone in the office tests positive, and if they might have been exposed."

Michelle Reed, a partner at Akin Gump Strauss Hauer & Feld in Dallas, said she has been fielding questions on how to best handle health data that employers may collect.

"If you send an employee home because of a fever and then have some kind of a data breach, you can only imagine what that kind of backlash that could have," Reed said.

Generally speaking, the best thing to do is collect as little data as possible and retain it for the least amount of time, Reed said. She said general counsel should begin focusing on updating their employee privacy policies to inform employees what kind of data the company is holding on to.

"The best advice is to make sure you have a consistent policy to apply across the board," Reed said. "If you're consistent, you're less likely to face regulatory scrutiny. That's not to say that you won't be sued, but if you limit the risk you can nip that kind of litigation in the bud."

McDonald said general counsel should be looking at the guidance that the Equal Opportunity and Employment Commission and the Centers for Disease Control and Prevention on employees returning to work.

"GCs will need to be prepared with mitigating costs by having their policies closely align with these guidelines and document how the organization made its decision," McDonald said.

Back And Forth

Michelle Hon Donovan, a partner at Duane Morris in San Diego, said companies will likely stagger schedules when they allow employees to come back into the office.

"There you have all of the security issues of still working from home plus the issues of transferring files," Donovan said. "This poses an increased risk."

She explained that cyberattacks have gone up during the pandemic as employees use more personal devices or work on unsecured networks.

Christopher Ghazarian, general counsel of Los Angeles-based DreamHost, said in an email to Corporate Counsel that legal leaders should note what kind of information is on employee personal devices.

"Today, lots of people use their personal laptops and phones for work. It's much harder to mitigate these risks when devices are not managed by a company's [information technology] department, but rather by the individual employee," Ghazarian said.

He said company files and credentials should be deleted from personal devices when employees come back to the office.

"It's possible that your employees downloaded company files or saved credentials on these personal devices that have not been updated and aren't managed by your IT department," Ghazarian said.