The COVID-19 pandemic has struck the real estate industry especially hard with a portion of commercial tenants in the retail space unable to pay their rent. Cedar Realty Trust Inc. general counsel Adina Storch says she's using her legal prowess to reassure a successful rebound for her company after the coronavirus dust settles.

Cedar Realty Trust, a real estate investment trust based in Port Washington, New York, uses a grocery-anchored business model, meaning most of its properties are situated around the pandemic's go-to essential business. But the impact of the novel coronavirus has not totally immunized Cedar Realty Trust from a heavier legal workload. Storch, also the executive vice president, chief compliance officer and corporate secretary at the helm of the six-member legal department, says the pandemic is rife with lessons that she's already tackling in order for her company to recover as quickly as possible.

"I would say one of the principal challenges in our industry is to try and predict what the landscape of retail is going to look like on the other side of this crisis. Are we in a struggle for survival? Who are going to be the winners? Who are going to be the losers? And who will emerge from this in a radically different form?" she said. "Right now, there is a tremendous push to try to mine data that is out there, try to anticipate where the needs are going to be, and to configure our business model to respond to the needs."

Cedar Realty Trust is allowing tenants to request forbearance relief due to COVID-19 hardship.

All 73 employees are working remotely, according to Storch, as Cedar Realty Trust formed a Return to Office Task Force that takes surveys from employees to determine when they're ready to head back into the offices while following local stay-at-home orders.

"We're relatively small in terms of head count, so we can tailor a solution according to our workforce needs," said Storch, who's been general counsel since 2014. "It's an evolving task, and there are many considerations. It's still very much a work in progress."

Storch predicts cybersecurity may produce the highest pandemic-induced risks with many companies having employees currently log into private workplace tools via their personal home internet connections. Cedar Realty Trust recently started an employee education campaign on cybersecurity.

"The No.1 driver of cyber risk is end-user behavior," she said. "One wrong click could put the company's most sensitive data at risk. The two most dangerous words in the English language are 'Click Here.'"

Corporate Counsel interviewed Storch about her experience working under COVID-19 conditions, how she's prioritizing cybersecurity education for her workforce, and the meaning of the general counsel role in a time of crisis. The conversation has been edited for clarity and brevity.

Corporate Counsel: How has your role as general counsel and the role of your legal department evolved since the pandemic started?

Adina Storch: I have to say that attorneys wear many hats in an organization. Because of the powerful cloak that we carry of the attorney-client privilege, we're really privy to many conversations. In boom cycles, we tend to be sounding boards for new ideas and the implementation of those ideas, so we act more as architect-implementers. And in times of crisis such as now, we tend to be more of the defensive positioners for our organization, or guardians of the gate if you will, so we're not so much architects as we are fortress builders.

So translating into which legal skills we're leaning on at different times in different markets, we're leaning on transactional skills more in bullish markets and in bear markets such as this we're leaning on litigation expertise. Really we are just at the core managing risk in these times of adversity with the guiding principles being supplied by the law, which tells us how risk has been allocated in similar circumstances previously. We are constantly assessing risk allocation and advising our business leaders on how best to document our positions so that we can preserve them.

CC: From your point of view, how has corporate governance and compliance evolved during the coronavirus crisis?

AS: I have to say that we at Cedar are never lax about compliance. Because if there is a compliance procedure in place, that means there is a regulatory framework that supports having one. If there is a regulatory framework, it's because we as a society decided it was important enough to have a protocol for that, and these protocols are no less important in a crisis than otherwise. We still have our compliance calendar, and we're constantly keeping our procedures and protocols up to date.

Where compliance gets tricky in this pandemic environment is that you're seeing these massive bodies of law just frontally colliding with one another and sorting out rights and responsibilities in this environment is very challenging. I can give you an example. Right now, employees' right to privacy under various statutes—such as [Health Insurance Portability and Accountability Act], [Americans with Disabilities Act], etc.—has to be balanced against the employers' obligation to provide a reasonably safe work environment under [Occupational Safety and Health Administration].

That inevitably spawns a compliance conversation because employers are figuring out what the return to work will look like, and we have to sort of navigate all these different rights and responsibilities and make sure we're not tripping any wires. So that has been a very big challenge in this emergency pandemic environment. There's the benefit of a lot of legal analysis out there which tries to anticipate how courts are going to construe those rights, and various administrative agencies of the government have provided some guidance, but it's still very much in the broader landscape ahead to be sorted out.

CC: We have been covering the cyber risks around employees working from home and what to expect when they come back to work in the office. What cyber risks are the highest concern for you?

AS: That's a great question, because you really can't afford to be complacent about cyber risks in this environment. The incidence of cybersecurity breaches has exponentially increased since we've moved to a remote working environment. I think the guiding principle of cyber is you're only as secure as your least secure portal. And right now you have a proliferation of endpoint users working off of their own independent WiFi networks with varying degrees of security, so it's the proverbial Trojan horse, and that's lurking everywhere.

I think that cybersecurity may conceivably turn out to be one of the major blind spots of this period because everyone is focused on hedging risks and trapping cash and reducing exposure first and foremost. But cyber is a very big area of concern. Everyone is leaning on their mobile fleet of devices, which were in varying degrees of preparedness when this crisis hit. So a lot of companies are finding themselves in a position where their mobile fleet wasn't completely configured with up-to-date security patches and spyware to be impressed into action the way it has been.

Fortunately, at Cedar we were relatively well-prepared compared to some. We just recently rolled out our employee education campaign on cybersecurity, which is a critical component because making employees vigilant about cyber risks is one of the best defenses that you can mount to counter cyber threats. I would urge companies who haven't yet done it to put that into place and to even roll it out in this remote working environment. It's relatively easy to do.

There are some very good vendors out there offering packages, modules that can be pushed out to employees for education. There are simulation exercises that can be done to run a diagnostic on how secured your employee users are against cyber threats. I think it's critically important while people are working on their own WiFi where you're toggling constantly between work and personal uses on the same devices. It's fraught with potential penetration risks. I think the more you arm your workforce with information on how to identify threats, the more secure you can be.

CC: Overall, how has the pandemic affected workflow? 

AS: All of the in-house departments I imagine are struggling with bandwidth issues. There's just an enormous flurry of paper right now, letters flying in the door from all directions, from lawyers pounding the table for their clients. We have to sift through those and advise the organization without a whole lot of budget for outsourcing. Everyone has constrained budgets, so we're repatriating work in-house and trying to service a tremendous volume. So we're constantly reshifting priorities in my in-house team to focus their efforts on the best use of their time. We have to clear some of the debris out of the business team's way, so they can keep focused on their mission and not get distracted by the legal arguments coming in the door full of sound and fury but, to a legal reader, signifying nothing.

There's a lot of rhetoric being tossed around. For example, a letter comes in the door from a lawyer stating a position with three pages of case law cited and you have a businessperson running into your office, figuratively speaking, asking what to do about this. And as the lawyer, informed by knowledge of the legal doctrine who is reading this letter, you realize it's all sound and fury, signifying nothing, and you say, "Take the two sentences in paragraph 12 containing the substantive proposal. You think about that and let me deal with the rest," because you realize that there's not a whole lot of basis for the argument and it doesn't have enough merit to survive a motion to dismiss if put to a challenge. So you have to sort of be able to sift through the enormous volume of legal rhetoric that's being circulated in order to carve out the real core issues that are being framed and present that in distilled form as a proposal that needs to be considered and clear the path for [the business team] to be able to do what they do.

A lot of the drill right now is steering. It's a process of coordination to define work circuits, task ownership, so everyone is at their post knowing in which direction to launch at the start of the day. It's process and substance together; both are critical. Someone can have a great idea, but if she's cloistered in a room somewhere literally where she has no platform to be heard, there's no way to convert that thought into a goal for the enterprise. You need to create these fora, virtual fora, for people to come together and brainstorm and then you need to carve out protected space for your staff throughout the day so they can chop the wood and get the work done. It's an act of coordination. We're doing it very well.

People have really risen to the challenge in my organization, and it's just been impressive to watch, people just coming to the table with ideas and performing at the top of their game. It's been very energizing to work in this environment, but we are definitely reaching for skills and drafting to blank pages. Our templates are not serving us in this unprecedented environment, but legal doctrines are older than we are. They're older than collective memory. If you look into the case law and the research, you'll find that this isn't the first time that this has happened in human history. The 20th century had several pandemics and many cases that evolved from that era, so there is guidance, there is precedent out there to inform our understanding of how risk will ultimately be allocated when this cloud is cleared. The more we educate ourselves about the law and risk allocation the better we can advise our organizations.