Summary of Live Chat 13 from June 12

(The VBA thanks LPMD Chair Cliona Mary Robb for compiling this summary.)

 

The 13th COVID-19 Law Practice Live Chat at 10 a.m. June 12 featured these speakers and topics:

 

  • Ellen Marie Hess, Commissioner of the Virginia Employment Commission, on unemployment claims and how the VEC will respond as the economy continues to reopen,
  • Sharon Nelson and John Simek from Sensei Enterprises, Inc., on late-breaking developments in cybersecurity in the work-from-home world, and
  • Steven D. Brown with Isler Dare, chair of the Labor and Employment Section, on Phase II reopening hurdles and fielding your questions.

Executive Summary

Cyber Security Tips

  • Perform a security assessment.
  • The Clark Hill law firm has published a post called “Work At Home And Remote Access: it's time for a security review.” It contains a pretty good list of things that you want to look out for.
  • EDR (endpoint detection and response) is more robust than regular anti-virus malware products and is cost effective.
  • The trend is to move away from VPNs to a zero trust model, but if you do use a VPN, Nord VPN is always one of the highest ranked with the least vulnerabilities.
  • Citrix ShareFile is the top-used file-sharing collaboration tool among lawyers.
  • Sensei and other cyber security firms offer a free one-hour security assessment. Sensei also will respond to quick email inquiries without charge.

Employment Tips

  • Make sure you do some kind of health screening to comply with OSHA and for general HR purposes. This can be done via Outlook voting, with responses going directly to HR.
  • Consider having a manager walk around the office and write up a daily report. Having an excellent policy does not help unless it is implemented.
  • You can access church materials that can readily be morphed into employer handbooks, etc., by going to the Virginia Conference of the United Methodist Church website, vaumc.org, and clicking on a room called “Return to in person worship.” The direct link is https://vaumc.org/return/.

Ellen Marie Hess, Commissioner of the Virginia Employment Commission

VEC’s Response to Onslaught of Unemployment Claims and how the VEC will Respond as the Economy Reopens

Experience

Ms. Hess is a graduate of the University of Richmond and an active member of the VBA’s Administrative Law Section Council. She has more than 28 years of experience doing policy, legal and regulatory work for the commonwealth of Virginia. Just after law school she worked for the Department of Taxation and then had a brief stint in private enterprise working for Heilig-Meyers furniture company in credit operations. She then moved to the Department of Labor and Industry in the labor law division of the Department of Motor Vehicles. Just after Governor McAuliffe was elected, he asked if Ms. Hess would take over as commissioner of the VEC.

Onslaught of Unemployment Claims

The VEC was swamped during 2008 and 2009 but that doesn’t begin to describe the current level of work.  

  • In 2019 the VEC had approximately 11,000 claims.
  • The week before the pandemic, the VEC had a little more than 1,900 claims.
  • In the 12 weeks since, the VEC has had over 800,000 claims, about 300,000 claims per month.

Federal Pandemic Unemployment Programs

  • Pandemic Unemployment Assistance (PUA). This is paid to those who would not ordinarily qualify for unemployment, such as gig workers, the self-employed and independent contractors. VEC developed this program from scratch and got it up and running and paying by April 19.
  • Federal Pandemic Unemployment Compensation. This is the $600 additional benefit paid to anybody who is getting any amount of either a state or federal benefit. VEC had that up and running on April 10.
  • Pandemic Emergency Unemployment Compensation. This pays an additional 13 weeks to anybody who has exhausted benefits. The VEC is still programming this and expects it to be up and paying at the beginning of July.

Staffing

  • Increases. Before the pandemic, the VEC had about 432 staff assigned to working on unemployment claims. That has changed to 640 and growing. The VEC call center staff has increased from 82 to 379 and that's also growing. The VEC has augmented its call center staff with a third-party call center solution.
  • How increases were achieved. The VEC did not simply hire many new positions. Instead, it reallocated the positions within the VEC and allocated more of its existing employees to handle the Unemployment Insurance staffing. Back in the day, everyone did everything at the VEC, but over time employees became specialists. Because the agency had some veterans with a lot of tenure, there were folks working in Workforce Services who had Unemployment Insurance history. They were reassigned to Unemployment Insurance. Also, in the call center itself, the VEC was heavily dependent on wage employees who were limited to 20 hours a week. They immediately went to 40 hours a week. The VEC also hired classified staff and wage staff to bring the staffing levels up.

Response as the Economy Reopens

  • Benefits will end for those returning to work. Under unemployment law, if you are called to work, you're called back to work. You have to go. And your benefits will end whether or not you return to work. If you believe you have good cause not to return to work, you can tell the Employment Commission that and VEC will have a hearing, but your benefits are on hold until that determination is made.
  • Waiver of requirement to search for work. At the outset of the pandemic, the governor asked VEC to waive the requirement to search for work. As the VEC reopens its workforce centers, the VEC will turn the work search requirement back on. This means that folks who are on unemployment, whether it's federal benefits or the state benefits, will have to certify to the VEC what they have done to look for a job. And if they don't, they will lose their benefits.
  • Employers reporting that employees are back to work. The VEC will have a portal up that enables employers to report that they have called their employees back to work. That will help the VEC identify claimants who have not told VEC that they have gone back to work and terminate benefits.
  • Projections of unemployment claims in the coming months. The VEC does not have a definite idea of the number of claims in the coming months. The VEC has made projections on state trust funds that have an awful lot of assumptions. Over the past few weeks, claims have been coming down. They're still at historic levels, but they're coming down. The VEC sees the recovery probably being not a “V” in shape, but instead being a steady, but long, upward trend in employment.

Hearings

The VEC had been conducting most of its hearings via telephone for a while, even before the pandemic. The VEC has a third-party vendor that handles everything except the decision. They'll go through the file and get all the facts ready for the hearing officer to make the determination. The VEC also has tax reps who typically will be talking to employers about what their tax rate should be and how many employees they have, and they make determinations. The VEC has taken all the tax reps and assigned them to doing entry level hearings, the first level hearings.

In 2019, about 59,000 hearings were conducted. As of now, the VEC has conducted about 80,000 hearings in 2020. Every day the VEC is conducting hundreds of hearings.

Funding

In response to questions about funding, Ms. Hess responded that the money won’t run out.

There are two different funding streams.

  • For the federal benefits, including that additional $600, the gig worker/independent contractor benefit, and the extended/emergency benefits, those are all being paid through federal funds. The federal government is making a deposit into the trust fund so that the VEC can pay those benefits.
  • For regular Unemployment Insurance, there are a lot of people who were actual employees of operations that had to shut down, such as restaurant staff. Those employers paid taxes into the Unemployment Trust Fund, and that's where they're being paid from.

At the rate it’s going, the VEC will have to borrow. The VEC borrowed during the Great Recession in 2009. If Congress does not act, there will be an impact to taxation affecting unemployment taxes next year for employers.

Advice for Lawyers Assisting with Unemployment Claims

The one thing that VEC would advise is that claimants who are monetarily ineligible under regular Unemployment Insurance should file for PUA, the federal Pandemic Unemployment Assistance.

Closing Remarks Regarding VEC’s Efforts

Regarding news reports on how many phone calls folks keep having to make, Ms. Hess said a tremendous number of people are trying to call, and the VEC is getting to everybody as fast as it can. The VEC has paid nearly $4 billion in benefits. The VEC first went after the issues that would pay the highest number of people the most money as fast as possible.

Sharon Nelson and John Simek from Sensei Enterprises, Inc.

Late-breaking developments in cybersecurity in the work-from-home world

Overview of current economic developments

These days Sensei always seems to be the purveyors of gloom and doom. There are three non-cybersecurity things that Ms. Nelson mentioned at the outset.

  • The Bureau of Labor Statistics announced that the legal industry lost 64,000 jobs in April. The expectation is that that will increase for May.
  • On June 8, the National Bureau of Economic Research, which officially declares whether we're in a recession, declared that we had entered a recession in February 2020.
  • The World Bank followed that up by saying this will be the deepest recession since World War II.

Ransomware Attacks Against Law Firms

An unnamed hacker group, using ransomware dubbed “REvil,” got into the Grubman Shire Meiselas & Sacks law firm in New York City. It’s not known yet how they got in. The law firm represents a lot of celebrities, including Madonna, Lady Gaga, and Bruce Springsteen. The hackers initially asked for a $21 million ransom, and Sensei had never seen a law firm ransom that big. Grubman said no. Then the hackers claim to have gotten data about President Trump, which is weird because Grubman has nothing to do with President Trump or any of his businesses. Then the hackers raised Grubman's ransom to $42 million, which of course the law firm was still not going to pay. The bad guys released some of the data about Lady Gaga, and they now have Madonna's information up for sale with a starting price of $1 million. And they announced that they had a buyer for President Trump's data—they didn't say who, but they've made a separate deal about all that.

The biggest takeaway here, because we don't know how they got in, is to consider the size of the ransom. The average ransomware today is about $134,000. Forty-two million dollars? That's nuts.

Another takeaway is that the ransomware attacks are morphing. They used to encrypt the data and demand a ransom to access the data. Now they are going beyond that to offer the data up for auction to the highest bidder on the dark web. Sometimes they demand two ransoms: one to get your data back, and the other to destroy whatever data they may have stolen. These new types of hacks are known as “Maze” attacks, and the payment is almost always demanded in the form of Bitcoin.

Sensei also knows that three more law firms were breached by REvil. There is no point in saying their names, but they're not happy. It’s under wraps what they are doing about the ransom demands.

Two days ago, reports came out about Dark Basin. It was covered by The New York Times with the underlying report coming from Citizen Lab. Several environmental groups noticed they were receiving suspicious emails with fake Google news articles and other links related to their climate change campaign against Exxon Mobil. The phishing emails came from accounts that impersonated their own colleagues and lawyers. This resulted in a federal criminal investigation into what seems to be the largest hacking-for-hire operation in the last four years. This has targeted a lot of people: lawyers and law firms were specifically mentioned in the report. The other thing that was mentioned in the report is that the company apparently was hired through a series of intermediaries such as law firms and private investigators to mask the ultimate clients and give them plausible deniability.

There are two things to note about all of this. We are under attack more than we perhaps knew prior to this week, and apparently some law firm may have been involved in negotiating this ransomware for hire. There's never been anything as big as this particular hacking-for-hire operation. It really is astonishingly huge, and apparently has been operating full speed for four years. One of the founders was already found guilty in another operation back in 2015, and officials have tied it to a specific company in India.

Ninety-four percent of those who do pay the ransom do get their data back, but you never have a guarantee as to whether they have destroyed the exfiltrated data. Also, with everybody working at home, it's no surprise to have seen a 25% increase in ransomware over the first quarter.

Phishing is still the biggest way that they get in. So, you can't give up on employee training, even now that they are remote. They need employee training more so now than ever. And of course you can accomplish that via Zoom, via GoToWebinar. There are lots of things you can do. Only one in four victims decides to pay the ransom, and most often they have a cyber insurance company that actually pays the ransom. If they didn't give you the keys and allow you to get the data back, then of course the ransom model wouldn't work. But we worry because these are not honorable people. They may get you the data back, but Sensei doubts that they destroy the data because it's still valuable.

2020 Verizon Data Breach Report

The 2020 Verizon data breach report was just issued recently. 45% of the breaches came from hacking, with 70% of those perpetrated by external actors and 30% involving internal actors (sometimes breaches by internal actors involve stupidity, not criminal intent). The good news is that 81% of the breaches were contained in a matter of days rather than months. It used to be six months or more. Now there is so much monitoring and so many systems in place.

It's all about the money. Eighty-six percent of breaches are financially motivated. We do have state-sponsored espionage and business espionage, but most of them were financially motivated. Cloud breaches now represent 24% of all breaches, and that's certainly of interest: most of us have data in the cloud.

You should be having a security assessment now, of all times, because none of us have ever operated this way, using work at home all the time. If you want to read a very brief alert with a useful list of things that you should have, Clark Hill, which is a law firm that a friend of ours is in, has published one that you can Google. It's called “Work at Home and Remote Access: It’s Time for a Security Review,” and it contains a pretty good list of things that you want to look out for.

Mobile Apps for Banking

The Crime Complaint Center, which is a group within the FBI, sent out a notice warning folks about the surge of mobile apps for banking. There's been a 50% surge in use since the start of the year. The warning focuses on there being a lot of fake banking apps through which cyber criminals are trying to get your banking credentials. So, some of the obvious things to do to mitigate that are to obtain the apps from trusted sources, call the bank if you have suspicious apps, and be wary of any links in emails or text messages.

Preventing Cyber Attacks

  • Password Security. Password security includes using a strong password and two-factor authentication. One thing Sensei never stops talking about is two-factor or multi-factor authentication. You’ve got to turn that stuff on. Your biggest protection comes from that. It stops 99+% of attacks. You have got to tell your folks: “I don't care how much you don't want to do it; you're going to do this.” And then a lot of times you can implement it without any cost.
  • New security products. New security products that are getting a lot of buzz now are systems called EDR: Endpoint Detection and Response. It's a little more robust than regular anti-virus malware products. With these tools, an agent sits on your machine and monitors the baseline of the activity that goes on. If there's any suspicious activity, it blocks that activity and sends alerts. So, it's a combination of software and technology in conjunction with SOCs, security operation centers. They get these alerts and they can act on them. They correlate all these events. It's very complex. It's very cost effective now. It's really helping up the game and stopping ransomware, even to the point where, if you do get a ransomware infection, you can actually roll back to a point that was pre-infection within minutes. Some good EDR products include CrowdStrike, which tends to be a little expensive. The one that Sensei uses is from SentinelOne, but there are a lot of them out there.

Work From Home Environment

A study done in March, at the beginning of this pandemic, analyzed over 41,000 businesses. The study found that home networks are 3.5 times more likely to have malware infections than a business network is. Already 45% of companies had malware from the home networks that were already connecting to their business networks, as opposed to only 13% of malware internally within the business network itself. The story there is that we need to make sure that we up our game and certainly secure our home networks much, much more, primarily because ours are not administered by professionals.

Everyone thinks that VPN is the bee's knees, and you should be using them today, certainly, but VPNs are not 100% bulletproof. And because of how things are operating today, VPNs assume that the employee is a trusted source when they go external, and therefore they use that virtual private network to connect up. That's not true anymore based on the architecture of businesses. Folks are using more third parties and using more cloud services. Within the next two years or so there will be movement into what's called a zero trust model. In other words, we don't trust anything that's out there, and everything has to be validated. There’s a prediction that by 2023, 60% of businesses will no longer be using VPN; they'll be doing zero trust. That's good to know for strategic planning: you need to move from VPN to zero trust. If you're going to be using a VPN right now and wonder what a good one is, Sensei recommends Nord VPN, which is always one of the highest ranked with the least vulnerabilities.

Zoom

By the end of May, Zoom implemented AES-256 encryption. This is good enough: it's basically what everyone else was using for webinars. It's important to note that the National Security Agency has approved the use of Zoom for all communications except for classified communications: That's a big stamp of approval.

Sharing Documents

Whenever you're securely sharing documents, encryption is your friend. You want to make sure that that data is encrypted. You can use the file format's own encryption: put a password on a Word document, a WinZip file or a PDF file, and that will encrypt the contents. If you need to collaborate and share documents, Citrix ShareFile is the No. 1 used file sharing collaboration tool among lawyers, but also if you're using a practice management system that's in the cloud, any client portal is going to keep those documents secure as well, because it's effectively behind a wall when the lawyer and the clients are connecting up to it. And then finally, securing mobile devices. It's really, really easy and it's no cost. With any modern-day mobile device, if you put a password, a lock code, some sort of PIN, anything like that on it, it encrypts the contents. And then you're secure from there. Now that's different from doing secure communications.

Help with Security Assessments, Questions

Many cyber security companies including Sensei offer a free one-hour security assessment. It does not take long for Sensei to figure out if there are issues. This could be a full-blown assessment or if you just want a proposal and an estimate on how to fix some stuff. The assessment is the important thing in cyber security and you need someone with specific cyber security certifications to be present. In many cases the IT folks who work for law firms do not have cybersecurity certifications. A lot of folks also have called with individual problems at home. Every IT company in the state is doing the same thing. If somebody just has a quick question and needs just five minutes, Sensei provides that without any charge at all. Just email us to tell us how we can contact you, and we'll give you a call or do whatever, and try to help you out.

Cyber Security Insurance

Most firms do not have cybersecurity insurance. It is expensive, and often is written so that you cannot understand it. You must ask very specific questions about what it will cover. There are so many court cases challenging denials of coverage that we can't even keep track of them all. Business interruption is a big issue right now, but business interruption is not going to be covered because almost all contracts with cyber insurance companies are meant to cover property damage, and most of them have specific exclusions for the pirates. We have seen a lot of battling in the courts over cyber insurance and regular insurance as it pertains to cyber security and business interruption.

Sensei has 15 to 16 employees and its cyber insurance rider costs roughly $10,000 a year.

The VBA’s insurance subsidiary, Virginia Bar Association Insurance, offers some cyber security products.

Biometric Access

How secure is signing onto an account with fingerprints? It really depends. Generally, it's OK. Sensei is not a big fan of using biometric access to unlock your device initially, but once you're in the device, and you've authenticated, it's fine to be using those biometrics to access the application itself. But be aware of the fact that if law enforcement is interested in you, for whatever reason, they will have the right to get you to biometrically authenticate onto your phone, whereas they do not necessarily have the right to get your password, which is knowledge. And we have seen a lot of divorce cases where if wives think their husbands might be philandering, they wait until the spouse falls asleep and take their thumbprint and put it on the phone and that's how they find out for sure what's going on. So biometrics are not as secure as a PIN would be. Also, Customs and Border Patrol agents have been known to, if you don't want to unlock your phone, just hold the phone up to your face to log in.

Steven D. Brown with Isler Dare, chair of the Labor and Employment Section

Phase II reopening hurdles and fielding your questions.

EEOC updates from 6/11/2020

Yesterday the EEOC posted a couple of additional questions regarding its COVID-19 technical assistance publication. Find it here.

  • Train your work force and deal with harassment. A Q&A in this publication dealt with pandemic related harassment and what you should be doing as an employer. Make sure you're still managing your work force, even though they're remote. Just because you have remote employees doesn't mean that your managers get a pass. There should be regular weekly meetings. There should be a variety of things that your managers are doing to ensure that these folks are being managed and that includes training. So employers should be doing Zoom-related training, if you've got folks still off site, which many folks do, and making sure that you remind folks of all the discrimination, harassment and retaliation issues that you will not tolerate. It does not go by the wayside just because we're remote. The way you deal with a teleworking employee sending harassing emails to other employees is the exact same way you handle it if they're on the worksite. Make sure that you're actually policing that.
  • Interactive conversations. The interactive process still should continue to happen about employees returning to work. You should still be talking to your employees about flexibility.
    • If you can be flexible, be flexible.  Allow people to work remotely if you can do it. Don't be as rigid as I'm seeing a lot of clients be with mandating and requiring everybody to come back because it just feels better to make everybody come back. That's going to get you in some hot water down the road.
    • If you can't be flexible, that's fine. But make sure you're weaving into that remote work piece the essential functions of the job and do require them. If it's not true, re-evaluate your job descriptions.
    • Remote lawsuits are starting to percolate all over the country. There's one that just got filed in Massachusetts (if you want the case, email Steve). It's very short, but it's about an engineer, age 65, with high blood pressure. His mother, who has a heart condition, lives with him. The employer required him to come back to the worksite even though he tried to request that he be allowed to stay home. That's going to be litigated there and can be litigated here as well.
  • Medical screenings as folks come back. Be flexible in how you do these to accommodate disabilities or religious accommodations. Just be sensitive to it. You can screen temperatures during a pandemic. You can ask health-related questions. But be careful. If somebody asks for an accommodation, it doesn't mean that they don't have to answer the question. There might be a more creative way to do this to make sure that you get the information you need. You don’t get to exclude folks over the age of 65 in the workplace just because the CDC says they are more at risk for COVID-19. They're still protected by the ADA, and you need to make sure that you're not just excluding them because you think you know better, and you don't want these folks that you believe are vulnerable in the workplace to claim age discrimination. You've got to be careful about doing that. And make sure you actually talk with them about whether or not they can come back into the workforce and be productive. The same is true for pregnancy, and these are all contained in the new EEOC guide.
  • Reluctance to provide health information. You should be getting people to acknowledge their health information. Companies are starting to get pushback now for a variety of reasons. One, we're hearing that they don't want to have to provide their health information anymore. They think that there's no COVID-19 anymore because they don't know anybody who has it, or they're upset because they believe we're a branch of the government basically asking for their information. You still get to ask the question, so there are a variety of ways to do it.
    • One is to use a form that’s filled out: you should be asking for symptoms of COVID-19, you should be asking about contact they've had with people with COVID-19, and whether they've been tested.
    • There's a fillable form that you can have that goes right to HR. If you want to see one that works, go on the Virginia Conference of the United Methodist Church's website. You will find there's a whole wealth of information about returning people to in-person worship, which I've been working on. There's a fillable health form on there that actually goes only to certain people. You can do that for HR.
    • Another creative way to accomplish this is via Outlook. Some clients are using surveys before you sign on to your computer that require you to acknowledge your health. That's a great way to do it, but the other and simpler way is to go to Outlook and use the voting button option. You can use voting buttons and then click on custom, which will allow you to customize an email that goes to your employees and is returned to HR. It allows you to ask a question like providing yes or no to the following questions: Have you had contact with anybody experiencing COVID-19 symptoms in the last 14 days? Have you had contact with anybody being tested for COVID-19? And you can get instant understanding on a daily basis for each employee, if they still have any health issues. I encourage you to keep doing it. If you don't want to use the health form, use the vote button.
  • Do some kind of screening. You need to make sure for OSHA purposes, and for just general HR purposes, that you're monitoring the work force. A lot of my clients are using managers of the day. Make sure you tell them to get up and walk around, because you're supposed to be looking at the work force to determine if everybody's fine. Are they using a proper social distancing? Are they following your guidelines and your plan that you put in writing? Do not get caught, like employers do when they write a good harassment, retaliation and discrimination plan. They write great stuff and then they never implement them or manage them. When you write good return-to-work policies and you talk about how you care about the safety of your employees, you have to actually mean it, and meaning it means you get up and you walk around and then put it in your report each night. Each manager of the day should be filling out a report of what he or she saw during the day. If he had to send somebody home because they were ill, how did the manager handle it?

VBA Conference on Labor and Employment Law

The 50th annual conference will be held in Richmond Sept. 10-12. It will be an in-person meeting with a virtual option. If you want to learn about all the laws we've been talking about for the last 13 weeks, we're going to talk about COVID-19 for two and a half solid hours on Saturday.

In-person meetings at professional service firms

What we're advising clients to do and what we're doing at our firm is when you're coming in, we've got a box of face coverings at the front desk. If you don't bring one, we are requiring anybody coming to our office to wear a face covering and also use hand sanitizer. We're propping the door of the conference room open, so nobody has to touch it, and then we're socially distancing ourselves in the conference room. Documents prepared for clients or others sit at one part of the table, and then we're at the other part. This will protect us both and we've had no real pushback other than "this is uncomfortable."

Sample documents

The website with sample documents, including a handbook, is the United Methodist Church website: VAUMC.org.  You'll be able to click on a room called “Return to in person worship.” When you click on that room, you will find under Latest News a variety of things we've put up that your business or churches can use.
