Newsletters

Labor & Employment Newsletter - March 2022

Date: March 28, 2022

State Tax and Withholding Consequences of Remote Work

By: Herman B. Rosenthal and Alexander Ashrafi

One of the most sweeping economic changes arising as a result of the pandemic is the shift from in-person to remote working. Although many employees have returned to working on location again, factors indicate that the labor market has changed to more permanently accommodate remote workers. With this shift comes state tax and other employment issues employers must now contend with.  This article focuses on some of the state tax issues.

Prior to COVID-19, certain state tax credits or reciprocity provisions were already in place to account for individuals working in one state while residing in a neighboring state, while multi-state businesses “apportion” their income among the states in which they do business based on apportionment methods that vary from state to state. Additionally, states through formal or informal policies allowed for varying amounts of de minimis work within the state from nonresident workers without triggering tax consequences. However, the shift to remote work opens the possibility of employees working beyond those geographic boundaries for longer periods of time, thereby creating potential tax consequences in states employers previously had little to no contact with.
 
Taxes in the Employee’s Place of Work; Where Employers are Subject to Tax
Employers must take measures to identify where their employees are working and residing in order to make sure they properly allocate compensation and comply with any income tax reporting and employer withholding requirements in each jurisdiction. Most preferably, accounting for employees’ work locations can be done through open and periodic communication between the employer and employees, though employers can also use digital indicators (IP addresses, payroll software, etc.) to keep track of where their employees are performing work

Businesses have noted the ongoing issue of employees not self-identifying their work locations. To remedy this problem, employers can encourage employees to be upfront about their remote work, making sure to affirm that such information is required simply for tax and compliance reasons—rather than as an indirect way to discourage employees from working remotely. Other considerations, such as employee benefits or the requirements for a business to register or qualify in order to legally transact business in a given state, may also become relevant with employees working remotely in various states, thereby warranting careful examination of employees’ work locations.
 
The “Convenience of the Employer” Rule
States that temporarily changed their tax and withholding rules have already lifted such policies, as other COVID restrictions and policies are in the process of being lifted. There is a broader discussion to be had of how states might rethink their traditional approaches to taxing (i.e., determining whether “nexus” or jurisdiction to tax exists based on the presence in the state of remote workers) and allocating or apportioning income, in the face of the enduring change in the nature and prevalence of remote work. However, it is unlikely that states will permanently amend their laws in the immediate future to account for this boom in remote work, which could create tax-related issues for both employers and employees.

For example, New York, among certain others states, uses the “convenience of the employer” rule, whereby it only allows allocation of income to another state with respect to a nonresident employee if that employee works in that state for the convenience of the employer, not the employee. With the substantial increase of remote, out-of-state work, continued application of this rule has foreseeable problems, such as determining whether any given case of remote work in this new landscape of remote vs. in-person working is necessary for the employer, especially in light of the initial mandates requiring at-home work.
 
Conflicting State Rules
Additionally, conflicts could arise between two states claiming the same income from a remote employee. Indeed, this issue arose in New Hampshire v. Massachusetts, when New Hampshire sued Massachusetts over its emergency rule requiring employers to source employee wages to the employee’s place of work before the pandemic, having the effect of Massachusetts claiming that the income of employees whose place of employment was in Massachusetts but who were physically working in New Hampshire was earned in, and therefore taxable in, Massachusetts. The U.S. Supreme Court denied it had original jurisdiction to hear the matter, so the issue will likely continue to be litigated in the years to come.

In the meantime, employers must learn to adapt to the switch to remote work while the legal framework lags behind. As a result, employers must pay close attention to and comply with states’ withholding rules, while staying up-to-date on any legal developments in the courts and elsewhere with respect to resolving differing rules among states.

Mitigating Risk and Establishing Expectations through Remote Work Agreements

Throughout the pandemic, most employers allowed and/or required employees to work remotely as a temporary measure to mitigate against the risk of contracting COVID-19 in the workplace. As we ease into a return to the physical workplace, employers should expect that their workforce will seek to continue to work, in some capacity, remotely. Notably, many positions which were previously thought to require an in-person presence, have been performed remotely over the past 1-2 years. This “new norm” will certainly increase the number of  requests for continuity of this arrangement. As remote work becomes an employer provided benefit as opposed to an emergency response, employers should require employees, who will be permitted to continue to work remotely, to enter into a Remote Work Agreement, if this has not already occurred. At a minimum, remote working agreements should address the following:
 
  • The nature of the remote working relationship
    • Is it full time or hybrid? Is it temporary as part of an accommodation request? Is it fixed for specific days per week? 
  • Core days/hours
    • Will there be core days that employees are required to be in-person and core hours that employees must work, whether remote or in person?
  • Equipment
    • Who is providing the computer and related equipment? If the company is providing, what is the process if equipment is damaged and who is responsible for repair? Who is responsible for the costs of supplies such as printer ink, paper, and pens? If the employer is providing equipment, set forth the specific equipment being provided and an agreement to return the equipment upon separation of employment with penalties for non-compliance.
  • Security
    • Employers take care in ensuring its computer systems at work are secure. This must include equipment at home, particularly if the employee is providing their own equipment. If the employee handles confidential files that would require lock and key at work, the same requirements should be followed if files are home.
  • Suitable work space
    • The agreement should require a safe, suitable work space, free from distraction. This does not necessarily require a special room/office as this could result in a disparate impact for employees with smaller homes. The work space must be safe and comply with OSHA requirements.
  • Right to inspect
    • While the company may not ever choose to inspect the home working environment, it should reserve the right to do so.
  • Prohibition on meetings in the home
    • Employees should not be holding meetings in their home.
  • Address of home office
    • Require the employee to provide the address and to notify HR of any changes to that address.
  • Not a substitute for day care, elder care or sick leave
    • Make sure the agreement is clear that remote working is not a substitute for dependent care and that the employee will not provide dependent care during work hours.
  • For the employee’s benefit
    • With remote working comes the risk of “doing business” in other jurisdictions with potential to subject the employer to jurisdiction of other state courts. Ensure that the agreement is clear that the arrangement is solely for the employee’s benefit and that the employee agrees that working from home does not subject the employer to jurisdiction in that state.
  • At-will
    • Unless the employee is a contracted employee, the agreement should be clear that it does not alter the at-will nature of the employment relationship.
  • Interruption in service
    • What happens if the employee’s internet is not working? Are they paid? Do they need to take PTO?
  • Requirements for meetings/calls
    • When working remotely, are employees required to attend meetings via zoom with cameras on? Are they required to participate in-person for certain meetings?
  • Termination of arrangement
    • The agreement should provide that the remote working arrangement can be terminated at any time. 

Fortunately, employers can now craft policies and agreements with hindsight to address lessons learned through the temporary remote working that occurred during the pandemic to ensure that business needs are met while remaining competitive in the workplace and allowing employees to continue this flexible option. Before entering into any contract with an employee, however, it is best practices to have the agreement reviewed by counsel to ensure that the agreement is clear, legally binding, and minimizes risk to the organization. 

Data Privacy and Security in the Remote Work Era

By: Bruce F. Martino, CIPP/G, CIPM, Director of Privacy, Data Security and Compliance

Employees have been working remotely[i] since at least the mid-2000s. The COVID-19 pandemic, starting in March 2020, forced employers to permit employees with certain types of jobs, usually white collar, to work remotely on at least a part-time basis. IT departments were overwhelmed by the pressing need to provide employees with remote access in a very short time. That need may have, in some cases, overridden established processes and procedures around data security.
 
We are nearing the end of Q1 2022. Safety concerns relating to the original COVID-19 virus and variants have decreased relative to reported lower average daily infection rates and fewer hospitalizations. Senior executives and human resources professionals are now studying their organizations as they plan for the post-COVID-19 workplace. Indications are that a larger number of employees, who have jobs compatible with a remote work environment, will be working remotely on a full- or part-time basis than those who worked remotely prior to March 2020.  
 
Employers have presumably improved upon their remote work data security processes and procedures since the early days of the pandemic. However, they may still have questions about the extent of their legal obligations to secure data and the best practices that can be used to meet those obligations. The remainder of this article will focus on those areas.
 
Security Standards - Employers’ Obligations
There is no universally inclusive data security standard required by federal law[ii]. If an employer is not the type of organization covered by a specific federal standard, the employer must look to state standards.
 
There are a number of states which require organizations to take reasonable measures to protect against the unauthorized access to, and acquisition, use and disclosure of personal information. Maryland, for example, has adopted the reasonable measures standard. Maryland’s law says
“. . . a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures that are appropriate to the nature of the personal information owned or licensed and the nature of the business and its size and operations.”[iii] California, Delaware, the District of Columbia, New York and Virginia (effective January 1, 2023) are included among the states that apply the reasonable measures standard.
 
Most legislators and regulators use the reasonable measures standard because one size does not fit all, nor is it appropriate for all situations. The data security program implemented by, for example, a global financial institution does not need to be the same as that implemented by a local pizza shop. An organization has flexibility to implement a program that is risk-based and otherwise appropriate and tailored for its unique circumstances.
 
Massachusetts law gives more specific guidance on what is reasonable. Massachusetts regulations[iv] require each organization to which the regulation applies to maintain a written information security plan. The plan must describe the safeguards the organization uses to protect personal information. The safeguards must be appropriate to the size, scope and type of business, the organization’s available resources, the amount of data stored and the need for security and confidentiality, i.e., the sensitivity of the stored data. Activities that must be part of the security plan include, but are not limited to, appointing an employee who is responsible for administering the plan, conducting risk assessments and reviewing the safeguards annually.
 
For an employer trying to determine what is reasonable, the author suggests that it review Massachusetts law and perhaps adopt its standards. Regulators would likely look favorably on the argument that an organization modeled its security plan on an actual state law even if the employer is not subject to that state’s law. Similarly, a potential adverse party would have a difficult hurdle to overcome in arguing that the employer did not act reasonably.   
 
Controls an Employer Can Implement
Employers must evaluate and re-evaluate their data security programs to account for larger numbers of full-time or part-time remote workers. The following are some of the physical, administrative and technical safeguards which can be used as a part of an employer’s reasonable security measures[v]:
 
1. Require employees to use complex passwords of at least 8 characters with a combination of upper and lowercase letters, numbers and symbols. Establish a standard to change passwords at least every 90 days. Use best practices for password management.
 
2. Make multi-factor authentication mandatory. A second log-in credential greatly decreases the ability of threat actors to infiltrate an employee’s account.
 
3. Keep all software updated with the latest patches and security configurations.
 
4. Raise employee awareness of threats such as phishing, spear phishing and ‘deep fakes’ via periodic messaging and mandatory training.
 
5. Issue corporate-owned devices to employees. The devices are generally more secure and likely to utilize methods such as encryption to secure data in transit and at rest.
 
6. Establish a written incident response plan. Assemble an incident response team, including an IT forensics resource, which is available at the ready to carry out the plan in the event of a data incident. Test the plan periodically via a table top exercise.
 
7. Remind employees to not share a company-owned device with a family member. Children, in particular, are susceptible to downloading malware.
 
8. Procure and renew cyber insurance. Be certain it covers incidents caused by remote workers.
 
9. Train employees to be wary of working in public spaces using public WiFi and hot spots.
 
10. Remind employees to observe the ‘clean desk’ concept even if at home. Persons other than family can be present in a home.
 
11. Documents containing sensitive information that are printed away from the office should be returned to the office for shredding or via disposal by other secure methods.
 
Conclusion
A written information security plan should include physical, administrative and technical safeguards appropriate to the business. It must cover all employees, whether working at a physical office location or at a remote location. Remote work is likely to continue as we are seemingly emerging from the worst of the COVID-19 pandemic. In fact, it is likely that a larger number of employees will be working remotely, whether full-time or part of the time, relative to pre-pandemic numbers. Employers need to use reasonable measures to secure the data they handle, and to give particular attention to the challenges posed by more employees working remotely.   
[i] ‘Remote’ incudes work at home. Home can be geographically close to the employee’s office location or many miles away. Home can be a second home or a vacation destination. It can be anywhere with an internet connection.
[ii] There are federal laws that set out security standards. Their application is limited to certain types of businesses. For example, the Security Rule adopted under HIPAA sets out security standards for safeguarding electronic protected health information. However, with limited exception, it applies only to healthcare providers, healthcare clearing houses and healthcare insurers. The Federal Trade Commission adopted the Safeguards Rule to protect consumer information. The rule applies only to certain financial institutions.
[iii] MD Code, Comm’l Law § 14-3503(a).
[iv] 201 Mass. Code Regs. 17.01 – 17.05.
[v] These are not listed in order of importance. All are effective. 

Insurance Considerations for Employers with Remote/Hybrid Employees

By: Daniel A. Griffith

Many businesses have found that having employees who work from home, which was a necessity during the pandemic, has become a benefit since employees tend to prefer remote or hybrid work and productivity has not suffered. However, the rise of remote work comes with potential liability, requiring employers to examine the scope of their existing insurance coverage and to explore additional options for coverage.

Remote working generally implicates three forms of business and employer-liability insurance: (1) worker’s compensation; (2) cyber-insurance; and (3) commercial property insurance.
 
Workers Compensation
Almost all states require businesses with employees to maintain workers compensation insurance covering, among other things, lost wages and medical bills for employees who are injured or become ill on the job. Generally, this insurance covers employees regardless of their location, so long as they are “in the course and scope of employment” when they become injured and/or their illness is job-related. However, if a remote/hybrid employee is injured at home and files a claim, it is that employee’s burden to prove that the incident occurred during business hours while performing work duties.
 
Cyber Insurance
The risk of a cyberattack increases dramatically with virtual employees. In fact, 74% of organizations attribute recent cyberattacks to vulnerabilities created by remote working.[1] An adequate cyber liability insurance package includes both first-party coverage (for damages resulting from a breach on your own systems) and third-party coverage (for damages resulting from a breach compromising your clients’ systems and information).
 
Commercial Property Insurance
If your company has remote workers, they are likely using laptops or other equipment which belong to the business but are being used offsite. Commercial property insurance reimburses the company for business property that is lost, damage or stolen.

Standard commercial property insurance generally covers property on the premises of the business but may exclude or reduce coverage for property away from the office. It is critical for businesses with hybrid/remote employees to secure commercial property insurance that covers business property used offsite by remote/hybrid workers.
   
In sum, the business world has discovered the benefits of employees working remotely. Employers are well-advised to make sure they maintain the appropriate insurance to address this new environment.

[1] Forrester, Beyond Boundaries: The Future Of Cybersecurity In The New World Of Work (September, 2021)

Time To Consider a Remote Work Mini-Handbook?

By: Steven E. Bers

By March 2020 the COVID-19 pandemic caused an unprecedented emergency in every American workplace. Overnight, literally millions of employees became remote workers with employers scrambling just to keep the doors open. There was no time to prepare guidelines describing the expectations and unique challenges of the new remote environment. But there is time now, and the well-advised employer should do so. 

We are assisting employers in preparing remote-worker mini-handbooks, especially limited to the special circumstances and legalities of remote work. The issues recommended in the mini-handbook format can generally include:
  • Accountability Expectations: Remote work is not “flex-time.” A specific schedule should be established, describing expected response times for e-mails, texts and phone calls.
  • Clarity as to Competing Commitments: For most employees, remote work should not be a substitute for adequate childcare, or a green light for unlimited performance of extended personal activities. The concept of a “day’s work for a day’s pay” should find some subtle level of articulation.
  • Equipment Care and Protection: Guidance should be provided for addressing technical issues and equipment care. Clarity should be provided explaining that provided equipment should only be used for business purposes and not used for downloading outside programs or personal information.
  • Confidentiality: With information outside of the brick and mortar protection of a traditional office, commitment to confidentiality should be stressed. Screens should not be left open for viewing and equipment should be  protected from theft. Caution should be offered concerning the use of unsecured public internet connections.
  • Equipment Return: With employees being provided thousands of dollars of hardware equipment, strong language is necessary to enforce immediate equipment return upon termination, especially in adversarial situations. An employer does not have an automatic legal right to withhold final paychecks in most States without express language to that effect in the event of failed equipment return.
  • Choice of Law: With the advent of multistate employment, and different employment laws in each state, it is absolutely necessary to affirmatively state which State’s law will apply in determining the rights and obligations of the employee. By example, different states have different laws concerning non-competition, leave time entitlements and employee record inspection rights.
  • Choice of Forum: Finally in the context of multistate employment, it is highly advisable to affirmatively state that any litigation arising out of the employment will occur in the employer’s most convenient state. By example, an employer should not place itself in a position to have to travel to California or Alaska if successfully employing an employee in one of those states.
     
Remote work is here to stay, accelerated in its inevitability by COVID-19 by at least a decade. Now is the time to consider a consolidated guidance – a mini-handbook for remote workers – responding to this new and unique modality. Our Labor & Employment section can assist you in this project.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.