Duty of care is a broad term that encompasses some of the most important responsibilities a business takes on today. It might sound foreign, or even a bit vague, but duty of care is something every workplace has to consider on a constant basis. With many workplace norms changing in the wake of the pandemic, the question of whose duty it is to care continues to be debated, even if the protections it offers should never be.
What is duty of care?
According to Scott Goldsmith, SVP & General Counsel at HiveWatch, duty of care is a legal term that is applied and defined differently depending on the industry, the people involved, and the subject at hand. In the context of an employer, there are typically two areas in which duty of care is top of mind:
- What duties are owed to employees? This is typically governed by different regulatory agencies such as OSHA, which operates to protect employees from recognized hazards that could lead to serious personal injury or death.
- What duties are owed by owners or occupiers of a property? In this sense, there is a duty of care to protect and/or warn visitors to that property against hazards that are known, or reasonably should have been known, to the property owner.
Overall, duty of care is fact-dependent, and it carries multiple definitions across business sectors. Although the technical definition of duty of care hasn't changed, the move towards remote and hybrid work models has greatly increased the complexity of the topic for organizations, and of how they go about protecting themselves and their assets.
Protecting data security
Duty of care plays an integral role in the world of physical security, but it is also a crucial part of protecting data. Here it applies to the duties owed with respect to the data in a business's possession. In this case, data security duty of care is governed by law, which means businesses must constantly think about how to protect their data and their servers, and how to honor their confidentiality obligations.
What does duty of care mean to different leaders?
Chandler Bondan, Interim CPO at BuzzFeed, explains duty of care as "a cross functional responsibility amongst HR, People, Facilities, Legal, Security, IT, and even InfoSec." It plays a role in company morale, recruiting, and, especially recently, employee retention. Moreover, duty of care means increasing support from a mental health perspective, making sure people have a work/life balance, and helping people actually sign off from email even when they work from home. In this way, Bondan challenges her employees to think differently about what flexibilities they need, especially around things like child care and COVID-caused school closures. Surveys and polls are sent out frequently to gauge what employees really need, rather than leadership arbitrarily adjusting internal policies or time off.
After hearing directly from employees, BuzzFeed launched mental health days where people could take a day for themselves that wouldn’t come out of PTO.
BuzzFeed provides competitive offerings by incentivizing candidates with benefits and parental leave rather than just pay, and by working directly with vendors who provide mental health and childcare services. At the end of the day, it's an endless list of offerings that, in turn, have built a sense of belonging and community amongst a remote workforce. Overall, duty of care means providing your population with what they need.
For Caleb Sima, Chief Security Officer at Robinhood, duty of care means "preventing danger or ensuring someone's information is safe." Recently, Robinhood pivoted to a fully remote workforce, drastically changing the way duty of care is provided. With everyone working from home, the question of how to protect customers' data from employees' home networks has become incredibly complicated. Robinhood abides by the "Zero Trust Model," under which employees and their machines are assumed to be operating on untrusted, potentially hostile networks. Through that assumption, Robinhood expects the worst and works to prevent data leaks before they begin. However, it becomes tricky to balance how far duty of care should go when protecting an employee within their home network. According to Sima, "an overreach of preventative measures could mean a lack of privacy for employees who have every right to not have their networks monitored by employers after hours. This results in a gray area around what is good vs. good enough. It also sheds light on the question of whose duty of care is more important: the privacy of an employee, or the data of a customer?"
Mike Jude (Research Director, IDC) said that “some duties of care can go overboard, crossing the line from supportive to oppressive.” This happens when employers think they are protecting their workers when they’re actually infringing on personal privacy and rights.
After polling customers on why they were buying security equipment, Jude found that "the #1 reason was to enable the business, and #8 was keeping employees safe."
However, employee resistance was cited as the most common barrier to security equipment being implemented in the first place. This was most notable with video observation, which has recently been used for thermal imaging to screen for fever. But even with the best of intentions, people don't like such an intimate way of being watched. Just the mention of duty of care can create a morass. There are all sorts of competing objectives and desires, and at the end of the day the people you want to protect may not lend themselves very well to being protected.
Protecting IP through protecting real people
Most often, people perceive their homes to be safer than their office, but what about when a business is trying to protect intellectual property? Especially if that IP comes from a specific employee, such as a journalist? Over the last two years in particular, the shift away from a traditional workplace environment has complicated the protection of the IP employees create. More people are working from home, but when you push people off campus, how do you protect the data you are collecting in the first place?
For Caleb Sima, it's about “assessing the context level that you’re in vs. the risk level that you’re at.”
Security leaders need to be able to dynamically shift the measures they use on a case-by-case basis. For example, when an employee is working from home, or traveling, but is near a dangerous event like a shooting or a severe weather event, there is a potential risk of that employee being injured, or of the business's continuity being disrupted. This means, in Sima's words, that "the environment becomes the paramount indicator for the type of duty of care that needs to be implemented."
When it comes to protecting IP, Mike Jude recalled when companies used to take out insurance policies on certain employees. Though it may not be reasonable at scale, protecting that one employee with a really good idea could mean protecting the future of the company.
For Bondan, protecting real people and their IP means building out a risk management team to provide constant support. According to Bondan, "this is crucial for reporters who work in warzones or cover events of civil unrest." On the day of the Capitol insurrection, BuzzFeed had exit plans for its journalists and even supplied them with body armor. They asked their employees what they were personally comfortable with, and even deployed security guards to accompany them at the Capitol that day. Bondan recalls that it was a "moment of constant agility."
Detectable Pre-Event Indicators
Detectable pre-event indicators found through monitoring social media, deep web traffic, and the dark web can be used to anticipate threats before they materialize. In this case, Goldsmith explains, duty of care applies to what a company knew or should have known about a danger. So if a company or government entity has ample information on an impending threat but fails to act on it, the risk for that organization skyrockets. This is largely because people increasingly expect organizations to act preventively. Influenced by television shows like CSI, people expect companies to use state-of-the-art technology at all costs.
Ryan Schonfeld of HiveWatch makes an important distinction when it comes to user-reported threat apps like Citizen. With apps like this on the rise, security leaders must question the practicality of relying on this kind of data to act preventively. These apps often deliver a constant barrage of reports that may seem threatening to employees working from home. But at what point should an organization step in to protect an employee who is near reported danger? According to Schonfeld,
"Apps like Citizen only provide unverified information, as well as information overload, which HiveWatch refers to as 'noise.'"
It becomes crucial, then, to differentiate between what is noise and what is actionable intelligence that can be researched and verified.
Duty of care: it’s a team effort
Duty of care covers a broad range of responsibilities that an organization owes its employees. Whether it's protecting the physical safety, the data, or the mental health of an employee, businesses must remain agile in order to provide the highest level of protection for their employees, whether they choose to work on campus or at home. And though the intention of protecting people outside of work can be well-meaning, it's critical that businesses ask their people how comfortable they are with measures that intrude on their privacy in order to protect a company asset.
What's most important is that all businesses find support from their C-suites in order to get proper funding for security initiatives. Security leaders must be able to tell the right story about how certain security measures could prevent disaster, so that they are prepared when a security threat arrives at their doorstep. Whether an organization decides to treat full-time employees, freelancers, contractors, or office visitors differently, it's imperative that the context and environment surrounding duty of care be looked at individually, so that a business can fine-tune security to those unique needs on a case-by-case basis.