Shelter-in-Place Orders: Five IT and Cybersecurity Questions to Consider in Light of COVID-19

Cybersecurity and Privacy Alert

Client Alert


This is the second alert in a series of Bradley installments on privacy and cybersecurity issues that may arise during the current COVID-19 pandemic. This installment focuses on IT issues that may impact businesses that are located in shelter-in-place jurisdictions. Click here to read the first installment on disclosure of personally identifiable health information under state government disclosure obligations and covered entity obligations under HIPAA.

In the wake of COVID-19, cities, counties and states across the nation are issuing “shelter in place” and “stay at home” orders (SIP Orders) to curb nonessential movement of residents. States and local authorities are invoking powers to evacuate residents through statutes that have historically been used for natural disaster evacuations. While the ability to order and enforce such evacuations is not in dispute, the orders in this context raise many questions.

Most likely the order contemplates that some “essential” businesses can continue to operate. The authorities issuing these orders have leeway in what they consider “essential” businesses during this crisis. However, generally, employees of businesses considered “critical” or necessary for health, safety, and for essential services or providers are exempt from these orders.

For example, the Dallas County “Stay Home Stay Safe” Order (SHSS Order) issued on March 22, 2020, orders residents to shelter at their place of residence between March 23 and April 3 –allowing residents to leave their residences only for essential activities, to perform essential governmental functions, or to operate essential businesses, as defined in the Order.

Because the Dallas SHSS Order is not directed to evacuating a physical area due to an environmental threat like a hurricane, it has some features that differentiate these SIP Orders from other historical orders. For example, it requires non-essential businesses to “cease all activities at facilities located within [Dallas] County” but notes that “businesses may continue operations consisting exclusively of employees or contractors performing activities at their own residences (i.e., working from home).” This raises a question as to what extent a business that can shift its operation to “working from home” can maintain its own infrastructure. For example, if a server needs manually rebooted is the company violating this order by having IT personnel go to the office just to address that issue and support others working from home?

These types of orders can affect a business’ ability to continue to operate, even when those employees could continue to operate from home. Below are five questions to consider when evaluating how a SIP Order affects your business:

  1. Is your business a type specifically identified as essential and excluded from provisions of the SIP Order?
  2. Does the SIP Order exclude the 16 critical infrastructure sections as identified by the National Cybersecurity and Infrastructure Agency (CISA) and, if so, does your business qualify as one of those?
  3. Are there exceptions in the SIP Order for employees to be physically present on the business premises and do they need to follow certain COVID-19 protocols to do so?
  4. If your business or IT employees’ activities are not excluded from the SIP Order, does your IT have a contingency for not being physically present?
  5. Is it arguable that the SIP Order implies the ability to maintain work-at-home operations for non-essential businesses even if it means occasional access to the physical facility for that purpose alone?

One final note to consider is that because of the source of authority on these issues, enforcement mechanisms and guidance on interpretation are unclear. The statute referred to in the Dallas SHSS Order has few provisions on enforcement, primarily addressing enhanced penalties for crimes committed to discourage looting in evacuated areas and stating that individuals can be forcibly removed from the area. If there is ambiguity and potentially large business disruption risk, it may be possible to seek clarifying guidance. Whether the orders are issued by courts or the governor, state and local health departments are often involved as well and may have contacts that can provider further clarification.