Should we train our contractors in security awareness?

glenn-carstens-peters-190592-unsplash.jpg

We're often asked "Should we require our company's contractors to complete our security awareness training?" This is an important question - the short answer is YES, but you need to be careful in how you present and roll out your training, to avoid running afoul of employee classification laws.

If contractors have access to the company's sensitive data and systems, it seems logical to make sure they have the same grounding as your employees do in cyber security best practices, the specific risks in your environment, and the company's policies and procedures when it comes to security and compliance.

It's also likely that your company (through its contractual and legal obligations to customers, partners, and regulatory bodies) is required to ensure that all people with access to sensitive data have completed cyber security awareness training.

However, there are some important legal and HR ramifications of requiring contractors to undergo training - if you approach this without careful planning, you could run afoul of taxation and labor laws governing the classification of employees vs. independent contractors.

This can present a bit of a Catch-22 for security awareness practitioners. Read on to understand the details, along with some advice on how to navigate this issue safely.

Employee vs. contractor classification

In the USA, the IRS (Internal Revenue Service) and the Department of Labor look very carefully at how companies use contractors in their business, to ensure that companies are not mis-classifying de-facto employees as contractors (and therefore avoiding responsibility for paying benefits and payroll taxes for its workforce).

Recently, with the huge popularity of "gig economy" startups like Uber, Lyft, and GrubHub, we have seen some high-profile court cases play out; including Razak vs. Uber Technologies Inc. (in which Uber drivers claimed that they should be treated as full-time employees) and Lawson v. GrubHub Inc., a similar case involving GrubHub delivery drivers, and most recently the important 82-page decision from the California Supreme Court in Dynamex Operations West, Inc. v. Superior Court of Los Angeles which places further restrictions on how companies use independent contractors.

For companies who rely heavily on independent contractors as part of their business model, this is a huge area of compliance risk. If the IRS or Department of Labor determines that a company has mis-classified independent contractors, the company could be forced to pay a huge penalty on back taxes and benefits costs for those employees.

Each state also has its own rules on contractor status, which complicates the picture even more. No one legal test exists for determining a worker’s classification regarding all legal obligations.  Different federal and state laws define such classification differently based on their own statutes, lead cases, and agency interpretations.  Which test applies depends on the nature of the legal obligation, whether it be wage-and-hour requirements, non-discrimination, workers’ compensation, taxes, or other legal requirements.

Factors in determining employment status

Nonetheless, most of the tests under these laws ultimately involve an analysis of who has the right to control the manner and means by which work is performed.

Generally, if it’s not clear on the face of the relationship who has this “right of control” then additional factors are considered to help make this determination.  Although training may be considered as one factor, it is not specifically identified as a factor in all legal tests and it is not determinative by itself.

For example, California laws often follow the common law “right of control” definition of worker status, evaluating eight factors to make this determination.  These factors are:

  • Whether the one performing services is engaged in a distinct occupation or business;
  • The kind of occupation, with reference to whether, in the locality, the work is usually done under the direction of the principal or by a specialist without supervision;
  • The skill required in the particular occupation;
  • Whether the principal or the worker supplies the instrumentalities, tools, and the place of work for the person doing the work;
  • The length of time for which the services are to be performed;
  • The method of payment, whether by the time or by the job;
  • whether or not the work is a part of the regular business of the principal; and
  • Whether or not the parties believe they are creating the relationship of employer-employee.

Many Federal labor and employment laws use an “economic realities” test, to determine right of control, analyzing:

  • Is the work performed, an integral part of the employer’s business? If integral, it’s indicative of employee status.
  • Does the worker’s managerial skill affect the worker’s opportunity for profit or loss? If a worker exercises managerial skill that affects his profit and loss, it’s indicative of an independent contractor.
  • How does the worker’s relative investment compare to the employer’s investment? If the worker’s investment is relatively minor (e.g., supplies), it suggests that the worker and the employer are not on similar footings and that the worker may be economically dependent on the employer and thus an employee.
  • Does the work performed require special skill and initiative? A worker’s business skills, judgment, and initiative, not her technical skills, will aid in determining whether the worker is economically independent.
  • Is the relationship permanent or indefinite?  Permanence or indefiniteness are indicative of an employee as compared to an independent contractor, who typically works one project for an employer and does not necessarily work continuously or repeatedly for an employer.
  • What is the nature and degree of the employer’s control? An independent contractor must control meaningful aspects of the work performed such that it is possible to view the worker as a person conducting her own business.

And the Internal Revenue Service analyses 20 separate factors to determine a worker’s classification, weighing all factors and evaluating the entire relationship to determine status as an employee or independent contractor.  Factors considered are:

  1. Instructions. The more instructions that are given, the more likely employee status.
  2. Training. The more training, the more likely employee status.
  3. Integration. The more closely integrated the work is with the company’s business, the more likely employee status.
  4. Services rendered personally. If worker must personally do the work, employee status is likely.
  5. Hiring, supervising, and paying assistants. A person who does these things will often be an independent contractor.
  6. Continuing relationship. The longer the arrangement’s term, the more likely employment status.
  7. Set hours of work. Set hours indicate employment status.
  8. Full-time required. Working full-time indicates employment status.
  9. Doing work on employer’s premises. Working on the company’s premise suggests employment status.
  10. Order or sequence set. Performing services in a particular order or sequence set suggests employment status.
  11. Oral or written reports. Required reports to the company suggests employment status.
  12. Payment by hour, week, or month. Payment by the hour, week, or month suggests employment status.
  13. Payment of business and/or traveling expenses. Payment of business and/or traveling expenses suggests employment status.
  14. Furnishing of tools and materials. Furnishing significant tools, materials, and other equipment suggests employment status.
  15. Significant investment. A worker’s significant investment suggests independent contractor status.
  16. Realization of profit or loss. A worker’s potential to realize a profit or suffer a loss suggests independent contractor status.
  17. Working for more than one firm at a time. Working for more than one firm at the same time suggests independent contractor status.
  18. Making service available to the general public. Making services available to the general public on a regular and consistent basis suggests independent contractor status.
  19. Right to discharge. The right to discharge a worker suggests employment status.
  20. Right to terminate. A worker’s right to terminate the relationship without incurring liability suggests employment status.

Based on these authorities, training may be just one of many factors considered to determine a worker’s classification.  Although training may have an impact on classification, it’s not definitive.  The nature of the training would be considered, for example whether it’s mandatory, whether it instructs how to do the work, whether it’s specific to the company, and how extensive it is. 

How should we do awareness training for contractors?

To summarize - if you are considering training your contractors in cyber security awareness, you should work closely with your HR and legal teams to ensure that the training is presented as a general industry resource regarding best practices, and not a company directive to perform services in a particular way. This way, the training will have significantly less weight in indicating employee status.

Generally speaking, companies are allowed to provide basic orientation training to contractors without impacting their employment status (e.g., here are the office hours, here is where to park, here are the basic security procedures and best practices). Make sure to audit your training to avoid anything that goes too far in the direction of "detailed procedures on how to do your work".

There's a big difference between requiring your contractors to attend basic awareness training on things like phishing risks, choosing a good password, acceptable use policies, etc. versus, say, requiring your software development contractors to attend a secure coding workshop. The former is more basic orientation (generally OK), while the latter starts to look like "Detailed training in how to do your job" (a no-no).

Summary

Courts and agencies will consider the entire relationship.  If training is provided to instruct how to perform the contracted services, and if other factors similarly evidence the company’s right to control how a worker performs services, then this would support an employee classification.  If, however, an analysis of all factors (including training) supports that, overall, the worker and not the company has the right to control how services are performed, then an independent contractor classification would be supported.

To summarize, the legal determination of worker status will depend on which party has the right to control how work is performed.  Many factors will be analyzed in making this determination, with factors being given different weight depending on the entire relationship between the parties, and with no one factor standing alone.  If your client companies provide Habitu8 training videos to their independent contractors this could be considered in determining status, but would not, alone, define the outcome.  If other facts identified above are present, such as the training as optional, not extensive, and not company specific, then it would be less likely to indicate employment status.  Such facts, together with other client company-specific facts indicating a bona-fide contractor relationship, would support a finding of independent contractor status.

Chad Loder