Unbelievably, it has been almost five years since the world undertook one of the largest work-from-home experiments ever. Ready or not, in the days and weeks following the World Health Organization’s March 2020 declaration that COVID-19 was a pandemic, employers throughout the world grappled with how to have their workforces work remotely in a secure and productive way.
Now in 2025, many organizations and governmental entities continue to weigh the pros and cons of when, if, and how to bring their workforces back into offices – whether hybrid or even full-time. While this is happening, regulators, in particular at the state level, have busily developed their own guardrails or standards to which employers must adhere for any financial services, including collection agencies, and employees working remotely. The remote work issues remain challenging because study after study shows that employees want to continue to work remotely (and are productive working remotely), even if only part of the time.
State regulators regard each employee’s work-from-home (“WFH”) location to be an extension of the employer’s approved principal place of business for purposes of licensing and oversight. As a result, any employer providing WFH opportunities for members of its workforce must be familiar with a wide range of state and federal remote work, privacy and data security laws and regulations that could be applicable. The integrity and confidentiality of consumers’ data is highly important to state regulators, so any effective WFH program should rest on a sound data protection and information security foundation.
Whether you allow your employees to work remotely full-time or in some sort of hybrid arrangement, the following is a checklist of key compliance topics you may want to review to ensure your WFH program is compliant. The checklist below is not legal advice but is a summary compiled after a review of many key states’ WFH laws and regulations and applicable data security standards – notably Maryland, Massachusetts, Nevada, and Washington. It is important to review both federal and state laws and regulations that, depending upon the unique nature of your business, may be relevant to your WFH program.
The WFH Agreement: Training, Readiness, Knowledge of Your WFH Program
To ensure a member of your workforce is ready to work from home, many regulators expect your employee to enter into a straightforward, written agreement spelling out all the key terms and conditions of an employer’s expectations for a successful WFH arrangement. The WFH agreement should, per state laws, include topics that are appropriate for the type of work your company does as well as the following:
a. An explanation for how long a new WFH employee will be expected to train and work in one of the company’s physical offices before being permitted to work in an approved WFH location. Note that states may require employees to work in the office subject to the direction of existing members of the workforce for specific periods of time before they may be approved for WFH. Other states may impose geographic limits on how far from a company physical location a WFH employee may live, a limitation on working from outside the United States, or in the case of some states, a strong regulatory preference that certain employees, such as the company’s compliance officer, actually work from a company physical office.
b. A description of the type of work you expect your employee to do – perhaps even attaching a copy of the job description unique to each employee’s role at your company. You may want to ensure that you describe exactly what work your employee is authorized to do from home and any work that may only be performed in an employer’s office – and that regardless of where your employee works, each and every company policy and procedure applies with equal force.
c. A listing of all computing, telephony or other key equipment the company is making available to the employee to perform their work for your company, which, should the employee separate from employment, would be the employee’s responsibility to return to the employer in good working order. Also included in each employee’s inventory list should be any credentials for using software or other applications provided by the company (or its clients). Ideally as company equipment is issued to an employee, Human Resources or Information Technology folks would catalogue resources assigned for each WFH employee’s use. Upon delivery, the WFH employee would be expected to have read and confirmed compliance with all the company’s policies, including without limitation, the company’s security policies and any other company policy to protect the safety of the equipment the company is authorizing the employee to use in the conduct of business.
d. Confirmation and certification of a specific location as your employee’s approved WFH site. Your WFH agreement may offer details to your employees on how to get permission to relocate their WFH site and what criteria will render a site “approvable” or “not approvable” such as:
- quiet, distinct and safe location where only one company employee will be conducting your company business (no working from coffee shops with free Wi-Fi and lots of foot traffic);
- reasonable utilities such as Wi-Fi, electricity, surge protection for electronics;
- office setups that do not allow other household members to view monitors or other work information or overhear calls and video conferences;
- securing of company resources at end of every work day;
- subject to ongoing monitoring and oversight by the employer (potentially including site visits to verify terms of the WFH arrangement are being upheld);
- free from distractions and interference (e.g., other people, televisions, and other distractions);
- fully connectible to the employer’s technology systems including any computer system in the employer’s offices;
- subject to full recording of all calls to and made from the remote location and monitoring of calls to and from the remote location in real time;
- unique user identification, password and other credentials to access all of the employer’s telephony and computing systems; and
- subject to the employer’s written information security program.
Privacy and Data Protection
a. Sharing is not caring when it comes to either consumers’ nonpublic information or your company’s proprietary information. You may wish to have your employees’ WFH agreement clearly describe the WFH employees’ responsibilities to safeguard the integrity, availability, and confidentiality of any consumer or your company’s information entrusted to their care. State and federal privacy and data protection laws are applicable to the work WFH employees do – whether at an employer’s offices or at an approved WFH site.
b. See something, say something. The flip side of the confidentiality expectation is that it is critical for your company to have “who to contact” information in the WFH agreement encouraging employees to “see something, say something” if they become aware of any potential uses or disclosures of consumer (or your company) information in a way you do not expect.
c. Clarity around exactly what data concerning consumers may and may not be maintained by employees in their WFH environment. You may want to establish a role-based matrix that clarifies whether any of the members of your workforce need print capability or the need to have consumer data, consumers’ financial information, your company’s proprietary information, or other resources in a physical form in their home workplace.
d. No consumer in-person visits by WFH employees whether at the employee’s home or the consumer’s. If conducting collections, state laws generally prohibit WFH employees from disclosing to consumers that they are working remotely, that the remote location is a place of business for the company, and they may neither invite consumers to their homes to conduct business nor vice versa.
Written Information Security Program (“WISP”)
Under a wide range of federal and state laws, companies handling consumers’ nonpublic information are expected to maintain a written information security policy or plan and to enforce it. The features a WISP must contain include, but are not limited to, the following:
a. Access to any technology systems must be through a virtual private network or similar that uses multifactor authentication, data encryption, and frequent password changes (and complex passwords), and that automatically locks an employee out of their account if suspicious activity is detected;
b. Updates and repairs to the security network or system must be accounted for and procedures must be documented to assure current security technologies are used;
c. Any consumer data must be stored on designated drives that are safe, secure, and expandable;
d. Antivirus software and firewalls, and other reasonable software and hardware protections must be incorporated in any electronic devices WFH employees use;
e. Employees should be prohibited from accessing any company data, systems or resources with electronic devices used for personal purposes;
f. Any unusual, suspicious, or unexpected uses or disclosures of consumer or company data must be reported immediately to the employer, especially if such a circumstance is required by law to be reported;
g. Protection for data during a natural disaster or other emergency that has the potential to impact the data or devices of the company at a remote location – and the recovery of such data after the disaster or emergency has passed;
h. Specific procedures for the secure retention of and destruction of data consistent with applicable laws and regulations;
i. Commitment to performing regular risk or gap assessments concerning the protection of consumers’ data and plans to implement updates and improvements based upon the results of the risk or gap assessments; and
j. Controls to assure that specific employees’ permissions or access to particular data, systems, and resources are changed or terminated when those employees are no longer employed by the company or are in new roles – and that former employees are no longer able to access any company (or client) systems or assets.
Oversight and Management of WFH Employees
Regulators expect companies to maintain a robust oversight and management program of WFH employees and their work. Features of the program should include but not be limited to:
a. Ongoing training, meetings, and engagement and accessibility of supervisors or other resources to meet work responsibilities;
b. Recording calls and all work done servicing consumer accounts in the company’s information systems, and retaining all call recordings for not less than four years – other records potentially longer per applicable state and federal laws.
c. Monitoring in real-time WFH employees’ calls and activities on a regular and meaningful basis.
d. Assuring employees are providing consumers with the company’s proper address, email address and other contact information.
e. Publishing appropriate company addresses to the public, not WFH employee addresses, in any marketing materials.
f. Maintaining current records of WFH employees, their approved WFH locations, equipment assigned to them or made available by the company for their use, job descriptions, or other descriptions of work WFH employees are authorized to perform from their WFH locations;
g. Monitoring WFH employees to ensure they are working remotely without acting in any illegal, unethical, or unsafe manner.
h. Performing a review of all the policies and procedures governing remote work not less than annually for compliance with changing federal and state laws.






