Penetration testers and infosec consultancy firms alike could find themselves in a costly legal bind

Concerns have surfaced that the application of new Californian labor law designed to prevent the exploitation of gig workers could have catastrophic results for cybersecurity consultants in the US state.

California’s Assembly Bill 5 went into effect on January 1, 2020. AB5 requires companies to perform a so-called ‘ABC’ test to determine whether or not workers are employees. Independent contractors must check all of the ABC boxes, as explained below:

A: The worker is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of the work and in fact;
B: The worker performs work that is outside the usual course of the hiring entity’s business;
C: The worker is customarily engaged in an independently established trade, occupation, or business of the same nature as that involved in the work performed.

The state’s labor department uses the example of a plumber visiting a retail store. As fixing a leak is outside of the “usual course of business” for the retail outlet, the plumber is considered a contractor and not an employee.

In the case of ride-hailing services such as Uber or Lyft, however, driving people from place to place is the core business. These companies consider their workers as independent contractors and do not offer employee status, protections or paid time off work. The treatment of workers means that the firms don’t pay employee tax either.

The bill came into existence in California with the aim of forcing companies including Uber and Lyft to change how they view their labor pool.

Now, even if federal law does not consider a gig worker to be an employee, California may do so.

Easy as ABC?

AB5 is considered controversial because ride-sharing drivers are far from the only workers who may be affected: freelancers, small businesses, and consultants are also feeling the sting.

Vox Media has eradicated its pool of Californian freelancers. SMBs and the self-employed fear that contract offers will dry up as clients shy away, prompted by the fear of misinterpreting the law and ending up with civil penalties of between $5,000 and $25,000 for each violation.

AB5 is under a temporary restraining order issued by Judge Roger Benitez of the US Southern District Court to stop the trucking industry from grinding to a halt.

Infosec concerns

As the ramifications of the bill extend deeper into other industries, similar appeals to the court system may follow suit.

Cybersecurity could be one such industry to fight back. A discussion on Twitter, prompted by Dan Tentler, founder and CEO of California-based Phobos Group, has highlighted a number of concerns.

The main point of contention is item ‘B’ in the ABC test, in which an independent contractor is someone who “performs work that is outside the usual course of the hiring entity’s business”.

Tentler told The Daily Swig that his primary line of business is consultancy, and that AB5 will prevent him from “hiring security consultants to help us with our work when we need to scale up resources for larger engagements”.

This may also impact bug bounties, as vulnerability discovery could be considered the “usual course of business” for any infosec-related firm.

However, not everyone agrees. Ben Katz, ISPolitical architect, said on Twitter that the law would not necessarily require cybersecurity firms to hire external help as full-time employees and would be unlikely to have any real impact on the infosec market.

In response, Tentler summarized his view on the law: “This law has just f****d me. With a truck. It flatly says, ‘Your security company can’t hire security consultants because they do the same thing you do’.”

One way to avoid scrutiny and falling afoul of the labor laws is simply not to use Californian freelancers – a catastrophic prospect for infosec workers in the Golden State.

Another is to “LLC up”, Tentler says, which would allow freelancers to offer their services through a legal entity (effectively, a business with a sole trader) rather than as individuals. This approach, however, requires an annual fee of $800.

Unintended consequences

Running a limited company, even as a sole trader, is a common practice in the UK, but in California running a single-person LLC is a more complex legal matter, as personal and business assets – and, importantly, debts – are not separated.

Another option is to form an S-Corporation, but according to Tentler, overheads are high and this may not be palatable to many infosec freelancers, especially if they are only looking for the occasional side project or consultancy gig.

“I just wish the authors of AB5 took some time to consider the ramifications of what they were doing,” Tentler told us.

However, Tim Mackey, senior principal consultant at the California-based Synopsys Cybersecurity Research Centre (CyRC), sees an opportunity for consultants in AB5.

“As a business, you are free to invest in your skills independent of what your current customer base expects,” Mackey says.

“In essence, true differentiated infosec businesses become a force delivering unique value not typically found on an internal team. This is the real opportunity for infosec consultants seeking greater flexibility and profit from their efforts.”

When contacted and asked repeatedly for clarification on this issue, California’s labor department referred us to an online FAQ.

The Daily Swig contacted several other cybersecurity companies in California, none of which were willing to comment.
