Does your company have a biosecurity policy for when the quarantine lifts?

I’m a company builder. By day I run Super Evil Megacorp, a game company. By night I sleep better by thinking about ways that I can help with the COVID-19 crisis.

At the start of March, we shared our remote first bible to help other companies preparing for COVID-19 scenarios. Two weeks later I shared an open source business plan for one way that a startup could help society get out of the coming mess. That led to the founding of Primary —a group of volunteers building community-wide COVID-19 test operations for community-wide efforts like testingbolinas.org.

Now, as talk is turning toward re-opening the economy, it’s worth spending time thinking about what company biosecurity should look like after. Some assumptions:

• COVID-19 is widespread in the San Francisco Bay Area. A new Stanford study of Santa Clara county has shown SARS-CoV-2 antibodies to be present in 2.5% -4.2% of the population or 48,000–81,000 people. 50–85x more than official numbers (1,870 today) indicate. This is very likely the case also elsewhere.
• The COVID-19 immunity status after recovering from the disease is uncertain. 163 cases of relapses emerged in Korea in 10 days after similar reports from Japan and China previously. The WHO has warned antibody testing is still immature and not a reliable indicator of immunity.
• “Flattening the curve” considerations aside, COVID-19 can hit your workforce hard even if it is mostly young. While the case fatality rate is concentrated in the over-65s, the young can get very sick for weeks and a substantial portion require hospitalization. The Spanish data set of over 135,000 infections tells a clear story. COVID-19 is not the flu.
• Biosecurity will be everyone’s responsibility. Given the experience so far, it seems unrealistic for those of us in USA to expect the kind of centrally coordinated, large scale test-trace-isolate policies that we have seen elsewhere that would lift this responsibility from other organizations.

So, how should companies think about biosecurity if and when shelter-in-place lifts? What is best for the welfare of our teams? How do we balance that with what is best for business in terms of productivity? What about controlling for the catastrophic risk of an asymptomatic super-spreader accidentally infecting the entire company or members of the broader community? What is our legal liability if we get this balance wrong?

Facebook recently announced their policy of gradually returning to work at the earliest end of May and canceling gatherings over 50 until June 2021. Today, Stanford Hospital staff are subject to a temperature check, a symptoms questionnaire, and a mandatory a face mask before they are allowed to enter a building. Those are two examples. But as soon as quarantine orders lift, we ALL end up setting biosecurity policies for our businesses — explicitly or implicitly. We will need to tell our teams something about rules around entering the office, physical proximity, wearing of masks, washing of hands, what to do if you have symptoms, external meets, how to handle office cleaning and so on.

Attempting to correctly weigh the welfare of employees, business continuity and the community is difficult and not something most of us are qualified to do. Yet every single company must do this.

We all need a biosecurity policy now.

Over time, we will likely end up developing a sophisticated set of biosecurity levels that look something like this

• Biosec 5 : Everyone works from home, no contact allowed (where we are today)
• Biosec 4 : Offices remain closed, but in-person meets of less than 5 people are allowed with an agreed symptoms/test protocol* and mandatory face masks and cleaning/disinfection protocol**
• Biosec 3 : The office is open, but the company is divided into micro-segmented groups of ~10 who can work together provided they wear face masks and follow the symptoms/test protocol and an office cleaning protocol. They can never meet others from a different segment. No external in-person meets allowed. If anyone gets sick, the segment as a whole works from home for two weeks.
• Biosec 2 : Same as Biosec 3, except segments of ~100 can now work together wearing face masks, small external meets allowed but logged.
• Biosec 1 : Testing continues upon entry, but no restrictions on interactions or meetings.
• Biosec 0 : No testing, no restrictions.

*Symptoms/Test protocol : protocol will involve some mix of self reported temperature / symptoms check, or possibly an administered antibody or pcr test combination.
**Cleaning/Disinfection protocol : likely follow the CDC guidelines for cleaning and disinfection.

These are just my guesses for where this will land. I will be evolving our concrete policies over the coming weeks. The science and probabilistic maths are both beyond my capabilities. But absent guidance we will figure them out as a company and I believe the principle is sound regardless.

Most importantly, whatever any of us as companies do when the shelter-in-place order lifts, we will have implicitly set something like one of these biosec levels in place. This is an effort that should be coordinated and informed by science, public health rather than every management team’s gut.

This post is a call for :

1. Explicit policy guidance on company biosecurity levels based on the latest science and local disease statistics. We need a shared, clear vocabulary around expectations of how companies protect employees, and what the corresponding risk levels are and how liability is handled. The Governor’s office, CDC and equivalent bodies internationally should take the lead.
2. An open discussion among companies, policy makers and public health professionals for how to manage all aspects of this process, to protect our teams, protect the vulnerable and best help kickstart the economy. If official policy is late, informal coordination based on the best ideas is much better than nothing.
3. Private biosecurity companies that can help companies implement and operate testing, monitoring and cleaning protocols to help better protect employees.

Our biosecurity policy at Super Evil Megacorp will remain at “Biosec 5” for the foreseeable future. We will continue to invest in our remote first culture and think through what safe lower biosec levels would look like for us while the fog of war clears, which may take a while. We will then look to evolve a set of biosec levels over time. This “take our time” strategy will not be an option for all companies. And eventually even we will want to spend time with each other in the same physical space.

However we decide this now. I believe a biosecurity protocol of this kind will likely be one of the things that will survive well beyond the COVID-19 epidemic. I believe it will something you sign up to, alongside information security and physical security policies. After COVID-19 we will use it in a lighter way to keep our teams healthier, mitigate influenza epidemics and — in hopefully a long time — be ready for other pandemics.

Given COVID-19 is here to stay at least for a while, we need the foundations of this in place today. We need it, our teams need it, healthcare workers need it and the vulnerable in society need it.

Does your company have a biosecurity policy for when the quarantine lifts?