A cyber attack knocks out work; what about continuing to pay wages?

While most companies are quietly recovering after all the difficulties brought on by the pandemic, VDL suffered another blow. Due to a cyber attack, one of the largest employers in the Netherlands was down for days. Some of the more than 15,000 employees were unable to work as a result. Reason enough for VDL to appeal to its employees. Among other things, the company has asked whether they wish to take extra vacation days and/or adv days from November and December can be brought forward. In addition, VDL wants to include hours not worked in a "hours bank. These hours would be saved there, to be made up later. From VDL's position, these proposals are very understandable, but what is the legal situation?

Legal risk allocation

Until Jan. 1, 2020, it was true that the employee retains his right to wages if he cannot perform that work due to a cause that should reasonably be borne by the employer. Since this change in the law, the risk distribution has been reversed and the employee retains his right to wages unless the failure to perform the work should reasonably be for his own account. Very little matters for this situation. Under the old regime, a cyber-attack would probably have been considered a risk that had to be borne by the employer. Under the current legislation, the same is true. A cyber-attack is not for the employee's account, after all, the employee cannot do anything about it, so the employee retains the right to wages if he cannot perform work because of the cyber-attack.

What about vacation and adv days?

The mandatory taking of vacation days is something the employer cannot simply require of an employee. It may be the case that the employment contract or collective bargaining agreement stipulates a number of mandatory days off. However, unilaterally changing primary terms of employment beyond that, which includes vacation days, is very difficult for the employer. There must be such an overriding business interest that the employee's rights are pushed aside, so to speak. Moreover, it is hard to imagine that an arrangement to take vacation days would be enforced to solve a (if properly) temporary problem.

In this situation, the right to adv days is regulated by the collective bargaining agreement. The works council often has the right of consent when adv days are changed. Depending on how exactly this is regulated in the CAO, it could be that there is also the possibility to reschedule adv days with the consent of the works council. If the collective bargaining agreement does not provide anything about this, then VDL will have no basis on which to act. The management can then still try to move the adv days with the consent of the works council. However, an individual employee might find it easier to object to such a decision.

Saving up hours for later

For the plan of a time bank, it is unclear whether a basis for this can be found in the collective bargaining agreement. Even with that basis (if the collective bargaining agreement believes it is allowed), there will have to be consent from the works council to set up such a construction. In addition, this is probably a short-term period without work, only for the period when parts of the company are down due to the cyber-attack. It is different in a case like corona, where it is clear that certain groups cannot work for a much longer period of time. So it is very questionable whether a works council would agree to a bank of hours. Its usefulness is then highly questionable for the long term.

Conclusion

For a company, the options for taking measures for a temporary work stoppage, such as a cyber attack, are legally limited. Therefore, VDL's initial appeal to employees to cooperate voluntarily is also logical and probably the most effective in the short term. That seems to be the best chance for the company to get out of this crisis situation in the best possible way. Moreover, employees also have every interest in keeping the (financial) damage to VDL limited.