Exabeam CEO On Coronavirus: ‘You Don't Want To Be The Company That Got Somebody Infected’

Here’s how Exabeam CEO Nir Polak took on legal, medical and communications challenges after four of his employees who attended RSA Conference contracted coronavirus, one of whom required hospitalization.

Nir Polak was waiting for his son to ski down a double black diamond slope in Park City, Utah on March 7 when his phone buzzed.

Everything changed for the Exabeam CEO after receiving that text.

Polak had gotten wind March 2 that a couple employees of the San Mateo, Calif.-based SIEM (Security Information and Event Management) startup were experiencing flu-like symptoms after attending RSA Conference, the world’s largest cybersecurity event. Exabeam’s human resources department instructed the employees to get tested for coronavirus and inform the company of their results.

[Related: 5 Things To Know About The Exabeam Coronavirus Cases At RSA Conference]

But for days, there was radio silence.

An Exabeam Senior Security Engineer named Chris Tillett visited his medical service provider in Connecticut three times that week to request a COVID-19 test. Each time, Tillett was sent home empty-handed.

It wasn’t until Tillett was admitted to the Emergency Department (ED) of Danbury (Conn.) Hospital on March 6 that he received a test for coronavirus. The following day, Exabeam’s head of human resources texted Polak while he was in Utah to inform him that Tillett’s test had come back positive.

“You don’t want to be the company that got somebody infected who then met their elderly parents,” Polak told CRN. “So the instinct was – no matter what kind of negative PR publicity we could get – we have to get this info out.”

Within 20 minutes, Exabeam’s human resources department had sent an email to the company’s entire 500-plus person workforce letting them know that an employee who had attended RSA Conference a week-and-a-half earlier had tested positive for coronavirus. Exabeam employees were told to shelter in place and cancel any and all future travel, Polak said.

A colleague who had been in contact with Tillett at RSA Conference used the email sent by Exabeam to at last secure a coronavirus test for themselves. On March 8, that test came back positive. Then four or five days after that, coronavirus tests came back positive for two additional Exabeam employees who attended RSA Conference and also used the company email to secure themselves a test.

Shortly after learning of Tillett’s diagnosis, Polak’s family watched him pace around the gate area of Salt Lake City International Airport as he grew increasingly agitated. An agency specific to the San Francisco area had told Exabeam not to communicate news of Tillett’s coronavirus diagnosis beyond the company, presumably because they didn’t want to start a panic given the shortage of tests in the area, Polak said.

Exabeam retained outside legal counsel to assess what risk the company would be assuming if it disregarded the government agency’s recommendation and sent an email to anyone who might have encountered Tillett during the RSA Conference without getting permission. While speaking at the airport, Polak urged Exabeam’s human resources leader and inside legal counsel to do the right thing.

“’This makes no sense. We have to let people know. We have an obligation to these people and the health of the community,’” Polak recalled telling his team. “And a lot of swearing went on that call because it was very frustrating.”

Polak’s flight had touched down in San Francisco when he officially got a note from Exabeam’s legal counsel. They indicated the company would be taking a risk by sending the email against the agency’s recommendation, but were advised by outside experts that nobody at the company would be in jeopardy of going to jail or anything like that.

“And we just said, ‘OK, if the risk isn’t insane, we should take the risk and send it without permission,’” Polak recalled. And so the email went out March 10 to anyone that might have encountered Tillett or his colleague during the RSA Conference.

Exabeam was quickly inundated with a barrage of inquiries from other companies who had attended RSA. They had a list of everybody from Exabeam who their employees had met with during the show, and wanted to know if anyone on that list had tested positive for coronavirus.

For three or four days, Polak said Exabeam was in “communications crisis mode” fielding all these requests for information as other cybersecurity CEOs attempted to assess the risk to their own organization. Exabeam had determined that under HIPAA, the company was able to respond to these requests with “complete transparency” and provide a yes or no answer, according to Polak.

Within Exabeam, Polak said emails were sent to employees every single morning and evening discussing what workers should do if they feel ill and providing updates on how the four employees who tested positive for coronavirus were doing. Within a week of Exabeam’s mass email, much of America was under shelter in place orders, so the company’s employees were in sync with the rest of the country.

“It’s very important to have a constant communication with different constituents, whether it's your employee base or your customers,” Polak said. “People just want to know; they want to hear from you frequently. Even if you don't have a lot of updates, you have to continue to update them.”

The other key responsibility for Exabeam was taking care of Tillett and the other three employees who had been diagnosed with coronavirus. Tillett’s wife Elizabeth was stuck at home with twin infants while her husband was in an induced coma and having new drugs tested on him that hadn’t been clinically trialed, according to Polak.

Given the experimental nature of the drugs, Polak said it was unclear whether these medications would be covered under insurance or not. As a result, Exabeam told Elizabeth Tillett that the company would cover any out-of-pocket medical expenses for her husband, and had the company’s human resources team assist Elizabeth with filling out all the insurance paperwork.

Polak said that he, human resources and Tillett’s direct supervisor were in regular contact with Elizabeth by phone and text throughout Chris Tillett’s hospital stay. Around March 20, Exabeam received a note from Elizabeth that Chris had woken up from his coma, and Tillett called his direct supervisor to speak over him over the phone.

“Everyone was very happy and glad,” Polak said. Tillett is currently home from the hospital and taking some time to recuperate before reentering the workforce, according to Polak.

The other three Exabeam employees who tested positive for coronavirus did not need serious medical attention, and are all now fully healthy and back to work, Polak said. They were able to take advantage of the company’s existing leave policies and received their full salary during their time out of work, according to Polak.

Since their families were in lockdown mode, Polak said Exabeam tried to help the families by sending over games and video games to help keep the spouse and kids entertained while the Exabeam employee was resting and recovering.

“People see your true colors at a time of crisis,” Polak said. “I think it was good for the employee base to see us communicating openly and transparently and doing the right thing.”