Enabling work from home is a solid start to managing your organization’s COVID-19 risks.  Yet, while it resolves some issues, it raises others.  Before providing remote access to the company’s IT systems and digital assets, consider the privacy and data security implications of telework.  Here are a few top-of-mind considerations:

Keep Calm and Carry On with Your Privacy and Security Policies

Raise awareness without increasing stress.  Provide actionable ideas for safeguarding business and personal data when working at home.  For instance:

  • Re-read policies relating to remote access, including acceptable use of company assets and information and use of personal devices for work (“BYOD”).
  • Need to work with others?
    • Use IT-approved collaboration and conferencing apps or services.
  • Need to transfer or store data files?
    • Use IT-provided cloud storage services – not personal accounts (e.g., Google Drive, Dropbox, OneDrive).
    • Avoid personal email for transmitting confidential company or personal data.
  • Need to take home devices, data, binders, and files?
    • Don’t over collect. Take only what’s necessary.  Return for other items as needed.
    • Be sure all laptops, devices, and flash drives are encrypted.
    • Keep confidential information out of sight from unauthorized individuals.
    • Lock screen when away from the computer.
    • Secure company property against theft or unauthorized access.
  • Need to print?
    • Print only as absolutely necessary and keep all paper with confidential information secure and out of sight, until it can be brought back to the office.
  • Is Alexa listening?
    • Disable or modify use of home digital assistants (e.g., Alexa, Siri, Google Assistant) to prevent active listening to or recording of confidential business calls.
  • Need to use a personal device?
    • Limit local file storage to a single folder and delete the folder once files are transferred back to company systems.
    • Clear out the “downloads” folder daily.
    • If using home Wi-Fi, ensure that the router is password-protected (and use your own strong, unique password – not the factory settings).
    • Avoid public Wi-Fi.

Beware of Business Email Compromise (“Phishing”)

Coronavirus opportunists and scammers abound, as explained in this Federal Trade Commission bulletin.  Alert both executives and frontline workers to the increase in phishing scams and what they can do to fight back:

  • Before clicking on links or opening attachments, independently verify (i.e., not via contact info found in the suspect email itself) the source of any unexpected email that:
    • prompts entry of username and password or the download or execution of certain documents or software;
    • requests transfer of protected personal information such as SSNs, bank information, HR info and tax documents, or health information; or
    • directs the transfer of money, whether by requesting wire transfer, changing previous wire transfer instructions, or directing the purchase of gift cards and subsequent disclosure of their security codes.
  • Watch for lookalike domain names in emails that otherwise appear to come from known colleagues or superiors (“spoofing”).
  • Use complex, randomly generated passwords or unique passphrases; and use an IT-approved password manager to keep them secure instead of recording them on a “sticky note” or elsewhere.
  • Promptly report suspicious emails and potential privacy or cybersecurity incidents.

Provide Workers with Secure Remote Connection and Monitor Remote Access

Many of the foregoing measures will be meaningless without a secure (encrypted) connection to the organization’s computer systems.  An enterprise virtual private network (“VPN”) effectively provides an encrypted “tunnel” from the employee’s Internet-connected device to the employer’s network.  Alternatively, where certain roles require access to only certain internal web-based or “cloud” applications (as opposed to the entire internal network), the employer can provide access to such applications via a secure web portal where remote users can authenticate.  A few additional considerations:

  • Regardless of type of remote connection, implement and require the use of multi-factor authentication for email and other network logins, which is the number-one defense against the phishing risks described above.
  • Just as we see increased Coronavirus phishing attempts, anticipate increased hacking and intrusion attempts.
  • Equip IT security personnel to ramp up review of access logs, attack and intrusion detection, and incident response and recovery.
    • Be extra diligent to keep up with patches and updates to VPNs and other remote computing software.
    • Test capacity. How many remote workers can your systems handle?
    • Finally, outside threats are one thing, inside ones another. Beware employees exporting trade secrets under the guise of materials needed for working at home.

Remote working raises additional employment law issues that are separate and distinct from privacy and cybersecurity.  For additional information on this and other workplace legal issues arising out of the COVID-19 pandemic, please see our March 13, 2020 Client Alert, “Advice for Employers Amid Growing Coronavirus Concerns.”  We continue to monitor and analyze issues related to the pandemic and will update clients accordingly.

If you have any questions or would like additional information, please contact any member of our Privacy and Data Security team:

Sherwin M. Yoder, CIPP/US, CIPP/E, CIPM

Direct: (203) 784-3107; Mobile: (203) 232-0932; syoder@carmodylaw.com

Jennifer A. Calcagni

(203) 575-2648; jcalcagni@carmodylaw.com

Damian K. Gunningsmith

(203) 784-3185; dgunningsmith@carmodylaw.com

Mariella LaRosa

(203) 575-2654; mlarosa@carmodylaw.com

Todd Michaelis

(203) 578-4287; tmichaelis@carmodylaw.com

Tamara Nyce

(203) 578-4275; tnyce@carmodylaw.com

Arthur G. Schaier

(203) 575-2629; aschaier@carmodylaw.com