Across the United States and the world, businesses are closing their doors and moving to remote work to help minimize the spread of COVID-19. Many of these closures have been abrupt, unexpected, and, in some cases, chaotic. As famously stated in Sun-Tzu’s The Art of War, “In the midst of chaos, there is also opportunity.” That statement perfectly describes the cybercrime and ransomware community’s response to this pandemic. Emails promising vital information about keeping safe from coronavirus or links to maps of the infection rate instead push malware, steal passwords, or spread disinformation from hackers working for nation-states.[1] More than ever, it is vital that companies work with their now-remote employees to ensure that the more relaxed dress code of the home office does not lead to a more relaxed approach to data privacy. In-house counsel should also ensure that the increased security measures and policies responding to the COVID-19 threat will not expose the company to increased legal and regulatory liabilities. Whether you started remote working today or three weeks ago, there are many things companies can do to maintain security while employees work from home.

1. Keep remote work policies up to date. If you do not have a remote work policy, create one.

Remote work policies are policies that establish how employees can work from locations other than the office. They frequently address best practices while telecommuting, required equipment, and the employee’s legal rights. If not adequately addressed by a company’s IT policies, the remote work policy should also cover safe use of electronic devices and whether company equipment will be provided for remote work. If company equipment is not provided and employees will need to use their own computers, the remote work policy should also address policies for accessing company data on the employee’s personal electronic devices (i.e., a “Bring Your Own Device” policy). A remote work policy should be reviewed regularly and kept up to date.

Many companies switching to remote work have never had remote workers before. For those companies, a remote work policy is even more crucial. Employees who have never worked at home before are moving into a working situation that is unfamiliar and distracting. Remote work policies help establish the company’s expectations for employees during remote work and reinforce that work done at home is still work.

2. Invest in IT infrastructure and staff.

With the passage of new benefit laws and decreased revenues, it is tempting to look anywhere and everywhere for places to make cuts. Cuts to IT support and staff should be a last resort. Whether more employees are working remotely than ever before or this is the first time the organization has done remote work, IT resources are more likely to be strained. Reduced staff and added distractions can lengthen monitoring and response times, which leaves organizations more susceptible to hacking and other attacks. Strained staff may also procrastinate on necessary patching and maintenance, which leaves networks open to hackers.

3. Limit access to the company network on a “need to know basis”.

Before immediately putting all employees on the company network, the company should ask whether each employee needs access to do their work from home. If access is not necessary, then that employee should not be given access. For those employees that will be accessing the network, access should be limited to only the information they need to perform their jobs, and the company should confirm that they are accessing the network in a secure manner. Steps employees can take include but are not limited to the following:

    • Employees should be accessing the network only on a secure WiFi connection, meaning that their WiFi should be password protected with a strong password. Public, open-access WiFi networks should be avoided, and the company should consider blocking access when the device is connected to public WiFi.
    • Connection to the network should be done through virtual private networks secured with strong multifactor authentication.
    • If the employee is using their own computer, then the computer should have antivirus software installed and updated frequently.
    • “Remember password” functions should be turned off when employees are logging into company networks from their personal devices.
    • Employees should not download or save company information to their personal devices or cloud services like Dropbox. Company information also should not be emailed to personal email addresses.
    • Restrict use of company-owned equipment to the employee only. The computer should not be shared with anyone else in the home, regardless of relationship or age.

4. Update the incident response plan to address remote work.

If a breach occurs, it is critical that there be a plan in place for detecting, containing, and recovering from a cybersecurity breach. The incident response plan is that plan, and it helps ensure that the organization responds in an orderly and effective way. Breaches are painful and expensive enough, but companies that do not take the appropriate steps to respond may find themselves open to regulatory penalties, lawsuits from affected persons or shareholders, and denials of coverage by insurance companies.

Not only does the plan identify the steps to be taken, the plan will also identify the team of people responsible for executing the plan. The response team is an interdisciplinary team formed of representatives from several departments including IT, management, public relations, human resources, and legal. With everyone working remotely, it is important that the team is ready to respond should the need arise. The incident response plan should be reviewed carefully to ensure those people are properly identified. Confirm with those individuals that they are aware of the requirements of that role. If your organization does not have an incident response plan, reach out to your privacy counsel to create one.

5. Ensure compliance with applicable laws.

Privacy regulations have not been relaxed during this time. In fact, many privacy law regulators are seeing the increased data collection from employees (e.g., temperature scans to keep out sick employees) as justification for more regulation and enforcement. Despite pleas from industry groups to delay its enforcement, the California Attorney General will not be delaying the enforcement of the California Consumer Privacy Act.[2] The European Data Protection Board released a statement on March 19, 2020 confirming that the EU General Data Protection Regulation does not allow non-compliance for exceptional circumstances.[3] We have previously written about the relaxation of some HIPAA requirements to support increased telehealth,[4] but HIPAA’s other requirements will still apply. Guidance has been released by the Department of Education regarding online teaching while maintaining compliance with the Family Educational Rights and Privacy Act.[5] If a data breach is suffered, data breach notification laws in all 50 states are still effective.

The point is that there has been no change to an organization’s obligations to maintain privacy law compliance, and the shift to remote work may make that compliance more challenging. Care should be taken to ensure that employees are maintaining any compliance-based measures while they work from home.

6. Remind employees frequently of privacy obligations.

The home can be a more relaxing environment for work. There’s no commute, and bathrobes are acceptable work attire. But the home can also be a more distracting workplace. Children are home from school, parents take on new homeschooling obligations, and those with small apartments and homes may struggle to find a location to work without interruption. Cabin fever and the never-ending news cycle also raise anxiety levels. Distracted and anxious employees working in a more informal atmosphere are more likely to make mistakes that could inadvertently expose data. Human error is the leading cause of data breaches, and the new work from home policies increase that risk.

Even more so than usual, employees should be frequently reminded about their obligations to maintain data privacy and the security of company information. Remind employees of the types of information that they need to safeguard. Typically this includes confidential business information, trade secrets, intellectual property, customer lists and information, privileged documentation, employee information, and other personal information, but each organization should make its own list. Employees should be sure to only access this information when they can expect it will be kept confidential. They should not print out confidential information and leave it in the house where it can be viewed by other household members or visitors. A screen displaying confidential information should never be left unattended and viewable to others.

Employees must also be on guard against phishing attempts. While exact numbers vary, information security professionals have reported an over 600% increase in phishing emails since the end of February 2020.[6] Many of these emails seek to capitalize on the widespread knowledge of COVID-19, fear and anxiety about the virus, and the willingness of people to try to help the less fortunate. In addition to lures to click links for more information about the pandemic (which instead cause malware to be downloaded), there are also emails advertising cures or face masks, solicitations to invest in companies working to produce vaccines, and calls for donations to charities supporting victims. Employees are currently at their most vulnerable and are more likely to click on questionable emails when anxious and unfocused. It is not enough for organizations to rely on technology and IT alone to maintain security; training and human awareness of the threat are critical. Organizations should consider holding mandatory remote training sessions on recognizing threats and phishing attempts in addition to sending frequent reminders.

Remote work is a new experience, which can be exciting but also presents significant challenges. Businesses can keep going during stay-at-home orders, but a good plan for how that work will be conducted securely is essential to a successful telecommuting workforce.

********************************************************************************************************************

[1] Dan Goodin, “The Internet is drowning in COVID-19-related malware and phishing scams”, Ars Technica, Conde Nast (https://arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/); Jessica Kim Cohen, “Hackers taking advantage of COVID-19 to spread malware”, Modern Healthcare, Crain Communications, Inc. (https://www.modernhealthcare.com/cybersecurity/hackers-taking-advantage-covid-19-spread-malware).

[2] Natalie A. Prescott, “COVID-19 Will Apparently Not Delay CCPA Enforcement”, The National Law Review, National Law Forum (Mar. 26, 2020) (https://www.natlawreview.com/article/covid-19-will-apparently-not-delay-ccpa-enforcement).

[3] “Statement on the processing of personal data in the context of the COVID-19 outbreak”, European Data Protection Board (Mar. 19, 2020) (available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf).

[4] Jessica Engler & Jennifer Jones Thomas, “HIPAA Privacy Rule Regulatory Response to COVID-19”, Louisiana Law Blog, Kean Miller LLP (Mar. 22, 2020) (https://www.louisianalawblog.com/covid-19/hipaa-privacy-rule-regulatory-response-to-covid-19/).

[5] “Resources”, U.S. Department of Education, StudentPrivacy.ed.gov (last accessed Apr. 2, 2020) (https://studentprivacy.ed.gov/resources).

[6] Phil Muncaster, “#COVID19 Drives Phishing Emails Up by 667% Under a Month”, InfoSecurity Magazine, Reed Exhibitions Ltd. (Mar. 26, 2020) (https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/).