Celine Guillou

With many employees primarily working remotely, now more than ever organizations must heighten their security measures and monitor how employees connect to the workplace and the devices they use. As IT teams scramble to ensure that all of their employees can connect remotely and remain productive, while malicious players increasingly seek to exploit increased vulnerabilities in this age of Working From Home (“WFH”), some of the most obvious risks should not be overlooked. We discussed these risks in a recent post available here. To summarize, organizations must consider the risks associated with the use of personal devices for WFH, proper WiFi and the need for VPNs, and communication channels to transmit confidential information – all of this in the context of ever-changing and more sophisticated malicious attacks.

As part of addressing the risks of remote work, it is essential to put in place internal policies that set expectations and ensure that these policies and rules are followed. Some policies, also commonly referred to as “BYOD” policies, are intended to inform workers of what they can and cannot do when using their personal devices for work-related purposes. Other policies apply to devices that are provided by the employer. In either case, spelling out specific guidelines and obligations for WFH is very important to set expectations and minimize risks. The following is a high-level breakdown of some of the key points that should be addressed:

  • Security. The security of your organization’s information (which also includes personal information of users and/or customers) should be top of the list, whether the device being used is a company device or a personal device. Establish a list of authorized devices and operating systems, and include language addressing WiFi and VPNs, encryption standards, password and MFA? requirements, anti-malware software, and remote wiping (just to name a few), as well as other company-mandated security settings. Specifically, with respect to personal devices, your policy should require employees to update operating systems and applications, segregate personally-owned data from company-owned data. Conversely, the policy should outline employees’ obligations to prevent the deletion of proprietary, company-related data. And when it comes to protecting the company’s proprietary information (and any personal information of employees, users and/or customers), it is critical that employees understand their obligation to immediately notify the organization in the event of a compromised, a lost or stolen device or any other suspected or known unauthorized access.

  • Define proper communication tools. There are so many communication tools available today to replace in-person interactions, but having too many can create problems. Organizations should evaluate and define acceptable communications channels in order to ensure proper security and create a uniform and efficient communication protocol. This means taking stock of existing communications channels and tools, as well as defining when it is appropriate to use each tool. This not only ensures higher security (assuming the security of each acceptable channel has been evaluated) but also reduces dispersed communications that lead to inefficiency and potential security risks. For instance, a policy may list acceptable communication channels such as company email for most communications and secure document transfers, company intranet for internal resources, a reliable video-conferencing tool for virtual meetings and a secure messaging platform. Bear in mind that the more confidential the communication, the more important it is to assess the security of third-party communication platforms. For instance, some companies may ban the use of Google Docs for security reasons, and recently, others have switched away from  Zoom, which has come under attack in connection with its privacy and security practices. Ensuring that your organization’s IT and legal teams work closely together to audit communication tools and manage expectations will help identify and minimize these increasing cybersecurity risks.

  • Education. Educating employees so that they understand privacy and security implications that come with working remotely is often overlooked, and yet it remains an important way of mitigating risks. This is especially true when a workforce is dispersed and in-person security management is more challenging. Phishing scams relating to COVID-19, for instance, are on the rise, but many people would not know how to recognize one. While it may be difficult to achieve this in a policy due to the ever-changing nature of malicious attacks, providing some general insights along with regular updates is recommended. Likewise, where employees handle the personal information of users and/or customers, they should understand the privacy implications and what rights individuals may have. In some cases, this is legally mandated (e.g., CCPA).

  • Spell out enforcement and cooperation. A policy should state that compliance with the policy will be monitored and audited while addressing what disciplinary actions may result from for violation of the policy. In addition, where personal devices are used, a company should notify employees that the organization may have access to personally-owned data, and to that end, specify what expectations of privacy employees may have. The policy should also retain the ability to wipe a device, and thus recommend that employees using personal devices back up their personal data so that it is preserved in the event that the device must be wiped.

Other considerations may also be addressed in accordance with the company’s internal processes and security programs, but in all cases, drafting a policy should be a joint exercise between legal and IT, to provide a comprehensive road-map to employees. In all cases, any such policies must require employees to acknowledge that they have read and agree to the policy: beyond ensuring that policies are actually read and complied with, in the event of an audit or even litigation, having a record will no doubt come in handy.

Please reach out to any of our privacy attorneys if you have further questions. To stay up-to-date with the latest legal issues regarding COVID-19 please visit the Hopkins & Carley COVID-19 Resources page.