August 3, 2020

Volume X, Number 216


Coronavirus (COVID-19): Managing Cyber Security Risks of Remote Work

With cases of the Novel Coronavirus (COVID-19) emerging in nearly every state, many businesses are taking swift action in an effort to curb its spread. Teleworking, “remote working,” or simply “working from home,” is a centerpiece of those efforts. While remote working arrangements may be effective to slow the community spread of COVID-19 from person to person, they present cybersecurity challenges that can be different from those of on-premises work. Below is a list of considerations and tips to help guide businesses through these challenges.

Policy:  

Review your current information security and other similar policies to determine if there are any established security guidelines for remote work and remote access to company information systems. Some organizations may have policies specifically geared for remote work, while others may provide for contingencies in disaster recovery plans, BYOD (bring your own device) policies, and other similar plans and policies. If no relevant plans or policies are in place, this is a good time to establish at least some basic guidelines to address remote access to company information systems and use by employees of personal devices for company business.

Communication:  

Managers should be familiar with applicable security guidelines, plans, and policies, and ensure that pertinent information is flowed down to their teams and throughout the organization. It is essential that the organization is aligned from top to bottom. Remember, many employees do not work in security day-to-day, and some may have never worked remotely before. Providing guidance to all employees is critical.

Preparation:

Companies should review data breach and incident response plans to ensure that organizations are prepared for responding to a data breach or security incident. Update the plans, if necessary, with contact information for the (now) remote incident response team and outside advisors. The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong.

Remote Work Cyber Security Tips:

  • Remind employees of the types of information that they need to safeguard. This often includes information such as confidential business information, trade secrets, protected intellectual property, work product, customer information, employee information, and other personal information (information that identifies a person or household).

  • Sensitive information, such as certain types of personal information (e.g., personnel records, medical records, financial records), that is stored on or sent to or from remote devices should be encrypted in transit and at rest on the device and on removable media used by the device. 

  • Train employees on how to detect and handle phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. There are an increasing number of Coronavirus-based phishing emails going around, preying on the health concerns of the public. For more information about this particular risk, please see our article.

  • Do not allow sharing of work computers and other devices.  When employees bring work devices home, those devices should not be shared with or used by anyone else in the home.  This reduces the risk of unauthorized or inadvertent access to protected company information.

  • Virtual Private Networks (VPNs) ensure that internet traffic is encrypted, especially if connected to a public Wi-Fi network. If your company has one in place, make sure employees exclusively use the VPN when working and when accessing company information systems remotely.

  • Company information should never be downloaded or saved to employees’ personal devices or cloud services, including employee computers, thumb drives, or cloud services such as their personal Google Drive or Dropbox accounts.  

  • Require security software on employee devices and ensure that all versions are up to date with all necessary patches.

  • Consider prohibiting access to company information systems while on public Wi-Fi.  With offices closed, employees may be tempted to work from their local cafes and coffee shops.  Without a company VPN, this can lead to significant security risks. 

  • “Remember password” functions should always be turned off when employees are logging into company information systems and applications from their personal devices.

  • Implement and enforce two-factor or multi-factor authentication (MFA). If you haven’t turned on MFA yet, now is the time to do it.

  • Limit employee access to protected information to the minimum scope and duration needed to perform their duties. 

  • Consider Mobile Device Management (MDM) and Mobile Application Management (MAM). These solutions can help manage and secure mobile devices and applications. These tools can also allow organizations to remotely implement a number of security measures, including data encryption, malware scans, and wiping data on stolen devices.

  • Keep IT resources healthy and well-staffed.  When more employees than normal are working remotely, or remote work is new to an organization, IT resources may be strained and required IT assistance may increase.  

  • Remember, HIPAA and other similar laws still apply during coronavirus. For a discussion of HIPAA, please see our article. If the GDPR applies to your business, a number of European Union data protection authorities have issued guidance. Check the website of your functional data protection authority. Some examples: Ireland, Italy, France, United Kingdom.

Stay vigilant – cyber security is not immune to COVID-19. 

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume X, Number 73

About this Author

Christopher Buontempo, Corporate Lawyer, Mintz
Associate

Chris is a corporate attorney and a Certified Information Privacy Professional (CIPP). He has significant experience handling legal and business issues relating to technology, data privacy and security, brand protection, contract negotiation, licensing, and product development. 

Chris has held several leadership positions at technology, consumer product, and e-commerce companies. Prior to joining Mintz, he was Director of Legal Affairs and Privacy Officer at The Predictive Index, a high-growth, SaaS-based personnel assessment and technology company with an expansive international...

617-239-8322

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-demand media commentator and speaker on privacy and cybersecurity issues.

Cynthia is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E).

She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions. She is also a key contributor to MintzEdge, an online resource for entrepreneurs that includes useful tools and information for starting and growing a company.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.

During law school, she was editor-in-chief of the Probate Law Journal.

617-348-1732