Work From Home Cybersecurity Basics: Incident Response Planning in a WFH Environment (United States)

BCLP

Summary

As the Covid-19 Pandemic forces more employees than ever before to work from home (“WFH”), businesses face new and different data privacy and security risks. This change is not lost on U.S. regulators, but it does not mean that businesses will get a pass on data privacy and security issues potentially caused by the shift in working conditions. In an effort to help businesses navigate these new circumstances, BCLP has prepared a series of articles on addressing data privacy and security issues in a WFH environment.

Like joints in a human body, every access point in a network represents a weakness that, if not properly protected, can cause the entire system to malfunction. As employees work from home, many of the protections that typically secure access points disappear. As a result, every company with a remote workforce faces an increased risk of security incidents and should be prepared to respond appropriately. Incident response planning is an essential part of any company’s cybersecurity plan, and is even more important when employees are dispersed among different networks, locations, and devices.

When drafting an incident response plan for the WFH environment, companies should, among other things:

  • Incorporate legal counsel to ensure any investigation is conducted under attorney-client privilege.
  • Create protocols and systems that allow IT to safely remote into an infected device.
  • Provide incident reporting procedures, including a clear plan for escalating information about an incident.
  • Designate members of the company’s incident response team whose assistance would be required to respond to a data security incident (e.g., IS, Legal, CFO, COO, IT, Communications, etc.) and include both work and personal contact information for primary and secondary team members.
  • Include references to any laws that require notification to a regulator within a short timeframe (e.g., 72 hours under GDPR, NYDFS, etc.).
  • Discuss the need for preserving evidence. This should prohibit employees from wiping their drives or destroying physical evidence in the event of an incident unless otherwise instructed by an investigation lead.
  • Include contact information for pre-approved external resources whom you might call upon to assist in a breach (e.g., breach counsel, forensic investigator, cyber insurance carrier, etc.).
  • Outline a plan for keeping records of the investigation and identifying the need to minimize written communications about the incident.
  • Implement regular testing to identify weak points and document lessons learned.
  • Require a post-incident meeting to debrief with the incident response team concerning what went well with the investigation and what did not.

This article is part of a multi-part series published by BCLP to help companies understand and cope with data security and privacy issues impacted by the Covid-19 Pandemic. You can find more information on specific data privacy and security issues in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
