As if data security weren’t tough enough already, employers must now also address the impact of COVID-19. With many employees currently working from home, companies must tackle a myriad of new issues related to data security. As we previously reported, cybercriminals are using the confusion and misinformation surrounding the pandemic to scam unsuspecting individuals, take money, plant ransomware or malware, or access confidential information. Further, home and public Wi-Fi networks are generally less secure than those in the workplace, thereby putting a company’s data at greater risk. While working from home, employees may also have the opportunity to access or download sensitive information from company databases, including trade secrets, personnel information, or other confidential information. These issues create numerous problems, including data breach liability, and may prove costly to a company, not only monetarily (and perhaps even criminally), but also in terms of business reputation.
Thus, while a business cannot do much about teleworking distractions such as children, spouses, and pets, it can and must address the security issues unique to working from home and incorporate sound data security practices into its telecommuting strategy.
Reasonable security procedures
A virtual private network with strong end-to-end encryption should be used for all remote access to company servers, even on a password-protected network at home.
Before permitting remote access to businesses servers, companies should require employees to use employer-provided security software on all devices and promptly add the latest manufacturer software updates.
Employers should require employees to use unique passwords. Caution employees to avoid using the names of pets, family members, or other personal details, as much of that information is readily available online. Passwords should also be changed every three to six months, which companies can require by applying expiration dates on passwords.
Multi-factor authentication should also be used for each login to a company portal as a password alone can be more easily hacked.
Advise employees to turn off Siri and Alexa during any in-person, telephonic, or video business meeting. Although the individual employee may have consented to these devices, the employer has not.
Sensitive data should be available remotely only on a need-to-know basis. Companies must document who has access to sensitive data and information and grant access to only the specific data systems necessary to fulfill that employee’s job duties and obligations.
Employers should not allow employees to work from public places where third parties can view screens and printed documents. Employees must be warned to never leave a device unattended. Instead, employees must be instructed to take devices with them or lock them in the trunk during stops, and never leave devices in a vehicle overnight. (While we’re at it, the same goes for hard copies of documents containing sensitive information, such as trade secrets.)
Device encryption should be enabled. If a device is lost or stolen, a typical password-protected user account does little to protect the actual data on the hard drive. A hacker can simply remove the hard drive, put it into another computer, and access the files. In some cases, hackers can even reset the password and thereby gain access to emails, passwords, and other personal information. This issue can be prevented by using the encryption features included in most operating systems. For example, Windows 10 comes standard with both device encryption and BitLocker. All Macs since 2003 have FileVault. If a system does not come with an encryption tool, it’s well worth it to purchase one.
Use of public Wi-Fi should also be prohibited, as set forth in detail below.
Prohibit use of public Wi-Fi for laptops, tablets, and cell phones
Employees should use only secure Wi-Fi connections for their laptops and tablets. Using public Wi-Fi, including networks available in airports, malls, restaurants, or apartment buildings, is dangerous. Even with a “safe” Wi-Fi network, employees should instead connect to the office via a VPN or use a mobile device as a Wi-Fi hotspot.
Although many people believe cell phones are secure, that’s not necessarily the case, either. As with laptops and tablets, cell phones should not be used with public Wi-Fi, at least for business purposes. Employees should also make a conscious effort to turn off their cell phones’ Wi-Fi when in public spaces. If not, the phones may automatically connect to the strongest available Wi-Fi signal. Similarly, Bluetooth must be turned off in public spaces, and unknown Bluetooth networks should be avoided.
Beware of phishing scams
A recent survey established that more than 80 percent of malware is planted through phishing. Shortly after the first cases of coronavirus were confirmed, an uptick in the registration of domain names leveraging “coronavirus” and “COVID-19” took place. Tracking apps and websites claiming to chart the spread of the virus have popped up worldwide. One such tracking app, CovidLock, actually planted ransomware on Android devices. And, perhaps unsurprisingly, coronavirus-themed domain names are 50 percent more likely to be malicious than other domain names.
Hackers preying on people’s understandable fears and uncertainty – and those attempting to cash in on the recent $2 trillion stimulus package – are sending fraudulent emails and texts claiming to be from the Centers for Disease Control and Prevention, the World Health Organization, or other government entities, stating that they have information regarding the disease and requesting personal information or money. Other phishing emails or social media posts ask the recipient to verify his or her personal information to receive economic stimulus money from the government, while still more may ask for charitable contributions and promote fake cures, vaccines, or testing kits. Indeed, on March 25, the Federal Trade Commission issued advice to businesses outlining seven such COVID-19-related scams that have been reported to the FTC. Similarly, the Federal Bureau of Investigation points out that governmental agencies do not send unsolicited emails asking for personal information so that it can transmit funds, or asking individuals to make charitable donations.
Employees should be warned about scams and advised to never click on links from unknown sources, regardless of where they pop up. Employees should also verify the sender of an email or text before clicking on an embedded link or opening an attachment.
Protect trade secrets
Trade secret litigation has skyrocketed in the last few years. This increase is due in part to the passage of the Defend Trade Secrets Act in 2016, combined with the substantial value embodied in companies’ customer lists, know-how, processes, formulas, business strategies, and other forms of intellectual property. If information is valuable, kept secret, and derives value from its secrecy, it can be a protectable trade secret – as long as reasonable measures are in place to maintain the secrecy. In the current teleworking environment, the need to protect trade secrets is as important as ever.
As set forth above, employees should be given access only to the specific data systems that are necessary to fulfill the obligations and duties of their specific jobs. Employers should also adopt reasonable security procedures, as described above, in order to safeguard trade secret information.
Review and update incident response plan
In the post-coronavirus world, a business must also carefully examine its incident response plan to make sure it remains meaningful and effective. Remember, people will now be scattered, and security incidents almost always move at lightning speed. As a first step, employers must obtain the cell phone numbers of their incident response team, which should include a manageable, cross-functional group of technological, legal, compliance, operations, human resources, and communications people. Employers also must have access to the contact information for critical vendors and outside counsel, who may need to be called in for assistance. Indeed, many breaches will originate with a vendor.
In order to avoid panic and mistakes, it is critical to establish in advance the procedures that will be followed, the resources that will be needed, and who will need to be involved in responding to a security incident. Preparing in advance for these breaches is now more important than ever.
A well-written, updated, and comprehensive governance plan is worth its weight in gold, and – pursuant to that plan – employees should be routinely reminded about their data security responsibilities. Now is the time to send out reminders! If these actions are not taken and something nefarious, or even careless, occurs, a company may be unable to successfully argue that it has used reasonable security procedures or is entitled to trade secret protection.