We want to enable our personnel to work from home during this health crisis.  What do we need to worry about from a privacy and cybersecurity perspective?

1. Equipment.  Personnel working remotely will need equipment, and you may not have enough company issued laptops, tablets and other devices to enable personnel to perform their functions outside of company premises.  Personnel without company-issued equipment may have personal devices that can be connected and supported for purposes of working remotely, but this may not be the case with outdated equipment.  Security issues introduced by using personal equipment to connect must be considered.  Programs and apps may need to be installed or downloaded in order to address the issues presented by the use of personal devices.  Usual cybersecurity hygiene should be “kicked up a notch” in this new, challenging environment.  Require the use of a virtual private network and multi-factor authentication before permitting access to company systems through a personal device.  In addition, now is a good time to require employees to update settings on their computers to keep information secure, such as the use of strong passwords or passphrases and automatic log off when not in use.

Consider also the company’s side of the equipment equation.  The IT infrastructure may or may not have the capacity to increase, probably drastically, the number of personnel working remotely.  

2. IT Support.  Particularly for those working remotely for the first time, who may be installing new programs and apps for this purpose, and who may be unaccustomed to navigating company systems in the remote environment, demands on IT will increase.  Consider whether existing IT support staff is up to the task.  Phasing in first-time remote users may help to spread out and ease the demands on IT support staff.  Prepare FAQs on how to utilize programs and apps remotely for first-time remote users, if such FAQs do not already exist. 

3. Policies and Protocols.  Given that the company and many of its personnel may be operating in a new environment, with every new remote access presenting new risks and vulnerabilities, a careful consideration of privacy and cybersecurity policies and procedures would be well advised.  For example, if the remote access policy restricts remote access to company-issued devices, appropriate and well-documented adjustments should be considered to avoid violations of an existing policy that could present additional exposures in the event of a security incident.  Similarly, existing policies could restrict the removal of data, including paper, from the company’s secure environment, but personnel may need more access to more data for a longer period than contemplated by existing policies, and appropriate adjustments should be considered to permit personnel to perform their job functions off-site.  Consider the sensitivity of the information contained in paper records and the corresponding need to keep such information secure.  Implement a method to track the physical movement of such records to enable the business to verify that all such records are returned to the worksite when the remote worker returns to onsite working.  In addition, review whether current policies include a prohibition on the use of personal connected devices that use Alexa, Google, or Siri, when working from home given the devices can listen to conversations occurring in the background, which could include confidential work-related calls. 

As always, limit remote access as much as possible.  Don’t let the current panic, and need to get personnel fully functioning as quickly as possible, distract from sound privacy and cybersecurity risk mitigation practices.