As the Covid-19 Pandemic forces more employees than ever before to work from home (“WFH”), businesses face new and different data privacy and security risks. This change is not lost on U.S. regulators, but it does not mean that businesses will get a pass on data privacy and security issues potentially caused by the shift in working conditions. In an effort to help businesses navigate these new circumstances, BCLP has prepared a series of articles on addressing data privacy and security issues in a WFH environment.
Nearly all companies should be performing data privacy and security risk assessments. Whether your company conducts a risk assessment because it is mandated by law or because your company recognizes the value of conducting such assessments even if not legally required to do so, now is an important time to reassess your risk profile with your work force moving to a WFH environment. With the shift to an expanded work from home environment, your company’s risk surface has radically changed. That change in circumstances necessitates a change in your risk assessment to assist your IT and response teams with reprioritizing their efforts to keep your company’s data safe. Here are some important things to keep in mind during the risk assessment process:
- Devices no longer completely controlled and on a secured network. With your company’s devices no longer primarily interacting with the wider world through your company network, your IT team will need to evaluate whether its security processes remain adequate for the challenges faced.
- Malware becomes a greater threat. Since your devices are no longer behind your company’s firewalls and you can no longer be certain that employees’ devices are patched, malware becomes a much larger threat for your organization. To that end, your team should work to determine what antimalware solutions it trusts to protect employee devices. Your IT team should also have a plan for helping employees install and update the software so that
- Ransomware a lesser threat (possibly). With more limited access to your company’s network, the risk of a ransomware attack may be lessened. Instead, the ransomware risk may primarily sit on your employees’ personal computers. Alternatively, if your company has taken steps to make it easier to access company resources remotely, your systems’ risk of a ransomware infection may have increased. The important point is to reassess your risk under the changed circumstances and to develop a plan with your technical teams to address that shift in the risk spectrum.
- Phishing, different threat profile. With employees now working from home, there are new types of phishing threats to consider. Has your business applied for loans or other government assistance? If so, your employees need to be on the lookout for government imposter scams seeking to take advantage of businesses seeking help. Is your company in healthcare? Then employees should be on the lookout for scams targeting healthcare companies responding to Covid-19 needs.
- Talk with IT to determine what threats have become more or less dangerous. Discuss the shift in threats with your security and privacy teams to ensure that your processes and policies match up with the current risks that your business faces. Working through these issues, and others, is a good way to ensure that you catch threats before they impact your business. It’s also an effective way to show regulators that your company was working diligently to address new issues. That way, if you have a breach, your company is in a better position to demonstrate to regulators that your company was taking reasonable and appropriate steps to identify threats before they resulted in harm to your company or consumers.
This article is part of a multi-part series published by BCLP to help companies understand and cope with data security and privacy issues impacted by the Covid-19 Pandemic. You can find more information on specific data privacy and security issues in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.