Summary

With the Covid-19 Pandemic forcing more employees than ever before to work from home (“WFH”), businesses face new and different data privacy and security risks. While this change is not lost on regulators, it does not mean that businesses will get a pass on data privacy and security issues potentially caused by the shift in working conditions. In an effort to help businesses navigate these new circumstances, BCLP has prepared a series of articles on addressing data privacy and security issues in a WFH environment.

Working from home presents a unique problem for employees who have sensitive data and may be unable to securely destroy it after it is no longer needed. Unlike in a corporate office, most homes do not have paper shredders or secure shred bins, and most home computers do not have systems that automatically delete electronic data. Every company is different, and there is not a single “right” solution to this problem. The sensitivity of a company’s data will change how it should handle the destruction of that data when employees are working from home.

Every company should develop an internal data destruction policy that accounts for information destruction both in the office and at home. When considering at-home data destruction options, companies should consider:

1. Physical Files.
   1. Purchase home shredders for each employee. This may be a good option if employees regularly handle papers containing sensitive personal data or other sensitive information.
   2. Enlist the services of a third party shredding company who can pick up paper files from an employee’s home. This may be a good option if you have employees who regularly handle high volumes of papers containing personal data or sensitive information.
   3. Establish a “no-print” policy, prohibiting employees from printing at home or taking physical documents to their home. This may be a good option if your employees don’t need access to physical documents.
2. Digital Files.
   1. Create a home computer data deletion schedule applicable to all employees who use their personal computer for work. The Department of Homeland Security suggests using either a Secure Erase command set or a disk wipe to permanently erase sensitive information from computers and flash drives.¹
   2. Periodically assist employees in overwriting sensitive company information. The Department of Homeland Security suggests overwriting data using Cipher.exe or Clearing.
   3. Additional guidance on securely deleting files can be found at https://www.us-cert.gov/sites/default/files/publications/DisposeDevicesSafely.pdf and https://www.us-cert.gov/ncas/tips/ST18-005.

This article is part of a multi-part series published by BCLP to help companies understand and cope with data security and privacy issues impacted by the Covid-19 Pandemic.  You can find more information on specific data privacy and security issues in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. https://www.us-cert.gov/ncas/tips/ST18-005