COVID-19, Remote Work and Cybersecurity Threats: 7 Pointers for In-House Counsel
The surge in inexperienced remote workers is creating a host of potential cybersecurity threats that in-house counsel need to quickly address, cybersecurity lawyers said. "Hackers love exploiting weakness and they know the entire world is distracted," said Jena Valdetero, partner at Bryan Cave Leighton Paisner.
March 17, 2020 at 12:09 PM
8 minute read
With more and more organizations responding to growing COVID-19 disruptions by allowing employees and students to work from home via the internet, the surge in inexperienced remote workers is creating a host of potential cybersecurity threats that in-house counsel need to quickly address, expert lawyers said.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on March 13 issued an alert encouraging organizations that move to remote work "to adopt a heightened state of cybersecurity," citing an escalated risk of phishing and malware attacks and ransomware during the novel coronavirus pandemic.
"As organizations use VPNs [virtual private networks] for telework, more vulnerabilities are being found and targeted by malicious cyber actors," it said.
General counsel and their chief information security officers ideally would have planned in advance and established or reinforced their policies and procedures regarding telework, but events are moving too quickly now in many instances, and they will have to play catchup while dealing with other urgent matters, lawyers said.
David Newman, head of the coronavirus task force at Morrison & Foerster and partner in the global risk and crisis management group in Washington, D.C., said, "the top line to general counsel is that even with everything else going on, they need to appreciate that cybersecurity risks must remain front-of-mind.
"The No. 1 thing is to continue to ask about the cybersecurity risk of your actions. Think of how much worse it would be with a ransomware attack," he said.
Bryan Cave Leighton Paisner's Jena Valdetero, co-leader of the firm's data privacy and security team in Chicago and head of its data breach response team, said, "Hackers love exploiting weakness and they know the entire world is distracted."
Here are some pointers from these lawyers and other sources about how general counsel and their staff can get ahead of the problems:
1. Make sure your organization's information technology department has support.
"You have IT systems and IT staff that are stressed in a way that is unprecedented, and you have just a general set of circumstances in which people are rushing and scrambling to get through the day and meet their business needs and all that adds up to a case of real risk," Newman said. It's important to make sure these departments have the resources they need to do their jobs. "The CISO [chief information security officer] and/or CIO has to have a seat at the table during these discussions and they need to be thinking about the risks of teleworking and vendors and remote work and contractual relations, and reading the actual contracts is an important step."
2. Help employers make sure there is enough equipment for remote workers, and that it is properly configured with security software to ensure that data accessed on it remains secure.
Many organizations, including schools, are distributing laptops and tablets for the first time to new users, and they need to have the correct security software installed. Consider encrypting hard drives, said Bryan Cave's Valdetero.
Also, some remote workers may be using their own equipment that may not be properly configured and may therefore have security vulnerabilities. If workers must use personal equipment, the company should provide a VPN for connections and require multifactor authentication to log in.
3. Work with security experts to establish, or reinforce, policies around the use of company equipment and network access.
In-house lawyers should help their employers establish clear guidelines around acceptable internet connections and the types of devices they use to connect to the company's network. For instance, employees should not use unsecured WiFi, and use the enterprise's virtual private network only.
Establish best practices and make sure they are properly communicated: "If you don't want them to go to the library and log on, tell them that." Give clear and specific instructions, like "don't connect from a WiFi connection where you don't have to enter a password," she said. "Be realistic about human beings and how they will take shortcuts to get work done."
Make clear that company-issued laptops and other equipment are to go home and stay there, and specify what employees should do in case of lost or stolen equipment in order to prevent data breaches. Remind employees including top executives to turn on multifactor authentication.
As for the organization's network itself "whatever you [employers] can do to mitigate against threats you should do—increased monitoring, logging and monitoring suspicious logins when people are logging in from multiple suspicious addresses," she said. "It will be worth the investment."
4. Consider that in some instances, it may be better to have some nonessential personnel take leave rather than work remotely.
"If you are a highly regulated industry, they may not be able to work from home because the data security requirements cannot be met," Valdetero said. "If you can't meet those standards, maybe you should not let them work from home."
"I would also caution employers to think about labor and employment legal issues, there is an intersection between Fair Labor Standards Act and making sure you don't run afoul of those" with increased remote work, she said.
5. Warn all employees about the heightened risk of phishing, malware and other cyber threats connected to the COVID-19 outbreak.
"I think it is fair to say that first-time teleworkers are all at high risk of malicious attacks," Newman said. "Local governments of all kinds including schools are particularly attractive targets for these types of attacks."
Even the U.S. Department of Health and Human Services apparently was targeted in a DDoS, or distributed denial of service, cyberattack Sunday that may have been the result of a foreign state, according to Bloomberg News. HHS said the attacks weren't successful.
Tell employees to double-check before complying with any unusual directives from higher-ups. Some phishing attacks come disguised as instructions from higher-ups to wire transfer funds, for example.
Also, as after many disasters, charity and relief scams abound, so remind employees in corporate communications not to click on links and attachments of which they are unsure, the lawyers said. Also, many phishing emails are circulating purporting to be COVID-19 updates or information.
6. In cooperation with chief information security officers and chief security officers, review contracts with vendors, clients and customers with respect to cybersecurity.
"This [situation] is unprecedented and they may choose to do things that aren't strictly in the letter of their contracts. Reading the actual contracts is an important step," Newman said. This includes contracts with outside cybersecurity service providers and other support vendors.
As well, take time to review data breach insurance and similar policies for coverages and exposures, the lawyers said.
7. Finally, print out a list of internal and external emergency contacts and have them ready in case of a data breach or another emergency.
"Two things will help your business survive if you are [data] breached: Timing and communication," said Valdetero. That is, how quickly you respond to the data breach to cut off access by intruders, investigate and notify stakeholders. Printing out the list will ensure access to it even if the network is down or access cut off.
"This is the first time in recent history our country has had to deal with something like this," Valdetero said. "We are all learning as we go, but fortunately for us, because we have been moving much more toward a remote-working culture in recent years and, we are far better equipped to handle this in 2020 than we would have been even 20 years ago. We just need to be mindful that there are some risks and try to mitigate them."
Read More:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHow Marsh McLennan's Small But Mighty Legal Innovation Team Builds Solutions That Bring Joy
Aggressive FTC May Force Merging Companies to Bolster Legal Defenses
4 minute readBest Legal Departments: How Blackstone's Legal and Compliance Team Got the All-Clear to Grow Business
CEOs Want Data-Based Risk Management; GCs Lack the Tech to Do So.
Law Firms Mentioned
Trending Stories
- 1Life, Liberty, and the Pursuit of Customers: Developments on ‘Conquesting’ from the Ninth Circuit
- 2Biden commutes sentences for 37 of 40 federal death row inmates, including two convicted of California murders
- 3Avoiding Franchisor Failures: Be Cautious and Do Your Research
- 4De-Mystifying the Ethics of the Attorney Transition Process, Part 1
- 5Alex Spiro Accuses Prosecutors of 'Unethical' Comments in Adams' Bribery Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250