Pandemics, Privacy, and Confidential Data Security: Managing Information Risk is Critical
Following government guidance regarding public health and safety is paramount in this hour. However, this is no time to let one's guard down regarding the critical issues of securing data and documents.
March 26, 2020 at 09:30 AM
Unprecedented numbers of employees are working outside their normal offices. This new dynamic makes the typical challenges of data privacy and security even harder. As employers move to accommodate remote work, they must also protect their data from theft or loss. They must also remember that regulators are watching, and privacy class actions could be looming.
In this difficult environment, employers must take reasonable and necessary steps to ensure that company information accessed remotely is properly managed and remains secure. Normally, human error is the trigger that leads to many—if not most—data losses. Add the fact that many employees no longer have a physical office and are exceptionally anxious, and it's a perfect environment for criminals, state actors, industrial spies, and bored hackers to apply their arsenal of trickery.
Aside from protecting confidential trade secrets, employers should also know that they must protect everyone's personal information, privileged communications, and other sensitive information. More than that, regulators are still watchful for violations of privacy and data-security laws, and private attorneys are no doubt ready to hold companies accountable.
Indeed, EU authorities have reminded businesses that, even now, they will hold "controllers" responsible for securing all data and limiting their processing of personal data to what is strictly necessary. Canadian authorities have published guidance on protecting data while dealing with the coronavirus. The Department of Education has issued guidance regarding the Family Educational Rights and Privacy Act and the coronavirus; the Financial Crimes and Enforcement Network has issued a statement highlighting illicit behaviors connected to the coronavirus; and the FTC has issued consumer warnings and advice regarding the dangers of scams relating to coronavirus and ways to keep information safe while working at home. Regulators have made clear that the coronavirus does not give businesses a holiday from privacy and data security obligations. Just as businesses should not expect leniency from regulators, they should not expect leniency from lawyers pursuing claims.
So, what should a business do about employees who are working from home? Even in these trying circumstances, it can take several actions to minimize risks with respect to remote work.
First, the business should review its IT systems and ensure that everything is secure, up to date, and compliant with best security practices. Operating systems, applications, and software must be patched and up to date, as should mobile devices, laptops, computers, servers, and other devices. Also, the company's critical servers must continue to be backed up on a regular schedule. If a company's IT staff is, or may be, in a location that is under a "shelter-in-place" restriction, ensure that critical IT staff can remotely undertake all necessary security operations and updates.
Second, if a business already has protocols for conducting business outside the office, it should admonish employees to adhere to those protocols. In cases where the business has already issued its own secured laptops and cell phones to the workforce, the action may only require a reminder that employees should not use personal devices and email accounts for company business. In cases where such devices have been issued to only a few employees, the business should consider pushing devices out to the employees who need them.
In the absence of a BYOD program or other policies allowing remote access from non-company owned devices, employees who do not receive company-issued devices should be told not to conduct company business on their own devices and personal email accounts. For companies with BYOD programs, now is a good time to ensure that security parameters (such as virtual private network (VPN) connection requirements or mobile device management applications) are properly configured and that accompanying BYOD policies are understood and enforced. And if a company seeks to implement a BYOD policy now to meet the exigencies, the considerations of data security and risk should not be ignored in the emergency deployment and training process.
Third, if it has not done so already, the business should remind employees to heed security practices already in place, such as using multi-factor authentication and complex and unique passphrases. Companies may want to consider prophylactic measures, such as requiring employees to reset their passwords now or in the near future if that can be done without interrupting business operations.
Also, employees should be reminded to watch out for phishing and other scams and warned to not open unknown emails, visit unfamiliar websites, or click on any links within suspect emails. The FTC has issued abundant security guidance to businesses, much of which employers may find appropriate to send to their employees.
Fourth, employees should be told that family members may not have access to business documents or information. Friends and family should not be allowed to use a company device to access the internet or personal email. Nobody should use or allow FaceTime or videoconferencing for personal communications in view of an open computer screen with company data.
Also, consider whether any paper documents employees have at home need to be secured in locked rooms or cabinets. If a document with confidential information is printed or at home and no longer needed for business or legal purposes, it cannot be thrown in the trash but should be shredded with a cross-cut shredder or returned to the company for secure disposition.
Following government guidance regarding public health and safety is paramount in this hour. However, this is no time to let one's guard down regarding the critical issues of securing data and documents. To protect critical business information, and to stay out of the crosshairs of regulators and enterprising private lawyers, companies should recognize the risks and take appropriate mitigation steps.
David Shonka is a partner with the law firm of Redgrave LLP in its Washington, D.C. office. David focuses his practice on issues related to privacy, security, eDiscovery, cross-border data transfers, government civil law enforcement investigations, and information governance. Prior to joining Redgrave LLP, David served three terms as the Acting General Counsel at the Federal Trade Commission and ten years as the agency's Principal Deputy General Counsel. He can be reached at [email protected]. The views expressed in this article are his and not necessarily those of the Firm or its clients.