Cybersecurity for Remote Employees: Legal Requirements featured image

Cybersecurity for Remote Employees: Legal Requirements

by John DiGiacomo

Partner

Corporate Employment Law

The fact that employees are increasingly required to work from home does not obviate a company’s legal requirement to have reasonable company policies and procedures to safeguard consumer data and to protect sensitive company confidential information. Indeed, the dawning era of widespread work-from-home employment necessitates enhanced cybersecurity since there are enhanced data security risks associated with remote working.

The enhanced risks flow from several aspects of the work-from-home employment regime. First, because more data and information is being sent over the internet, there is an enhanced risk of hacking, hijacking and other interception of the data by cybercriminals. Second, employees are using devices and computers in the home work-area that have not been inspected or secured by the company’s IT department. Further, logic suggests that an increase in the number of at-home workers will result in an increase in the number of brands and types of computer and devices being used across the company. Moreover, employee-owned equipment may be obsolete and/or using antiquated, out-of-date security software. All of this increases the incompatibilities between hardware and software making more work and inefficiencies for the company’s IT department. The end result is a significantly increased potential for exploitable vulnerabilities.

Third, at-home employees have reduced direct day-to-day, hour-by-hour supervision by supervisors who may be better-trained with respect to data security and cybercrime. Reduced supervision increases the risks of hacking cybercrime. This is partly because less direct supervision increased the chance of employees conducting personal business. The at-home online environment may not have the same limited internet access or have other firewalls which are present in a standard workplace. The at-home work area is also likely accessible to family members and others who are not authorized to have access to company data and information. The risk is less that the family member will steal the data but, rather, that they might “surf the net” to danger areas allowing intrusion or exfiltration by a cybercriminal.

The solution is to create and implement official company policies and procedures for cybersecurity specific to the new work-from-home environment. Your company should already have such policies and procedures for an at-work environment, but a distinct set of cybersecurity policies is needed. Experienced employment and cybersecurity lawyers like the ones at Revision Legal can help.

As noted, the new policies and procedures must focus on protecting the company’s confidential intellectual property and on reasonably protecting against data breaches or exfiltration of sensitive consumer/employee data. Effective work-from-home policies and procedures will accomplish both tasks. Here are some of the provisions that should be included:

  • Training for work-from-home employees specific to data security
  • Training for work-from-home employees with respect to PHYSICAL security of at-home and mobile devices — at-home and mobile devices must be physically secured even though only family members are able to access the at-home work-area; proper security includes locked drawers/desks, complex passwords, regular password renewals, barring family members from using the device, etc.; mobile devices should never be left unattended, etc.
  • Training for your IT staff specific to data security risks associated with work-from-home employees
  • Stating the company’s commitment to securing the secrecy of the company’s intellectual property and consumer data
  • Where possible, mandate provision and use of company-purchased and owned equipment and mandate that at-home employees only use company-provided equipment
  • Procedures in the event a lost device or actual or suspected unauthorized access
  • Enact a no-tolerance rule for use of public wireless networks (like at a public library or coffee shop) — this rule is necessary even though, for now, there may be a lock-down on such public spaces; these work-from-home policies should be applicable for all work-from-home circumstances
  • Limit work-from-home employee’s access to confidential and consumer data
  • Ensure that all work-from-home employees have signed confidentiality and nondisclosure agreements — even short basic agreements are an important part of cybersecurity since they enhance an employee’s belief in the importance of these issues
  • Remote installation by the company’s IT staff of security applications and software with updates and upgrades regularly installed — the corollary is that the work-from-home employee must be prohibited from interfering with the company-installed security software, firewalls and protocols
  • For mobile devices, if not already in place, mandate installation of physical tracking software

If you need help with your company’s work-from-home policies and procedures or if you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Related Posts

Trademark Dilution Explained: Blurring, Tarnishment, and What Small Businesses Need to Know

Trademark Dilution Explained: Blurring, Tarnishment, and What Small Businesses Need to Know

Revision Legal

Most business owners understand trademark infringement: someone uses a name or logo confusingly similar to yours, and customers get misled. But trademark law protects certain brands from a second and distinct legal threat — one that does not require consumer confusion at all. Trademark dilution protects famous marks from uses that weaken their distinctiveness or […]

Read more about Trademark Dilution Explained: Blurring, Tarnishment, and What Small Businesses Need to Know

How to Protect Your Startup’s Intellectual Property Before Pitching to Investors

How to Protect Your Startup’s Intellectual Property Before Pitching to Investors

Revision Legal

Raising capital requires sharing information — and sharing information creates risk. Before a startup pitches to investors, the founders have usually built something worth protecting: original software, a novel process, a proprietary design, or confidential business logic. Once that information is disclosed to an investor, a competitor, or even an advisor, taking it back becomes […]

Read more about How to Protect Your Startup’s Intellectual Property Before Pitching to Investors

IP Assignment Mistakes That Can Derail Your Startup Acquisition

IP Assignment Mistakes That Can Derail Your Startup Acquisition

Revision Legal

When a company acquires a startup, the most valuable assets on the table are usually intangible. Software, brand identity, patents, proprietary algorithms, and trade secrets often represent the core of what makes a startup worth acquiring in the first place. The assumption that goes into almost every acquisition is that the startup owns these assets. […]

Read more about IP Assignment Mistakes That Can Derail Your Startup Acquisition

Put Revision Legal on your side