The fact that employees are increasingly required to work from home does not obviate a company’s legal requirement to have reasonable company policies and procedures to safeguard consumer data and to protect sensitive company confidential information. Indeed, the dawning era of widespread work-from-home employment necessitates enhanced cybersecurity since there are enhanced data security risks associated with remote working.
The enhanced risks flow from several aspects of the work-from-home employment regime. First, because more data and information is being sent over the internet, there is an enhanced risk of hacking, hijacking and other interception of the data by cybercriminals. Second, employees are using devices and computers in the home work-area that have not been inspected or secured by the company’s IT department. Further, logic suggests that an increase in the number of at-home workers will result in an increase in the number of brands and types of computers and devices being used across the company. Moreover, employee-owned equipment may be obsolete and/or using antiquated, out-of-date security software. All of this increases the incompatibilities between hardware and software, making more work and inefficiencies for the company’s IT department. The end result is a significantly increased potential for exploitable vulnerabilities.
Third, at-home employees have reduced direct day-to-day, hour-by-hour supervision by supervisors who may be better-trained with respect to data security and cybercrime. Reduced supervision increases the risks of hacking and cybercrime. This is partly because less direct supervision increases the chance of employees conducting personal business. The at-home online environment may not have the same limited internet access or the other firewalls that are present in a standard workplace. The at-home work area is also likely accessible to family members and others who are not authorized to have access to company data and information. The risk is less that the family member will steal the data but, rather, that they might “surf the net” to danger areas allowing intrusion or exfiltration by a cybercriminal.
The solution is to create and implement official company policies and procedures for cybersecurity specific to the new work-from-home environment. Your company should already have such policies and procedures for an at-work environment, but a distinct set of cybersecurity policies is needed. Experienced employment and cybersecurity lawyers like the ones at Revision Legal can help.
As noted, the new policies and procedures must focus on protecting the company’s confidential intellectual property and on reasonably protecting against data breaches or exfiltration of sensitive consumer/employee data. Effective work-from-home policies and procedures will accomplish both tasks. Here are some of the provisions that should be included:
- Training for work-from-home employees specific to data security
- Training for work-from-home employees with respect to PHYSICAL security of at-home and mobile devices — at-home and mobile devices must be physically secured even though only family members are able to access the at-home work-area; proper security includes locked drawers/desks, complex passwords, regular password renewals, barring family members from using the device, etc.; mobile devices should never be left unattended
- Training for your IT staff specific to data security risks associated with work-from-home employees
- Stating the company’s commitment to securing the secrecy of the company’s intellectual property and consumer data
- Where possible, mandate provision and use of company-purchased and owned equipment and mandate that at-home employees only use company-provided equipment
- Procedures in the event of a lost device or actual or suspected unauthorized access
- Enact a no-tolerance rule for use of public wireless networks (like at a public library or coffee shop) — this rule is necessary even though, for now, there may be a lock-down on such public spaces; these work-from-home policies should be applicable for all work-from-home circumstances
- Limit work-from-home employees’ access to confidential and consumer data
- Ensure that all work-from-home employees have signed confidentiality and nondisclosure agreements — even short basic agreements are an important part of cybersecurity since they enhance an employee’s belief in the importance of these issues
- Remote installation by the company’s IT staff of security applications and software with updates and upgrades regularly installed — the corollary is that the work-from-home employee must be prohibited from interfering with the company-installed security software, firewalls and protocols
- For mobile devices, if not already in place, mandate installation of physical tracking software
If you need help with your company’s work-from-home policies and procedures or if you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.