Cybersecurity Concerns with Remote Work
Written by Susan Kohn Ross and Timothy Carter
While likely not the first topic that comes to mind amidst a global pandemic, organizations and businesses that now find themselves entirely (or almost entirely) remote would be remiss not to consider the potential data and cybersecurity issues raised by this sudden and unexpected shift to remote work. For much of the country, COVID-19 has resulted in an abrupt shift in the way we work. Even for those businesses that maintained robust work-from-home policies and systems, this shift presents a learning curve. The more traditional data and cybersecurity concerns ever-present in normal business operations are compounded by the difficulties presented by an extensive remote workforce. Preoccupied remote workers can be more susceptible to online threats such as phishing emails or malware and ransomware, thereby “opening the door” and providing unauthorized access to bad actors. The other, often lesser considered concern is accidental disclosure of confidential business information.
While some professions undoubtedly deal with confidential materials more frequently than others, most businesses maintain sensitive company information, and with a significant chunk of their workforce now unexpectedly remote, businesses will want to be mindful of the complications remote work poses for maintaining confidential information, whether that data consists of employee or customer personal information, trade secrets, or tax and other financial information.
The disclosure of information related to an attorney’s representation of a client, for example, is governed by two separate (yet related) legal doctrines. The first (and likely most well-known) is the attorney-client privilege, which keeps communications made in confidence between an attorney and his or her client secret in the face of a legal demand for disclosure (subject to a few exceptions). The privilege can be waived by disclosure to third parties, such as family members not otherwise covered by some other privilege (e.g., marital / spousal privilege). Lesser known to those outside the profession, but significantly broader than the scope of the attorney-client privilege, are the professional rules prohibiting lawyers from disclosing any information relating to the representation of a client (again, subject to a few exceptions).
Communications made between a patient and their doctor during the course of providing medical services may also be protected from compelled disclosure. While not recognized federally, a number of states recognize such a privilege. Though the specifics often vary by state, the privilege is generally waived by disclosure to third parties. The Health Insurance Portability and Accountability Act (HIPAA) also governs the disclosure of individuals’ medical records and other personal health information by doctors and other medical providers. Disclosure of protected information, without patient authorization, is only permitted in a limited number of circumstances.
Similarly, in the case of therapists and their patients, communications made in confidence during the course of providing treatment may also be protected from compelled disclosure, though not all states recognize such a privilege. HIPAA’s privacy rule also extends to psychotherapists, though in certain circumstances, disclosure of protected information without patient authorization may be made to a patient’s partner, parent, or doctor, or to law enforcement.
While these are only a few examples, businesses and employees outside of these professions must nonetheless be wary of how they interact with and discuss confidential information. With countless states and cities now restricting the travel and movement of their citizens to essential activities, employers and employees should be wary of both how they access their remote work systems and where (and in the presence of whom) workplace discussions occur.
Close the Door. Keep confidential work-related discussions confidential and, as much as is possible, have such discussions outside of the company of third parties, family members, guests, roommates and anyone else in the house.
Set Clear Remote Work Policies. While it’s always a good idea to have ground rules and policies for employees who work outside of the office or in public places, with all (or nearly all) employees working remotely, it’s a great idea to revisit those policies (or create them if they don’t already exist). While it’s unlikely employees will be working in public places for at least the next month or two, the myriad shelter-in-place orders issued by jurisdictions across the country suggest that employees may be working in close proximity to roommates and others not ordinarily privy to such information. For employees working on extremely sensitive information, best practice is to require the use of a privacy screen.
Safeguard Physical Documents. For employees whose duties require use or reference to sensitive documents, set clear policies on how such documents should be handled, secured, and – where applicable – destroyed.
Safeguard Digital Data. Stress the importance of cybersecurity. Businesses can mitigate their risk of data breaches by instructing their employees to (i) utilize a firewall to protect themselves and the company from hackers; (ii) utilize chat or messenger applications with end-to-end encryption; (iii) create complicated passwords and change them regularly; and (iv) access employer networks from secure, password-protected networks.
We are already seeing situations where hackers are seeking to attack virtual private networks and have ramped up phishing emails, so keeping your cybersecurity healthy remains critical for the long-term benefit of the company.