In response to the recent uptick in COVID-19 cases in the U.S. and abroad, health authorities and government officials worldwide are increasingly encouraging, and in some cases requiring, “social distancing” tactics, including prohibitions on gatherings of large groups and the closure of workplaces. This has prompted an increasing number of businesses to allow and/or encourage their employees to work remotely.
To avoid data security risks, which can lead to a wide array of business and legal impacts, we suggest considering the following measures, which are aimed at ensuring that company data is not compromised as a result of transitioning to expanded telework arrangements:
- Utilize a Virtual Private Network (“VPN”) or other secure method of encrypting transmitted data. Ensure that your employees exclusively use a secure connection when working remotely, particularly when connected to a public Wi-Fi network. You may also consider implementing a multi-factor authentication process when providing access to any areas of your network that contain especially sensitive information.
- Maintain document retention practices, including back-up files. Make sure that your teams continue to adhere to relevant data retention policies while working remotely, including by keeping documents for the prescribed amount of time and properly disposing of documents that contain sensitive information after a certain period. In addition, consider implementing systems that back up files using an online cloud-based platform.
- Consider prohibiting employees from forwarding work emails to their personal email accounts. Review your company’s data policy for provisions that outlaw such transmissions; if it does not include such a prohibition, consider adding one. Once an email is transmitted outside the security of your company’s network, it is virtually impossible to ensure that information therein remains secure and/or private. In addition, company emails that are forwarded to personal accounts may be subject to electronic discovery in certain circumstances.
- Remind employees of contractual obligations to keep company information and materials confidential. If your company’s policies or employment contracts require employees to keep certain types of information confidential, make sure that they understand that this requirement applies in the teleworking setting just as it does to in-office communications. In addition, you may want to consider prohibiting employees from sharing their work computers and devices with others while working remotely.
- Evaluate your company’s agreements with third-party software providers and data vendors whose products and services support employees working remotely. Ensure that necessary products and services are accessible remotely under the terms of such agreements, evaluate vendors’ bandwidth and customer support capabilities, and remind employees of contractual limits on the use or distribution of covered products.
- Update and monitor your IT platform software. Work with your IT team to continue identifying new bugs and issuing patches and updates as appropriate to all operating systems, apps and web browsers while your employees work from home.
- Continue conducting employee security training. Offer any regularly scheduled cybersecurity and/or privacy training via secure videoconference or other remote means and inform employees as soon as you discover new vulnerabilities or methods of attack. If your company does not offer such training, consider doing so — particularly regarding techniques to avoid phishing attacks and other internet-based scams. Also, provide employees with a means to contact the company for assistance with potential cybersecurity issues.
- Be vigilant in detecting fraudulent activity and encourage employees to promptly report suspicious communications. Scammers tend to be particularly active during times of crisis. Forbes reported last week that several coronavirus-related domain names were recently registered to steal information from recipients or infect them with malware via phishing attacks.[1] In addition, the Federal Trade Commission and Food and Drug Administration have issued warning letters to a number of companies selling products that claimed to treat or prevent the coronavirus, alleging that they were devoid of evidence supporting their claims and thus violated federal law.[2] Consider reminding your employees to be vigilant when interacting with third parties, including by not clicking on links from unknown sources or responding to communications from suspicious parties, and to report promptly any suspicious activity to applicable persons in the company.
If you have questions regarding your company’s data security practices, please contact our Data Privacy and Security practice group leaders below.
1. Thomas Brewster, "Coronavirus Scam Alert: Watch Out For These Risky COVID-19 Websites And Emails," Forbes (Mar. 12, 2020), https://www.forbes.com/sites/thomasbrewster/2020/03/12/coronavirus-scam-alert-watch-out-for-these-risky-covid-19-websites-and-emails/#2857444a1099.
2. "Coronavirus Scams: What the FTC is doing," FTC.gov, https://www.consumer.ftc.gov/features/coronavirus-scams-what-ftc-doing.