5 Practical Tips for Balancing Remote Access + Privacy in a Pandemic
March 19, 2020
In this rapidly changing environment, people and companies are innovating and adapting on the fly. Companies are operating today in ways that we would not have considered just a week ago. Among the more common adjustments is the widespread move to work from home for large numbers of employees.
In the current environment, the “workplace” has quickly been redefined to mean “wherever we are.” But during this time, employers cannot ignore privacy issues and their legal obligations. The reality is that many employees have access to information that is not necessary and are using personal electronic devices, applications, and internet access providers that may or may not be secure.
Of course, protecting sensitive data is a company’s responsibility in any work environment, no matter the chaos. You and your business remain subject to legal and contractual obligations to protect customer, vendor, or in some industries, patient privacy. The bottom line: you need to protect your own data and information.
As you continue to develop and operate your remote work models, identifying and minimizing risk can seem daunting. Below are five practical tips to help with this process.
1. Prepare for Resource Stress.
As the number of your remote users increases, virtual desktop environments, VPN concentrators, and other remote-access resources may be pushed to their limits. Continue to assess and monitor these tools, and ensure they are patched and updated before a surge in usage makes maintenance windows hard to find. Consider how employees and other users will authenticate when outside the office. Even if not required by law, regulation, or contract, consider requiring multifactor authentication for VPN and other remote entry points; the March 2020 alert on enterprise VPN security from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA Alert AA20-073A) may be a useful reference in these efforts.
2. Remind Users of Security Risks.
Warn employees and other users of the security risks related to remote work. Even if you already conduct periodic security awareness training, reminding users of basic risks and best practices during this new and unfamiliar period may help reduce avoidable incidents by keeping these topics top of mind.
If you have existing training or resources available, simply reminding users of those tools and key best practices (including where and how to access them) can go a long way. If your organization does not already have such content, a list of common best practices can be found in this recent article we published for Columbus Business First.
3. Understand your Obligations.
The legal obligations to protect information remain in place, and these requirements must be considered in any assessment. For example, HHS has said that HIPAA still applies to health care providers even in this emergency. At the same time, the HHS Office for Civil Rights has stated that it will not seek HIPAA penalties if a health care provider's employees work from home using systems that may not comply with HIPAA standards, so long as the provider has exercised "good faith." Having taken whatever protective steps you can quickly implement, and having documented them, is evidence of good faith and will be helpful in the event of a breach or in any ensuing investigation.
Of course, HIPAA is just one area of concern (and may not apply to your business). Depending on the business you are engaged in, you may need to consider other privacy laws and standards, such as the Payment Card Industry Data Security Standard (PCI DSS), ISO standards, SOC 2, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable state and foreign laws. Kegler Brown's privacy and health care lawyers are available to help you navigate these challenges.
4. Assess and Minimize Access to Information.
Assessing and minimizing your potential obligations and general risk related to a breach or other incident should be part of any discussion of remote working. To begin this internal conversation and assessment, an organization should, among other items:
- Know the information each employee actually needs to access to do their job.
- Know the tools you have to restrict each employee's access to the minimum information necessary for that job.
- Know the tools you have to monitor the information each employee views, downloads, or otherwise accesses.
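The three items above amount to a least-privilege review: compare what each person is granted against what their role needs, then check actual access against that baseline. The following is an added example of that review, not code from the original article or from Kegler Brown; the roles, systems, employee names and log lines are all constructed for illustration, and the log format is a hypothetical one.

```python
"""Least-privilege access review for a remote workforce.

Step 1: flag grants that exceed what an employee's role needs.
Step 2: scan an access log for use of systems outside the role's need,
        or by users with no known grant at all.

Every role, system, user and log line here is constructed sample data.
"""

# Assumption: the minimum information each role needs, agreed with business owners.
ROLE_NEEDS = {
    "billing": {"invoices", "payment-portal"},
    "clinician": {"ehr", "scheduling"},
    "marketing": {"crm"},
}

# Constructed: each employee's role and the systems they are currently granted.
ACTUAL_GRANTS = {
    "alice": ("billing", {"invoices", "payment-portal", "ehr"}),  # ehr is excess
    "bob": ("clinician", {"ehr", "scheduling"}),
    "carol": ("marketing", {"crm", "invoices"}),                   # invoices is excess
}

# Constructed access-log lines in a hypothetical format:
# <timestamp> user=<name> system=<system> action=<verb>
SAMPLE_LOG = """\
2020-03-18T09:01:12Z user=alice system=invoices action=view
2020-03-18T09:05:40Z user=alice system=ehr action=download
2020-03-18T10:12:03Z user=bob system=ehr action=view
2020-03-18T11:47:55Z user=carol system=invoices action=export
2020-03-18T12:00:00Z user=dave system=crm action=view
"""


def excess_grants(role_needs, actual_grants):
    """Return {employee: systems granted beyond what the role needs}."""
    findings = {}
    for user, (role, systems) in actual_grants.items():
        extra = systems - role_needs.get(role, set())
        if extra:
            findings[user] = extra
    return findings


def parse_log(text):
    """Parse the constructed key=value log format into a list of event dicts.
    Malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all("=" in p for p in parts[1:]):
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append({"ts": parts[0], **fields})
    return events


def out_of_scope_access(events, role_needs, actual_grants):
    """Return (timestamp, user, system, reason) for each event that touches a
    system outside the user's role need, or comes from an unknown user."""
    findings = []
    for e in events:
        entry = actual_grants.get(e["user"])
        if entry is None:
            findings.append((e["ts"], e["user"], e["system"], "unknown user"))
            continue
        role, _granted = entry
        if e["system"] not in role_needs.get(role, set()):
            findings.append((e["ts"], e["user"], e["system"], f"outside {role} need"))
    return findings


def run_review(log_text=SAMPLE_LOG):
    """Run both steps over the constructed data and return the findings."""
    excess = excess_grants(ROLE_NEEDS, ACTUAL_GRANTS)
    flagged = out_of_scope_access(parse_log(log_text), ROLE_NEEDS, ACTUAL_GRANTS)
    return excess, flagged


if __name__ == "__main__":
    excess, flagged = run_review()
    for user, systems in sorted(excess.items()):
        print(f"excess grant: {user} -> {sorted(systems)}")
    for ts, user, system, reason in flagged:
        print(f"flagged access: {ts} {user} {system} ({reason})")
```

Note that the second step checks the log against the role's need rather than against the grant: alice's download from the EHR is flagged even though she currently holds that grant, which is exactly the case the review exists to surface. Unknown users (dave) are reported separately so that orphaned or shared accounts are not silently treated as in scope.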
5. Perform (and Document) a Risk Assessment.
Even if you are not legally or contractually required to do so, every organization should perform a risk assessment and document the steps taken to address the risks identified.
It is important to document any changes to, or temporary deviations from, your existing privacy and security policies, including who approved them and when they are expected to be rolled back. This step will not guarantee that no breach or other incident occurs, but it helps establish that an incident did not happen because you were asleep at the wheel.
Your employees may already be working from home, but it is not too late to assess your exposure. In fact, assessment should be an ongoing process. Note that these issues are not solely the responsibility of your IT team; they affect marketing, finance, operations, and nearly every other internal staff group. To be successful, your entire team must stay vigilant and make adjustments as needed.