We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
20 March 2020
On March 11, the Word Health Organization officially characterized the coronavirus (COVID-19) outbreak as a pandemic. During the outbreak, many employers around the world are seeking to prioritize the well-being and safety of their employees by asking them to work remotely instead of risking exposure while commuting and working in populated office spaces. Organizations need to take into account increased risks to the security of their networks, systems, and data during this time.
As employees head home, there is a potential for increased risk of exposure of sensitive data. One area of concern is that employees may take shortcuts to ease working on personal devices or outside of the organization's environment. For example, employees may send emails to personal accounts with sensitive data attached or upload that data to personal cloud-storage accounts. These incidents of data being sent outside an organization's network could potentially create an obligation to notify customers, regulators, or individuals under various laws, regulations, and contracts. For purposes of convenience, employees may also be tempted to take home sensitive documents that would otherwise remain in the office, thereby increasing the risk of loss, theft, or external exposure. Additional risks might arise if employees download information to personal devices. Working on personal devices may be convenient for employees who have not been equipped with employer-provided hardware, but the risks associated with the use of unsecured devices can be significant, particularly if those devices are able to connect to the organization's network or systems remotely.
Organizations also can expect to see cyberattackers attempt to exploit this unfortunate situation. For example, attackers seeking to capitalize on fears associated with the pandemic could send phishing emails purporting to contain important updates to organizational policies associated with the outbreak, requesting that employees validate their credentials, or asking employees to install additional software to permit remote connectivity. These sorts of phishing attacks could provide attackers with opportunities to infiltrate the organization's networks and systems. In addition, organizations may expect to see attacks increase on systems and networks operated by third-party service providers that are supporting the applications and data flows necessary to facilitate an effective remote workforce.
In addition, employer networks may be subject to increased risk of intrusion when significant numbers of their employees work from remote locations. Organizations may lack the infrastructure in place to support remote working by a large portion, or even all, of their workforce. As employers scramble to bolster their ability to support remote working, overburdening of IT infrastructure and rapid deployment decisions may create vulnerabilities that invite unwelcomed intrusions, increase the odds that malicious activity goes undetected as usage patterns generally veer outside the normal course, or increase the risk that malware might find its way onto internal networks. These risks increase if (i) employees are more frequently accessing the organization's network via unsecured networks, (ii) there is increased reliance on third-party applications and services, (iii) monitoring and logging capabilities are diminished through increased use of remote access, or (iv) network security is weakened due to increased remote connectivity.
The increased risks to data and network security could expose weaker cybersecurity practices if organizations have not yet adopted robust security measures for these circumstances or communicated those practices to employees through training and internal policies. Organizations may wish to address data security topics in guidance shared with employees regarding remote working. Even if policies for remote working already are in place, it may be worth reminding employees of their obligations to help security the organization's network, systems, and sensitive data when they are working from home. Organizations may also see value in confirming that their monitoring and auditing capabilities remain sufficient to detect and thwart cyberattack activity during this period of uncertainty and shifting work norms.
In-house counsel whose responsibilities include privacy and cybersecurity can play a leading role in their organization's efforts to adapt to this new and rapidly changing workplace paradigm. Partnering with the IT, cybersecurity, HR/employment, and risk functions, in-house counsel are uniquely positioned to assist with the assessment of the evolving threat landscape and modify the organization's privacy and cybersecurity programs, policies, and practices accordingly.
For further information on this topic please contact Paul Otto, Peter M Marta or Julian Flamant at Hogan Lovells by telephone (+1 202 637 5600) or email (email@example.com, firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.