Most companies that can do so have sent their employees home to work, which means that many employees have brought their home to work. Businesses have transitioned from maintaining a centralized workplace with a standardized data security protocol managed by knowledgeable IT personnel to a decentralized system of home offices with uneven or unenforced data security policies, largely managed by end users with minimal or no technological expertise.
Consequently, companies have been forced to introduce into their systems the very vulnerabilities that they normally spend substantial time and money trying to eliminate. These vulnerabilities present a compliance issue for companies legally required to keep certain information confidential, such as health providers, law firms, or defense contractors, and for those otherwise subject to regulatory oversight. A confidentiality breach therefore presents a legal risk as well as a business risk, so companies must squarely address the data security implications of a home-based workforce.
For example, “phishing” schemes have increased in the age of COVID-19, as employees working from home lapse on the data security habits drilled in at the office and are cut off from the colleagues and IT staff who would otherwise notice a suspicious message. One scheme sends employees a fake company email directing them to read the company’s “Communicable Disease Management Policy” by clicking a link that downloads malicious software. Other scams purport to offer readers “COVID-19 relief” or infection prevention information. The common thread is a message that trades on urgency and an apparently internal sender to get the reader to click before checking where the link actually goes. Accordingly, companies should now take the time to refresh their employees’ data security training, tailored to a home office environment.
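The fake-policy e-mail described above is a good test case for a mechanical link check of the kind a mail gateway or a cautious employee can apply before clicking. The following script is an added example, not code from the original post: it extracts every link from an HTML e-mail body and flags any that points outside the company's own domain (assumed here to be the hypothetical example-corp.com), that fetches an executable or macro-bearing file, or whose visible text names a different host than the real destination. The sample e-mail is constructed for illustration.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not code from the original post. COMPANY_DOMAIN is a
hypothetical placeholder; SAMPLE_EMAIL below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"  # hypothetical: the company's own domain

# Executable or macro-bearing file types a "policy document" link should never fetch.
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip", ".iso", ".docm", ".xlsm")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (crude; production code should use a
    public-suffix list so that e.g. 'example.co.uk' is handled correctly)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname named by a URL-looking string, or '' if the text is not one."""
    if "://" not in text and not text.lower().startswith("www."):
        return ""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return parsed.hostname or ""


def check_links(html, company_domain=COMPANY_DOMAIN):
    """Return [(href, [reasons])] for each link that looks suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append(f"unusual scheme {url.scheme!r}")
        if not host:
            reasons.append("link has no host")
        elif registrable(host) != company_domain:
            reasons.append(f"link leaves the company domain: {host}")
        shown = host_of(text)
        if shown and host and registrable(shown) != registrable(host):
            reasons.append(f"visible text says {shown} but the link goes to {host}")
        if url.path.lower().endswith(RISKY_SUFFIXES):
            reasons.append(f"link fetches a file of type {url.path.rsplit('.', 1)[-1]}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: the "read the policy" lure from the article, a
# legitimate intranet link, and a link whose text and destination disagree.
SAMPLE_EMAIL = """
<p>All staff must read the new
<a href="http://example-corp-hr.net/policy/CDMP.exe">Communicable Disease Management Policy</a>
before the end of the day.</p>
<p>HR resources remain at <a href="https://intranet.example-corp.com/hr">intranet.example-corp.com/hr</a>.</p>
<p>Claim COVID-19 relief at <a href="https://covid-relief-claims.biz/">https://portal.example-corp.com/relief</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run on the sample, the check reports the "policy" link twice over (off-domain host and an .exe download) and the "relief" link for both leaving the domain and showing a different host than it visits, while the genuine intranet link passes. The registrable-domain comparison is deliberately crude; a real deployment should use a public-suffix list and an allow-list of the company's legitimate external vendors.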
Also, many employees have smart speakers such as the Amazon Echo or Google Home in their home office. Although these speakers ostensibly begin recording only when they hear a specific “wake word,” they are, by design, always listening: the microphone stays on so the device can detect the wake word, and whatever is said after a real or misheard wake word is sent to the vendor’s cloud and stored with the account. This “always on” feature has privacy implications, memorably illustrated in 2018 when an Echo device recorded a couple’s conversation and sent it to a person in their contacts list. Therefore, an employee having a confidential business conversation in earshot of a smart speaker risks accidentally triggering the device’s recording feature, with the loss of privacy that entails.
Employees’ Wi-Fi systems present another data security challenge. Many employees operate home wireless networks that still use the obsolete WEP or original WPA encryption, or that remain on factory-default settings, including the default administrator password for the router’s management page. Additionally, employees may be using a weak Wi-Fi password (“Password” or “1234”), or no password at all. For employees who handle confidential information, businesses should take measures to increase the security available to them at home.
Companies can do a few things to protect their employees and their confidential information in the age of COVID-19:
- Companies should enable (if not outright require) their employees to work over a company VPN. Alternatively, companies can encourage their employees to obtain their own VPN, through cost reimbursement or otherwise, with the caveat that a personal VPN service only encrypts traffic between the home network and the VPN provider (so trust shifts to that provider) and does not give access to internal company systems the way a company VPN does.
- Companies should encourage employees to obtain a Wi-Fi system with “WPA2” or “WPA3” security, protected by a long passphrase of its own. No work-related data traffic should be conducted over unsecured wireless. If an employee lacks a modern router, he or she should use an Ethernet cable to connect directly to the router, which bypasses the wireless link altogether. In a pinch, an employee can use a mobile phone to generate a hotspot, which should itself be set to WPA2 with a strong password.
- Companies should encourage employees to make sure their passwords are long, hard to guess, and not reused from personal accounts, and should continue enforcing their existing password-expiration and complexity policies. (Current NIST guidance, SP 800-63B, favors length and screening against known-breached passwords over forced expiration and composition rules, so those policies are worth revisiting.) Where the VPN, e-mail, or other remote-access systems support multi-factor authentication, it should be turned on; a phished password is far less useful to an attacker when a second factor is required.
- Employees with access to confidential information should work in a room without smart speakers. At the very least, the smart speakers should be unplugged during confidential conversations. Bluetooth speakers and headsets with built-in microphones should be turned off when not in use.
- Employees using mobile devices to access confidential information should enable the PIN, fingerprint, or face-recognition lock, with a short auto-lock timeout, to prevent unauthorized users from accessing the device. Again, any PIN or password should be hard to guess.
- Companies should remind their employees to keep their computers, mobile devices, and home routers patched and updated. Most operating systems and devices provide an option to check for and install updates automatically, which is a good idea from a data security standpoint.
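The Wi-Fi recommendation above is only actionable if an employee can tell which security mode the home network is actually using. The following script is an added example, not code from the original post: on a Linux machine running NetworkManager it parses the terse output of `nmcli -t -f IN-USE,SSID,SECURITY dev wifi` and grades each visible network (open, WEP, WPA1-only, WPA2 mixed mode, WPA2, WPA3), flagging the one currently in use. The nmcli sample is constructed so the code also runs offline; on macOS and Windows the same information is shown in the Wi-Fi settings dialog.

```python
"""Audit the security mode of nearby Wi-Fi networks as reported by NetworkManager.

Added example, not from the original post. It parses the terse output of
`nmcli -t -f IN-USE,SSID,SECURITY dev wifi` (Linux NetworkManager). SAMPLE_NMCLI
is constructed so the script also runs offline.
"""
import re
import subprocess

# Constructed sample of `nmcli -t -f IN-USE,SSID,SECURITY dev wifi` output.
# '*' marks the connected network; ':' inside an SSID is escaped as '\:'.
SAMPLE_NMCLI = """\
*:HomeNet:WPA2
 :NETGEAR42:WPA1 WPA2
 :Guest Cafe:
 :OldRouter:WEP
 :Office\\:5G:WPA2 WPA3
"""


def parse_terse(text):
    """Split nmcli -t lines on unescaped ':' and unescape '\\:' in SSIDs."""
    rows = []
    for line in text.splitlines():
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) < 2:
            continue  # blank or malformed line
        security = fields[2] if len(fields) > 2 else ""
        rows.append({"in_use": fields[0].strip() == "*",
                     "ssid": fields[1],
                     "security": security.strip()})
    return rows


def assess(security):
    """Return (ok, reason) for one nmcli SECURITY value such as 'WPA1 WPA2'."""
    modes = set(security.replace("--", "").split())
    if not modes:
        return False, "open network: no encryption at all"
    if "WEP" in modes:
        return False, "WEP is broken and can be cracked in minutes"
    if "WPA3" in modes:
        return True, "WPA3" + (" (mixed mode with WPA2)" if "WPA2" in modes else "")
    if "WPA2" in modes:
        if "WPA1" in modes:
            return True, "WPA2, but WPA1/TKIP still allowed; disable it on the router if you can"
        return True, "WPA2"
    return False, f"only {' '.join(sorted(modes))}: WPA1/TKIP is deprecated"


def audit(text):
    """Return [(ssid, in_use, ok, reason)] for every network in the nmcli output."""
    return [(r["ssid"], r["in_use"]) + assess(r["security"]) for r in parse_terse(text)]


def current_network_ok(text):
    """True/False for the connected network, or None when not connected."""
    for _ssid, in_use, ok, _reason in audit(text):
        if in_use:
            return ok
    return None


if __name__ == "__main__":
    try:
        out = subprocess.run(["nmcli", "-t", "-f", "IN-USE,SSID,SECURITY", "dev", "wifi"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_NMCLI  # nmcli unavailable: fall back to the constructed sample
    for ssid, in_use, ok, reason in audit(out):
        print(f"{'*' if in_use else ' '} {'OK  ' if ok else 'WEAK'} {ssid!r}: {reason}")
```

Mixed WPA1/WPA2 mode is graded as acceptable but flagged, because a router in that mode still accepts the deprecated TKIP cipher for older clients; the fix is on the router's admin page (which is also where the factory-default administrator password should be changed).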
Part 1 of this series, which focused on Zoom videoconferencing and its data security implications, can be found here.
For more information regarding this article, please contact Sean Griffin.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.