By John M. Benjamin and Edward Pickard of Duane Morris LLP
[Reprinted by permission of the authors]
The coronavirus pandemic has had a severe impact on businesses right across the globe, and with a third of the world now in lockdown, thousands of businesses have moved most of their workforce to remote working. Although working from home allows a business to continue operating, it brings significant security risks, increasing the need to maintain compliance with relevant data security requirements.
Maintaining the security of company data is the responsibility of both the employer and employee, and continuing to maintain appropriate security measures is critical at this time. Below are some key points for employees and businesses to keep data secure when working remotely.
- Secure Servers. Secure servers should be used when working remotely. In doing so, data can be accessed, altered, disclosed or deleted only by those with authority to do so. In particular, document management systems should be used so that documents received and/or edited can be saved to a company’s secure systems.
Documents should not be saved locally unless company approved security measures are in place.
- Devices. Where possible, company-provided IT equipment should be used from home in order to protect and secure company data. The use of personal laptops and tablets creates greater risk as to the security of the company’s data, particularly if other family members or others use those devices.
Employees should take particular care that they sign in and out of secure servers correctly and ensure that other users are unable to access company data when using personal devices.
- Screen Positioning. Leaving your device in plain view, where neighbors, passers-by, family members or others can see it, risks the security of the data on your screen. Employees should be aware of where they are working and ensure that only they can see their screen, including avoiding clear sight through windows, or communal areas of their homes where others may also be working. Employees should be encouraged to purchase privacy filters for their screens.
- Personal Email Accounts. When secure servers, printers or company mailboxes are not operating properly, employees might be tempted to forward emails and documents to their personal mailbox so they can access documents and data. Personal email accounts should not be used to view and review documents and emails as this severely risks the security of the data and is also likely to be against company policy.
- Printing. Printing documents when working from home can risk confidential information or personal data becoming inadvertently disclosed to parties who should not see it or simply picked up by outside parties through the documents being disposed of in the regular waste.
In order to maintain the security of data, it is important that employees only print documents when essential to do so. If printing, particular care should be taken to keep documents safe and secure until disposed of correctly.
- Disposing of documents. Many offices will have clear procedures around disposing of documents that contain confidential information, whether that be a shredder or confidential bins. Many employees will not have the same ability to deal with their documents in the same way, nor will they have access to locked cabinets. Consider whether the ability to install printers should be controlled by the company’s IT department. Consider also deploying software to track the volume of printing of company documents by a user; there will, however, be employee monitoring issues to be considered here.
In the same regard as our tips in relation to printing, you should take particular care that any confidential information, or documents containing personal data, are disposed of correctly. If an individual does not have access to a shredder, then documents should be held securely until such time as they can be disposed of correctly.
- Texting. Employees should be careful to avoid texting colleagues to discuss work of a confidential nature involving personal data that they would usually discuss in person. Employees’ mobile devices are unlikely to be as secure as company email or secure internal chat rooms, which should be used instead. Companies should consider controlling employees’ use of personal messaging and video conferencing solutions that have not been approved by the company’s IT department, as such solutions may not meet the information security standards required by the company.
- Training. As a final point, encourage employees to use this period to remind themselves of the need to protect personal information, security obligations and relevant company policies. If necessary, they should be encouraged to take online privacy and security training.
Ensuring Employee Compliance and Data Security
- Secure Information Management. Regular and continuous management of your IT security systems. With employees accessing systems remotely, it is vitally important that businesses continually monitor, maintain and reinforce information security programs in order to protect the data held.
- Restrictions on Usage. Restricting how employees can use certain documents that contain large amounts of personal data or particularly sensitive data when working remotely. For example, restricting the ability to print or tracking the printing of documents (see above), or limiting documents to read-only mode.
- Remote Access Policy. A remote access policy can clearly outline employees’ requirements and responsibilities, and the security standards required when accessing the company’s servers and data remotely.
- Own Device Policy. A policy setting out what is expected of your employees when they are using their own devices and the standards they need to maintain with their devices if using them for work.
- Online Awareness Training. Now might be the right time to ask employees to take online training refreshers in order to promote and maintain data protection compliance, particularly when working from home for extended periods.
Source: https://blogs.duanemorris.com/techlaw/2020/03/26/top-tips-keeping-data-safe-when-working-remotely/#page=1; also appeared at www.lexology.com on 3/31/20.
[Reprinted by permission of the authors, John M. Benjamin and Edward Pickard and Duane Morris]
About the authors
John M. Benjamin is a partner with Duane Morris in London. He serves as a team lead for the Duane Morris Technology, Media and Telecom industry group. Mr. Benjamin focuses his practice on intellectual property, technology and privacy law, dealing with both transactional matters and litigation. His client base includes leading global financial institutions and pharmaceutical companies, as well as social media, consumer electronics, and FTSE 100 and Fortune 500 companies. Mr. Benjamin has extensive experience in data protection and freedom of information matters, including the General Data Protection Regulation (GDPR). He advises companies on claims following data breaches and on complex cross-border issues dealing with exporting personal data in connection with regulatory investigations. Mr. Benjamin has represented clients on privacy matters in front of the Information Tribunal and the High Court. He has managed cross-border litigation for clients in a number of jurisdictions globally. Mr. Benjamin earned an LL.B. (Hons) in Law and an LL.M. in IP Law from Queen Mary and Westfield College. Learn more about Mr. Benjamin: https://www.duanemorris.com/attorneys/johnbenjamin.html
Edward Pickard is an associate with Duane Morris in London. He practices in the area of litigation. Mr. Pickard holds an M.Sc. in Law and Business as well as a graduate diploma in law from the University of Law, Birmingham, and a B.A. (Hons) from the University of Nottingham. Learn more about Mr. Pickard: https://www.duanemorris.com/attorneys/edwardpickard.html
London Offices of Duane Morris, Citypoint, 16th Floor, One Ropemaker Street, London, UK EC2Y 9AW; https://www.duanemorris.com