Data Privacy and Security in the Remote Work Era
Date: March 28, 2022
We are nearing the end of Q1 2022. Safety concerns relating to the original Covid-19 virus and variants have decreased relative to reported lower average daily infection rates and fewer hospitalizations. Senior executives and human resources professionals are now studying their organizations as they plan for the post-Covid-19 workplace. Indications are that a larger number of employees, who have jobs compatible with a remote work environment, will be working remotely on a full- or part-time basis than those who worked remotely prior to March 2020.
Employers have presumably improved upon their remote work data security processes and procedures since the early days of the pandemic. However, they may still have questions about the extent of their legal obligations to secure data and the best practices that can be used to meet those obligations. The remainder of this article will focus on those areas.
Security Standards - Employers’ Obligations.
There is no universally inclusive data security standard required by federal law[ii]. If an employer is not the type of organization covered by a specific federal standard, the employer must look to state standards.
There are a number of states which require organizations to take reasonable measures to protect against the unauthorized access to, and acquisition, use and disclosure of personal information. Maryland, for example, has adopted the reasonable measures standard. Maryland’s law says
“. . . a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures that are appropriate to the nature of the personal information owned or licensed and the nature of the business and its size and operations.”[iii] California, Delaware, the District of Columbia, New York and Virginia (effective January 1, 2023) are included among the states that apply the reasonable measures standard.
Most legislators and regulators use the reasonable measures standard because one size does not fit all, nor is it appropriate for all situations. The data security program implemented by, for example, a global financial institution does not need to be the same as that implemented by a local pizza shop. An organization has flexibility to implement a program that is risk-based and otherwise appropriate and tailored for its unique circumstances.
Massachusetts law gives more specific guidance on what is reasonable. Massachusetts regulations[iv] require each organization to which the regulation applies to maintain a written information security plan. The plan must describe the safeguards the organization uses to protect personal information. The safeguards must be appropriate to the size, scope and type of business, the organization’s available resources, the amount of data stored and the need for security and confidentiality, i.e., the sensitivity of the stored data. Activities that must be part of the security plan include, but are not limited to, appointing an employee who is responsible for administering the plan, conducting risk assessments and reviewing the safeguards annually.
For an employer trying to determine what is reasonable, the author suggests that it review Massachusetts law and perhaps adopt its standards. Regulators would likely look favorably on the argument that an organization modeled its security plan on an actual state law even if the employer is not subject to that state’s law. Similarly, a potential adverse party would have a difficult hurdle to overcome in arguing that the employer did not act reasonably.
Controls an Employer Can Implement.
Employers must evaluate and re-evaluate their data security programs to account for larger numbers of full-time or part-time remote workers. The following are some of the physical, administrative and technical safeguards which can be used as a part of an employer’s reasonable security measures[v]:
1. Require employees to use complex passwords of at least 8 characters with a combination of upper and lowercase letters, numbers and symbols. Establish a standard to change passwords at least every 90 days. Use best practices for password management.
2. Make multi-factor authentication mandatory. A second log-in credential greatly decreases the ability of threat actors to infiltrate an employee’s account.
3. Keep all software updated with the latest patches and security configurations.
4. Raise employee awareness of threats such as phishing, spear phishing and ‘deep fakes’ via periodic messaging and mandatory training.
5. Issue corporate-owned devices to employees. The devices are generally more secure and likely to utilize methods such as encryption to secure data in transit and at rest.
6. Establish a written incident response plan. Assemble an incident response team, including an IT forensics resource, which is available at the ready to carry out the plan in the event of a data incident. Test the plan periodically via a table top exercise.
7. Remind employees to not share a company-owned device with a family member. Children, in particular, are susceptible to downloading malware.
8. Procure and renew cyber insurance. Be certain it covers incidents caused by remote workers.
9. Train employees to be wary of working in public spaces using public WiFi and hot spots.
10. Remind employees to observe the ‘clean desk’ concept even if at home. Persons other than family can be present in a home.
11. Documents containing sensitive information that are printed away from the office should be returned to the office for shredding or via disposal by other secure methods.
Conclusion.
A written information security plan should include physical, administrative and technical safeguards appropriate to the business. It must cover all employees, whether working at a physical office location or at a remote location. Remote work is likely to continue as we are seemingly emerging from the worst of the Covid-19 pandemic. In fact, it is likely that a larger number of employees will be working remotely, whether full-time or part of the time, relative to pre-pandemic numbers. Employers need to use reasonable measures to secure the data they handle, and to give particular attention to the challenges posed by more employees working remotely.
[i] ‘Remote’ incudes work at home. Home can be geographically close to the employee’s office location or many miles away. Home can be a second home or a vacation destination. It can be anywhere with an internet connection.
[ii] There are federal laws that set out security standards. Their application is limited to certain types of businesses. For example, the Security Rule adopted under HIPAA sets out security standards for safeguarding electronic protected health information. However, with limited exception, it applies only to healthcare providers, healthcare clearing houses and healthcare insurers. The Federal Trade Commission adopted the Safeguards Rule to protect consumer information. The rule applies only to certain financial institutions.
[iii] MD Code, Comm’l Law § 14-3503(a).
[iv] 201 Mass. Code Regs. 17.01 – 17.05.
[v] These are not listed in order of importance. All are effective.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.