By Corporate Law Practice Group
Just as we are adapting our daily lives, cyber-criminals have adapted their nefarious activities to capitalize on people’s fears and potential system weaknesses during COVID-19. Hackers are targeting connection vulnerabilities and sending phishing emails with COVID-19-related subject lines or pretending to be a boss/coworker using a personal account. They have also been sending malware with fake COVID-19 tracker maps, WHO, or CDC information and making social media posts or comments with pleas related to COVID-19.
Reasons systems and data could be particularly vulnerable during COVID-19 include:
- Human error;
- Unvetted personal devices;
- Devices behind in patches or updates;
- Public Wi-Fi networks; and
- Lack of remote work ‘protocol’ or training.
As a result, now more than ever you need to review your company’s data and privacy policies and ensure your workforce can successfully work from home. To illustrate just how important this is, consider Privacy Rights Clearinghouse’s statistic that 11,613,547,443 records have been breached since 2005.
Recent research conducted by “threatpost,” a leading authority on information security, indicates that one-fifth of survey respondents said they are struggling with the process of ensuring proper security measures during COVID-19 and remote work availability. Forty percent of these companies reported seeing an increase in cyberattacks as they enable remote working at this time.
Phishing or social-engineering efforts are the primary threat, making up roughly one-fourth of all attacks, many of which revolve around COVID-19 fears. Even the U.S. Health and Human Services Department was reportedly hit by a cyberattack recently as security incidents related to COVID-19 ramp up. While there were no network penetrations in this case, a foreign state is suspected.
Recently the National Security Council tweeted about “fake text messages” from hackers posing as government entities. On the other side of the world, Pakistani-linked actor APT36 has been seen using a decoy health advisory related to COVID-19 to spread the “Crimson RAT” malware in India.
Data Security Reminders
All businesses have two basic data security legal obligations. The first is a duty to protect data. The second is a duty to disclose a data breach. You must provide “reasonable” or “appropriate” security for systems, media, and data in order to prevent breaches, detect breaches, and respond to a breach. This also applies when the workforce shifts to a work-from-home approach.
You should ensure your layered approach to data protection is utilized remotely, not just in the office. This approach starts at the core with data security, then proceeds to outer layers of application security, endpoint security, network security, and finally, perimeter security. While a layered approach may be more difficult or seem daunting with the high number of remote workers, a clear plan can help alleviate this stress.
Work with your IT team to analyze your company’s current practices and the type of protection available for remote workers. This means prioritizing your workforce and ensuring those with the most access to data are protected first. Determine the essential applications your employees need access to for working remotely. See if there is data that cannot leave the office and how it will be managed. Determine how access to company data and systems will be secured or available to employees, e.g., personal versus company equipment, cloud platforms, portals like CITRIX, and multifactor authentication.
Consider your built-in remote options. For instance, if your company utilizes Microsoft Office365, it can be used to store files as it is known to be a secure platform and includes chat and conference features. Speak with your HR team or an attorney about developing a policy and/or contract stating that employees are not permitted to download sensitive or proprietary documents or data to their personal devices.
Privacy Reminders
While employers seek to address and limit virus infection rates by requiring or encouraging employees to work from home, privacy protections are still applicable. These include regulations employers are very familiar with like the ADA, state medical confidentiality laws, HIPAA, and possible tort concerns. However, the EEOC published guidance regarding workplace behaviors during COVID-19.
While ADA and Rehabilitation Act rules continue to apply, they do not interfere with or prevent employers from following CDC or state/local public health authorities’ guidelines and suggestions regarding COVID-19. The following are practices that you may utilize during an international pandemic such as COVID-19.
During a pandemic, ADA-covered employers may:
- Ask employees who call in sick if they are experiencing flu-like symptoms. In the case of COVID-19, currently known common symptoms include fever, dry cough, fatigue, and shortness of breath.
- Monitor employees’ body temperature. As the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued precautions, you may measure employees’ body temperature. Please remember that not all people with COVID-19 have a fever.
- Require employees who become ill with COVID-19 symptoms to leave the workplace and stay at home as outlined by the CDC.
- Require a doctor’s note certifying fitness for duty upon an employee’s return to work. However, this may not be practically possible as health care professionals become increasingly busy during the outbreak.
- Screen applicants for symptoms of COVID-19 after making a conditional job offer, so long as this is done for all entering employees in the same job type. This applies whether or not the applicant has a disability.
- Take the temperature of an applicant as part of a conditional offer’s post-offer, pre-employment medical exam. Again, remember that not all people with COVID-19 have a fever.
- Delay the start date of an applicant with COVID-19 or affiliated symptoms, as the CDC states such individuals should not be in the workplace.
- Withdraw a job offer if they need the applicant to start immediately but the applicant has COVID-19 or its affiliated symptoms, as they cannot safely enter the workplace based on current CDC guidance.
Because guidance for public health authorities is likely to change rapidly as the COVID-19 pandemic evolves, continue to update your practices accordingly. Of course, continued privacy compliance is important even during troubling health and safety times such as COVID-19, and any records of illnesses must be treated as a confidential medical record.
Following these privacy requirements provides many benefits for employers and helps prevent future exposure to possible discrimination or harassment claims. For example, protecting employee confidentiality encourages further self-reporting, and communicating with your employees maintains trust and promotes health and safety.
Some Do’s and Don’ts to Navigate Work from Home and COVID-19
Do:
- Make sure all teams assist in prioritizing staff for remote access.
- Establish work from home policies, whether that’s work hours, breaks, timekeeping, or set-up issues.
- Encourage employees to work in an area of their home where others have limited access to viewing company information.
- Limit at-home or local printing. Ensure a shredder is available or a policy is established as needed.
- Do what you can to ensure employees cannot download sensitive, proprietary documents or data onto personal devices.
- Over-communicate with employees about security risks and expectations.
- Ensure all devices, access portals, and licenses are patched, updated, and secure.
Don’t:
- Allow personal devices directly onto your network unless means are in place to protect information.
- Forget security is just as important, if not more so, when employees work from home.
- Assume leadership, HR, and IT understand each other’s needs and are on the same page.
Should you have any questions or require legal assistance with these cybersecurity and privacy issues, please do not hesitate to contact our office to schedule an appointment to speak with one of our attorneys.
Posted by Attorney Hannah E. Mudd. Mudd is a member of Danna McKitrick’s transaction team. As a member of the team she advises clients on a variety of corporate and business transactions including entrepreneurial, real estate, banking, employment, and corporate formation and governance matters.
03/25/20 8:00 AM