With the majority of the world working remotely due to COVID-19, we are all trying to adjust and continue to be productive in these very uncertain times. When we are in the office, we take for granted the data security and privacy protections that are readily available. At home, there are certain risks involving data privacy that we should be aware of. This brief article identifies some of the data privacy issues to consider while working remotely for the foreseeable future, to ensure that when we transition back to office life, our data (and that of our customers, clients, patients, etc.) will be safe and protected.
When working from home, you connect to your home Wi-Fi network, and the risk of a data breach is generally higher there because there is less protection. A home network generally lacks the robust security built into the office’s network, which makes the home an easier target for things like malware and malicious attacks. If you are using an unsecured Wi-Fi connection, always refrain from using your login information, because your data can be intercepted by third parties; all of your data can be accessed in these circumstances while you are on the unsecured network. If the company has a virtual private network (VPN) option, it is a great idea to use it, because the VPN establishes a secure and encrypted connection. This will provide greater privacy and security protection than a secured Wi-Fi! It is therefore a good idea to follow company guidelines and, if possible, secure your home network (or use a VPN) and use commercially available antivirus software or firewalls.
While it may be easier and quicker to send that quick email on your personal device when you are working at the house, keep in mind that your personal laptop (as an example) likely has less security and backup software and is therefore riskier than your company-issued devices. Your personal device is much more likely to be infected with malware (without you even being aware), and accessing company data through your personal device can, therefore, infect the company’s data. Using a personal laptop at home could also potentially open up access to your personal data stored on your computer to your employer. Neither your employer nor you want that…
One simple way to safeguard data is to lock your computer when leaving your home workstation. This is a good practice even while in the office and should be followed regularly. Much of what we do nowadays can be done on your smartphone as well, so protecting your phone (and computer) with an appropriate password is highly recommended. It is likely that your company already requires you to change your passwords every 30, 60, or 90 days. Following this and using challenging passwords is really necessary, as hackers are becoming more and more capable (get in the practice of updating your phone’s password at the same time as your computer’s).
In addition to locking your devices down, another simple measure is to not leave your devices unattended. Leaving your laptop or smartphone unattended can create an opportunity for someone to access the device without your knowledge. If your device were to be taken or accessed, the device’s data could be downloaded or deleted (even if there is not a breach, losing data can be disastrous). Of course, if the devices are locked you may be in the clear, but keeping the devices in a secure location is a good idea as well.
Regardless of whether you have a secure network, backing up your data is critical these days. No one wants to have to recreate massive amounts of data due to a data loss. Loss of data may also be considered a data breach, and under the California Consumer Privacy Act (CCPA), your company may require access to the data in order to produce it in response to consumer requests. Given that working from home increases your vulnerability to security attacks, and given that computers can simply be damaged or fail, backing up data can really be a lifesaver if something were to go wrong. There are ample cloud-based backup options, and your company may already provide you with access. Consult your company’s IT group (if applicable) and discuss your backup options. You’ll be happy you did if you, unfortunately, have a data loss.
Finally, if you deal with personal health information (PHI), then the Health Insurance Portability and Accountability Act (HIPAA) applies and needs to be considered. The Department of Health and Human Services (HHS) regularly levies hefty penalties for the failure to properly manage remote workers’ access to and protection of PHI. There are many examples of penalties levied by the HHS, but one that comes to recent memory is a $750,000 settlement between Cancer Care Group and HHS due to a remote employee losing a laptop when the employee’s car was broken into (link: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cancer-care-group/index.html). Another example is a settlement between Lincare and HHS for $240,000, where a remote employee failed to safeguard PHI by exposing and abandoning the records (link: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html). All of the above suggestions will certainly help protect PHI, but employers should note which employees are remote workers and record the level of information to which these employees have access (with respect to PHI). If your company deals with PHI, it is good to have a robust data privacy and security policy and to train all staff who have access to the PHI.
Given that the majority of the world’s workforce is working remotely now, it is a great time to revisit our data privacy and security practices and procedures. Taking these steps will ensure the company is compliant with applicable data privacy laws (CCPA, GDPR, HIPAA, etc.) and help you (the employee) keep data safe and secure.
Should you or your company need help to secure your own or your employees’ home work environment, Klinedinst PC can help! Our team of data privacy professionals can help customize a data privacy solution and training for you. We will work with you to understand your business’s needs and prepare a holistic solution to include data privacy and security policies and procedures, disaster recovery policies, confidentiality agreements, and data privacy agreements, as well as policies for human resources such as a Bring Your Own Device (BYOD) policy.
About the Author
In his practice, Mr. Snyder represents clients in business transactions, M&A, and data privacy issues. He provides legal and compliance counsel to emerging startups and established companies in areas involving licensing, finance and investments, data privacy and security, corporate structuring, contracts, patent, trademark, copyright, and domain portfolios. He has built a reputation as an outside General Counsel, providing legal guidance on a wide range of issues. For questions about policies, documentation, or best practices for remote employees, contact Mr. Snyder at firstname.lastname@example.org.
This article is intended to be for informational purposes only. This information does not constitute legal advice. The law is constantly changing and the information may not be complete or correct depending on the date of the article and your particular legal problem. The use of information from this article does not create any type of attorney-client relationship.