Information Security Tips & Advice for Teleworking
We understand that a sudden transition to a remote-only environment may raise a number of security concerns for companies. Ensuring security when every employee is operating on different networks can present challenges, but there are a number of steps that companies can take to mitigate risk:
- Enforce use of VPNs and multifactor authentication. When feasible, businesses should require employees to connect to a VPN protected by two-factor authentication to access the company’s internal network. Ideally, all confidential information should be stored in databases behind the VPN so that it remains within the control of the company and the attack surface is reduced. To the extent confidential information is stored on SaaS or IaaS platforms, businesses should also require measures such as two-factor authentication, single sign-on, and/or IP whitelisting.
- Provide guidance to employees on secure configuration. Even when they are using a VPN – but especially where they’re not – remote connections can be an attack vector for compromise of company systems and information. Consider providing guidance to workers about how to bolster security on their home connections, such as by choosing strong passwords for their home WiFi network. Employees should be discouraged from using open public networks, such as those available at coffee shops or public spaces, to conduct company business unless they are connected to a trusted VPN. Employees also should be discouraged from using unauthorized cloud-based platforms, particularly for storing any confidential, proprietary or sensitive information.
- Conduct phishing tests and provide remedial training as needed. We have already seen reports of hackers exploiting COVID-19 fears by sending convincing phishing emails that purport to be from government agencies or health experts. Not only should companies send out reminders not to open attachments or click on links in suspicious emails, but they should also run internal tests to see if employees are heeding these warnings. Employees who click on links or enter sensitive information in response to these simulated phishing attacks should be provided with remedial security training. All employees should be given instructions on immediate steps to take in the event they are phished or otherwise compromised.
- Review and strengthen incident response plans. Unfortunately, even the most prepared companies can suffer security incidents. Therefore, companies should ensure that members of their incident response teams have reviewed their incident response plans and are aware of their responsibilities. If incident response plans rely heavily on in-person coordination, they should be augmented with remote response procedures, such as by designating secure remote communications channels. These remote procedures should be tested in advance, ideally by simulating an actual incident. Employees at large should also be made aware of channels for reporting incidents.
U.S. & International Privacy
Many of our clients have been asking about the privacy implications of COVID-19, whether changing their data collection, use, and sharing activities is permissible, and if so, what types of disclosures and consent mechanisms are required. For example:
- Do existing privacy disclosures need to be revised to cover new information collection, use, and sharing activities related to COVID-19? Should new ones be created?
- Do any of these new information processing activities require a more robust privacy risk mitigation strategy such as through the completion of privacy impact assessments or legitimate interest assessments?
- Can a company require customers to provide evidence of their COVID-19 status before issuing refunds on purchases that would have involved travel or events?
- How can companies in the services industry where employees have to go into homes (e.g., cable installers) or interact with customers on a regular basis (e.g., gig economy workers) ask for or use the health information of their customers before engaging in these ways? If such collection is allowed, how can this information be used and shared?
- Can companies require consumers entering their physical stores to provide information about their health status or require temperature checks? Who should be responsible for performing the health status checks?
- What information can companies collect from third-party sources about an individual’s general health status or COVID-19 risk?
- How can a company comply with data minimization requirements while still collecting enough personal information to respond appropriately to COVID-19?
- When a company determines that one of its employees has coronavirus, what level of detail can it provide to customers, business partners, and others who may have interacted with the employee?
- Under what circumstances can a company voluntarily share coronavirus exposure data, or other held data, with the government?
- How long can a company retain personal information collected in connection with coronavirus response?
Governmental Demands for Data
In an effort to identify, track and contain the spread of COVID-19, governmental entities may seek information from companies about their operations and users or customers. Of course, companies will want to cooperate to the extent possible to do their part to stem this global pandemic. Despite the clear public health emergency (the federal government, at least 39 states and countless local jurisdictions have declared a state of emergency), companies should be thoughtful in cooperating with requestors when the disclosure of information is sought. Some of the issues that companies should consider include:
- Who is making the request? Is it a law enforcement agency, a federal, state or local public health department or official, or some other health organization?
- What type of data is sought? Is it, for example, the company’s own business records or user data?
- How broad is the request? Is the requestor seeking basic contact information for a single person believed to be infected or is the request far-ranging, seeking detailed information of many users or customers across a long period of time to try to identify patterns of infection?
- Under what authority is the request being made? Many state and local jurisdictions give some public health departments and officers the ability to seek and obtain orders compelling the production of information, especially in a time of an outbreak of a communicable disease. In the past these have been sparingly used, but we expect to see more usage of this process in the weeks to come.
- Is the request for voluntary disclosure and if so, what restrictions might constrain your ability to produce information? For example, if the request is for user data and the Stored Communications Act applies to your business, can the emergency provision found in 18 U.S.C. Section 2702(c)(4) allow for the disclosure?
- If your cooperation or lack thereof were to become public, what type of reputational damage may occur, both from the perspective of assisting in the containment of this public health risk and of your customers’ and users’ privacy interests?
As we all by necessity change the way we work and the larger economic impact of COVID-19 takes shape, companies should be mindful of how these operational and economic changes might impact both their own contractual obligations and those of their counterparties. Some initial questions to consider include:
- What are the notice provisions under your contract and do you have a plan for communicating with your counterparty to ensure you exchange appropriate and timely updates regarding your respective abilities to perform contractual obligations?
- Does your contract contain representations, warranties, or other requirements that either you or your counterparty will not be able to meet, such as service level requirements?
- Does your contract require your counterparty’s employees to be able to access your facilities or vice-versa?
- Does your contract contain force majeure, frustration of purpose, or material adverse change provisions that might be triggered by the spread of and/or response to COVID-19?
- What can you do to mitigate potential risks that might arise under contracts that you currently are negotiating or that might be ripe for renewal or extension?
Product Counseling, Advertising, & Marketing Advice
With social distancing and customers spending more time indoors and online, there may be a push to increase advertising and promotions to drive revenue. Regulators (such as the FTC and state Attorneys General), who already monitor advertising statements for misrepresentations, will be particularly sensitive to approaches that they may think take advantage of an already vulnerable community. So, it is a good time to remind marketing teams and others internally about truth-in-advertising principles and other best practices. Below is a quick hit list of issues to consider:
- “Free” Products or Services. Use of “free” requires extra care to ensure that it is not misleading. Avoid overstating what is “free” – if conditions apply, then they should be disclosed clearly and in close proximity to the offer.
- Time-sensitive or exploding offers. Time-sensitive offers should not create a false impression of urgency. For example, time-limited offers (“Deal ends soon!”) should actually conclude.
- Promotions need to disclose material terms. Failure to adequately disclose terms for promotions, including termination or renewal processes, can create risk.
- Substantiation. Confirm, in particular, that claims about the effectiveness or value of your product are substantiated.
- Influencers and Endorsements. Individuals who have a “material connection” with the company and who may appear to be speaking independently must disclose that connection. Their comments also should reflect their actual experience with the product or service.
- Additional considerations for online markets and sales platforms. A number of online markets and sales platforms have implemented procedures and mechanisms to limit price gouging and facilitate reporting of it. This is a good time to review and assess your current practices.