Covid-19 made it impossible to properly select alternative communication platforms, as from one week to the next companies were forced to work from home. This resulted in a variety of platforms suddenly being used without being properly set up, which has presented organizations with a multitude of privacy and cyber risks. This article aims to highlight some of the challenges GCs face in their rush to address these (compliance) risks.
Scoping
In order to scope your legal and compliance project on remote working, you will first need to assess which solutions are being used by your employees.
Private devices such as phones, laptops or home desktop computers will likely have been used. Depending on your policies on company-owned devices, new applications may also have been installed on those. Only when the scoping exercise is complete will you be able to assess the risks created by the use of these platforms and devices over the past few months.
Once your overview of the solutions that have been used is as complete as it can be, you will need to delve into:
(i) the user terms of all those platforms;
(ii) the actual use made of them;
(iii) the security level and data flows of each solution;
(iv) the retention of information (on devices and in the cloud) enabled by that solution.
However, not all risks and challenges can be found by simply reading the license terms and conditions of those solutions and delving into their technical workings. Another aspect to consider lies within the domain of the employee.
Cyber risk & storage
Many employees will have been using poorly secured private networks: for example, many privately owned routers are rarely or never updated, private devices may have been used, or devices may have been shared within the household.
Apart from this, it is often overlooked that network printers have hard drives that keep copies of the documents printed. Many companies have office procedures under which such hard drives are wiped regularly, but it is unlikely anyone has done this for their home situation. This means that any printing done through the home network has created risks. Firstly, the printer has stored a copy of the employer’s confidential information; secondly, the home network itself could have been hacked; and lastly, there are probably highly confidential print-outs lying around employees’ homes.
Furthermore, how do you know what personal data was collected and shared in the home working situation, possibly even on private devices? If non-company solutions have been used, how will you be able to verify retention and deletion or, for example, fulfil a Data Subject Access Request (DSAR)? Have you created a legal basis to access personal devices and apps that were used for company purposes?
Commercial & Trade Secret protection
The above not only relates to cyber security and the GDPR, but also to confidentiality in a commercial sense, as many companies rely on trade secret protection in line with the Trade Secrets Directive. However, one can only successfully call upon trade secret protection if one has put proper confidentiality and security safeguards in place to protect that information in the first place. So how does the unauthorized use of communication platforms measure up to those standards? Will their use mean that your organization has lost the possibility to call upon trade secret protection? It goes even further if one considers the confidentiality obligations in most commercial contracts. In a vendor-customer setting, confidentiality is often agreed upon, setting high standards for the means of communication and the storage of information. Have those agreements been breached by the uncontrolled rush of your employees to unauthorized communication platforms?
Confronted with such an alleged breach, will you be comfortable enough to just call upon force majeure protection? It might be wise to open up conversations with your customers and agree upon amendments of the confidentiality aspects of your agreements, based on the working from home situation. We have meanwhile drafted a specific template for this.
Based upon the above, we would emphasize that when starting your repair quest, you will (at least) need to address the following issues and challenges:
- Cyber security policy for home networks: what will your standard be, will you help employees to meet it, and will you audit this?
- A strict policy to use only company devices (whether on the employee’s private network or via 4G or 5G connectivity you provide), or amendment of your Bring-Your-Own-Device (‘BYOD’) policies;
- Will you start using endpoint monitoring and detection on these devices?
- Review and amend your fair processing notices and your internal privacy policies;
- Implement specific guidelines on the use of solutions and on the storage of both confidential information and any information relating to personal data;
- Printing from home, archiving and retention: or can you disable printing from a home network connected to your company network?