Data protection and working from home
If, like us, staff in your business are working from home for the foreseeable future, your business is probably too busy dealing with immediate financial and resourcing concerns to be thinking much about data protection compliance right now.
Unfortunately, homeworking brings its own particular challenges for data protection compliance, such as cybersecurity risks associated with staff remote connecting and using their own devices and WiFi, geographically dispersed IT/information security/breach response teams, and isolated staff potentially being more vulnerable to phishing emails and similar attacks. Hackers and bad actors may also try to take advantage of these vulnerabilities and businesses’ stretched resources and capacity. It is also likely to be more difficult to respond to data subject requests in time and to carry out higher level data protection compliance work.
A recent ICO statement on data protection during the coronavirus pandemic gives some comfort, recognising that organisations are facing unprecedented challenges and will need to share information quickly and adapt the way they work over the coming weeks and months.
With regard to data subject requests and general compliance work, the ICO states that although it can’t extend the statutory timescales for data protection compliance, it understands that staff and expenditure may currently be diverted from usual compliance work and won’t penalise organisations that need to adapt their approach during this extraordinary period.
With regard to staff working from home, the ICO says that data protection law isn’t a barrier to homeworking, but that organisations will need to consider the same kinds of security measures for homeworking that they would use in normal circumstances – i.e. businesses need to ensure that information security and data protection compliance are not compromised as a result of the new arrangements.
Although business managers will obviously have a lot on their plates right now, information security should be considered a top priority and risk. Businesses should take steps to ensure that adequate security measures are in place whilst staff are working from home to avoid the damaging effects of a data breach and help maintain basic data protection compliance. Below are some suggestions of steps that both management and general staff can take:
- Set up/maintain secure Virtual Private Networks ("VPNs") connecting staff personal devices with the business’s servers. Alternatively, where your staff need to access IT business systems in the cloud, then consider allowing staff the ability to access directly, subject of course to proper credential verification measures.
- Ensure effective firewalls are in place.
- Ensure that secure verification, login processes and password requirements are in place (e.g. consider enhanced security measures such as two factor authentication, an absolute must for sensitive and/or confidential data).
- Decide whether to allow or prohibit staff use of third party video-conferencing/messaging/document sharing tools/features and whether this would change if the business’s email servers fail. Consider the need to carry out a privacy impact assessment, update your data protection records and check for international transfer issues.
- Review and update permissions for and monitoring of staff access to the business’s information and systems.
- Mandate and enforce minimum security requirements and processes for staff’s home WiFi networks (such as replacing factory-default passwords).
- Set up/maintain suitable data back-up processes.
- Implement/maintain data breach detection and alert software.
- Maintain regular resilience/penetration testing to identify any weaknesses in the business’s IT systems.
- Ensure that staff personal devices are patched and up to date with virus protections.
- Deploy sandboxing/compartmentalisation tools to avoiding staff accessing sensitive information on personal devices.
- Review existing data breach response plans and update as necessary to take account of the new working arrangements.
- Review existing relevant company policies such as Information Security, Acceptable Use, BYOD, Remote Working and Data Protection policies and update as necessary to take account of the new working arrangements.
- Ensure continued effective and secure communications between relevant management-level staff whilst homeworking arrangements remain in place, such as IT/information security/breach response teams.
- Communicate with staff in relation to these steps (see ‘Staff communications’ below).
The National Cyber Security Centre has published some useful guidance for businesses on homeworking during the coronavirus pandemic, which contains some useful practical suggestions. Businesses that do not have the necessary technical capability/resources to implement some of these steps may need to engage suitable IT services companies to assist (but stick to known and trusted providers in these circumstances to avoid companies attempting to cash-in on this situation without having the required skills or ability).
General staff security responsibilities:
- Public WiFi networks must not be used to connect to the business’s IT systems and access the business’s information, unless using a VPN, TOR or zero trust network.
- Only the staff member’s own secure, password protected WiFi network should be used to connect to the business’s IT systems and access the business’s information.
- Implement any minimum security requirements and processes for staff home WiFi networks mandated by management.
- Comply with all security-related instructions given by the business, including e.g. those regarding login processes and password requirements.
- Avoid printing documents where possible, particularly those containing confidential/sensitive/personal information.
- Dispose of any confidential/sensitive/personal information in paper form in a secure manner (e.g. shred or store in an appropriate secure location until it can be disposed of safely).
- Don’t leave documents lying around the house – put them somewhere secure and out of sight.
- If it is necessary to transport information/documents/devices between home and office, do so securely (e.g. using locked bags/cases, encrypted hardware).
- Avoid making confidential work calls in a shared space (e.g. video conferences in the proximity of flatmates/friends/family).
- Avoid using devices where the screen can be seen by flatmates/friends/family.
- Allow the IT team to access to their devices if necessary to ensure that they are patched and up-to-date with virus protections.
- Be vigilant regarding phishing emails and other email/phone-based scams (this training resource from the National Cyber Security Centre is quite useful on this point)
- Notify the business of any suspected/attempted phishing emails or other scams (using contact details and/or procedures communicated to them by the business).
- Turn off IoT devices like Alexa or Google Home when making a call.
- Report any security breaches they become aware of to the company (using contact details and/or procedures communicated to them by the business), including when they have fallen victim to phishing emails or other scams.
Staff communications – communicate with staff in order to:
- Bring to their attention the potential security risks associated with homeworking and asking them to be extra vigilant whilst homeworking.
- Provide details of steps staff can take as individuals to maintain security and protect information – this online training from the National Cyber Security Centre is quite a useful resource if your business doesn’t have its own similar training resources available.
- Explain any new/changed/enhanced security procedures that the business has implemented.
- Provide or link to relevant company policies – such as Information Security, Acceptable Use, BYOD, Remote Working and Data Protection Policies – and ask staff to remind themselves of their responsibilities under these. If you can highlight pertinent points for them, this would be more effective than relying on them trawling through lengthy documents. However, bear in mind that these policies may not be suitable or account for the changed working arrangements, so only do this if/where those policies are suitable.
- Notify staff of any steps they need to take individually in response to any weaknesses or breaches the business has become aware of (e.g. changing passwords, using new login procedures).
- Notify staff of any attempted phishing emails or similar scams that the business has become aware of and instruct them what steps they need to take to avoid them.
- Provide contact details for relevant staff, e.g. the CIO, CSO, DPO and IT Support Team and make it obvious whom staff should contact with particular questions and concerns.
- Provide clear directions about how staff should report any data breaches they become aware of, e.g. direct contact details for the DPO or a (secure) breach reporting portal.
Online staff security training:
Consider making online information security training available to staff. If your business doesn’t have the resources/capacity to produce and deliver this in-house, you could approach an online training company to tailor existing information security modules to your business’s policies and practices (but stick to known and trusted providers in these circumstances if possible).
These are challenging times for all of us, and information security is a key issue we all need to take seriously to help ensure that our businesses survive these unprecedented circumstances with our data, reputation and finances intact.