Ensuring Data Security and Privacy During Coronavirus/COVID-19

As more and more businesses send their employees home to self-quarantine and work remotely as part of their COVID-19 mitigation measures, it is important to remember that working remotely carries unique data privacy and security concerns of which everyone should be aware. The following are a few tips for employers and employees during these times:

Security of VPN/Remote Connections

As employees shift to logging into VPN and other remote connections, IT professionals should be assessing their resources to ensure both (a) adequate capacity and (b) proper security of these connections. According to an OpenVPN study conducted in 2019, 24% of companies had not updated their remote work security policy in over a year, and 44% said their IT department did not lead the remote work security policy plan. Questions employers should be asking include:

  • What’s the maximum number of users who need remote access?
  • How does this translate into additional bandwidth needed?
  • How soon will we need additional bandwidth and how quickly can it be provided?
  • What technologies can we use to boost bandwidth cost-effectively?
  • How quickly can we obtain additional licenses and other resources to support the demand?
  • How much will additional bandwidth and network components cost?
  • How will we handle cybersecurity threats?
  • How do we secure and protect the increased amount of data traffic?
  • How quickly and cost-effectively can we scale back resources once the demand for remote access has subsided to normal levels?
  • What resources are available from local access carriers, WAN carriers and Internet services providers (ISPs)?

 

When choosing a VPN, consider whether it allows for multi-factor authentication, provides access control, and provides endpoint security (i.e., securing the various endpoints that connect to a network such as mobile devices, laptops, and desktops), as these issues will be critical to both availability and security of remote connections.

 

Keep a proper balance between employee/customer health and privacy rights. 

Collecting and sharing information is necessary, but must be done with employees’ privacy in mind. Many businesses are curious to know what they can ask employees without violating any privacy laws.

  • For example, can businesses take temperatures at work? This is typically considered a medical exam and normally would be prohibited under the Americans with Disabilities Act (ADA). However, according to new guidance issued by the Equal Employment Opportunity Commission (EEOC) on March 18, 2020, employers may measure employees’ body temperatures in light of CDC and local health authorities’ precautions.
  • The new EEOC Guidance also states that if an employee calls in sick, the employee’s employer may ask if the employee is experiencing symptoms of the pandemic virus, which for COVID-19 include symptoms such as fever, chills, cough, shortness of breath, or sore throat.
    • The employer may also ask other employees if they too have “the same symptoms” and encourage them to report that they may be at high risk for COVID-19. The CDC states that employees who fall ill with flu-like symptoms during a pandemic should leave the workplace, and so this information is necessary to comply with that guidance.
  • Both temperature readings and information an employee provides about symptoms should be considered confidential medical information.  The employer should maintain all such information about employee illness as a confidential medical record in compliance with the ADA.
    • The EEOC has directed employers to review the EEOC publication entitled Pandemic Preparedness in the Workplace and the Americans With Disabilities Act.
    • Educational institutions should also be cautious about how they handle the health concerns and privacy rights of students under the Family Educational Rights and Privacy Act (FERPA). FERPA prohibits an educational agency or institution from disclosing personally identifiable information (PII) from a student’s education record without the prior written consent of a parent or non-minor student unless an exception applies. One exception is the “health or safety emergency,” which allows disclosure in an emergency to public health agencies, medical personnel, law enforcement officials or even parents if such disclosure is necessary to protect the health and safety of other students or individuals. There must be an actual emergency, not a future or unknown one. In areas where COVID-19 has been declared a public health emergency, this exception would arguably be met. However, the Department of Education notes that public health departments typically can have education records disclosed under this exception even in the absence of a formally declared health emergency. For more, see the U.S. Department of Education’s Frequently Asked Questions regarding student privacy and COVID-19.

 

Consider security and confidentiality of client data.

For employees who are attorneys, healthcare workers, accountants, government contractors, and some consultants, consider how you plan to keep client information appropriately confidential and proprietary, and in compliance with any applicable privacy laws, while working in a home environment. This is especially important if you are part of a dual income family where both spouses are working from home. Consider the following:

  • Find out if your organization has rules or policies for telework; if so, make sure you read and comply with them. For example, they may allow you to use your own computer for reading company email, but not for accessing or storing sensitive customer data.
  • If you use Wi-Fi at home, make sure your network is set up securely. Look to see if it is using “WPA2” or “WPA3” security and make sure your password is hard to guess.
  • If working from a home computer or mobile device, make sure it is patched and updated.
  • Do you and your spouse share a computer? If so, do you have separate login profiles where electronic data can be segregated, or do you share the same drives, servers, and folders?
  • Can you store client data separately on the cloud instead of locally on the hard drive?
  • Where do you keep physical files? Do you have a file cabinet at home? If not, can you designate a separate workspace?
  • How can you ensure privacy during phone calls and teleconferences? As you engage in client phone calls and teleconferences / videoconferences, can you isolate yourself within the house to a separate room? Can you be aware of the information you disclose verbally so as to effectively communicate without necessarily revealing identities or other confidential information (e.g., say “the client/patient” instead of “John Smith”)?

 

Continue to be vigilant and educate employees regarding phishing and other social engineering attempts.

  • As always, there will continue to be bad actors who wish to capitalize on a national tragedy or vulnerability. Already, the Department of Health and Human Services experienced a cyber attack intended to slow its coronavirus response.
  • It is entirely expected that a new onslaught of phishing attempts will flood inboxes related to the coronavirus pandemic – pretending to offer information, provide education or services, or solicit donations. With increased information exchange taking place over the phone or through email, you can also expect to see more “spearphishing” attempts where an employee receives an email from a sender purporting to be another employee within the organization (up to and including executive management) requesting the recipient to click on a link, open an attachment, or process or wire funds.
  • It is therefore important that employees – particularly those unaccustomed to working remotely or via email – be on the lookout for social engineering attempts such as phishing emails or phone scams related to telework. Be wary of emails from unknown accounts with strange file attachments, any calls from people claiming to be technical staff asking for passwords or requesting that you allow them to ‘scan’ your computer, or unusual web meeting requests—don’t hesitate to ask questions and verify things by phone or other means before proceeding. Employers should consider updating firm directories or creating phone trees that would allow an employee to pick up the phone and verify such attempts “offline” before proceeding.
  • As always, judgment is key. If something seems slightly off, or if the stakes are large (i.e., large payments), take the extra time to double check “offline” through independent means before proceeding with granting access to a computer, clicking a link or opening any attachments, or processing any payments.