COVID-19 has changed the way we interact with each other. It has also changed how we work, with many people now working from home on a full-time basis. Just a month ago, a large fully remote workforce was unimaginable. Now it’s a reality, and it’s working.
The traditional argument against telecommuting has been accountability: how to ensure remote workers remain engaged and productive. Generally, this is no longer a concern, and we anticipate that in the post-social distancing world, many workers will continue to telecommute. Businesses transitioning to a permanent large remote workforce should consider the associated challenges and risks, in particular those related to data protection.
COVID-19 has forced many businesses to operationalize a remote workforce in the middle of a privacy-law evolution in the United States that has seen a number of states enact or propose broad consumer privacy legislation. The California Consumer Privacy Act, or CCPA, is the most well-known, and other states — including Washington — have enacted or proposed similar legislation. Such laws typically restrict how a business may process personal information and grant consumers enhanced rights over their data.
Data security laws present additional challenges. All 50 states have breach notification statutes, and numerous states, including California, Oregon and New York, have laws that mandate minimum security standards. The reality facing many U.S. businesses is a drastically different privacy and security compliance landscape than existed even just a couple of years ago.
Typically, data security programs include administrative, technical and physical safeguards. But with few exceptions, most programs aim to secure a location that the business can control, i.e., the office. Remote workspaces can vary widely, presenting potential challenges for implementing effective security controls. One such challenge to address is the higher likelihood that third parties, such as roommates, family members and guests (all of whom may work for other businesses), or even household internet of things devices, will have exposure to corporate data and conversations.
Some security controls can be readily adapted to tackle these challenges — corporate travel-security policies can be instructive. Other enhancements might include mandated use of VPNs for remote access, implementing stronger workstation-security controls and issuing company-controlled routers to provide secure private networks within home networks. Such routers are relatively inexpensive and easy to manage, and they mitigate potential risks by giving company assets a secure environment separate from the employee’s home network.
Other challenges are more nuanced. Without having colleagues or the help desk on-site, remote workers may be more susceptible to phishing, social engineering and other attempted cyber fraud. No matter what security controls an organization implements, well-trained employees are the most effective protection for a distributed, remote workforce.
Businesses should revisit training and awareness programs to account for a degree of independence and responsibility previously not considered. They should also consider interactive training tools, such as tabletop exercises where employees collaborate to respond to a cybersecurity incident. Interactive training requires more employee engagement and awareness than videos or lectures. Such exercises can provide insights about workforce preparedness related to cyber-threats, a better understanding of privacy and security risks and a business’s associated compliance obligations, as well as information regarding gaps in the business’s privacy and security programs.
Every business will have different risks and priorities when transitioning to a large remote workforce. The business should tailor its data protection programs to meet its needs. Companies considering operating with a large remote workforce on a permanent basis should consult their advisors and attorneys to understand their privacy and security risks and obligations in order to adjust their data protection programs accordingly.
Matt Beland is the chief executive officer of Smooth Sailing Solutions, a security, privacy and management consulting firm. Xavier Clark is an attorney with Schwabe, Williamson & Wyatt P.C., where he advises clients on privacy and technology matters.