This is a joint publication between Thompson Coburn’s Cybersecurity group and Jarrett Kolthoff and Benjamin Auton of SpearTip Cyber Counterintelligence.
In response to COVID-19, many companies have shifted their workforce to working remotely. This creates some entirely new security challenges. Remote employees may not be working within their company’s secured environment, and many companies are not well prepared to secure remote work. SpearTip Cyber Counterintelligence and Thompson Coburn have partnered together to give you some tips that you can consider implementing to add more security to your remote work. These tips are for informational purposes only and do not constitute legal or cybersecurity advice. For legal or cybersecurity advice for your particular circumstances, you should consult an attorney or cybersecurity professional.
Legal or regulatory obligations that may apply directly to an entity or indirectly passed along by contract to the entity may impose requirements for added or revised security controls. Many laws or regulations require, or at least strongly suggest, performing regular risk assessments of information systems and updating those risk assessments to address changes in the information systems, company operations, or changes to the nature of risks. In the new remote work reality, company personnel may need to assume a more active role in securing data and information systems.
1. All devices you use for work purposes should have the most up-to-date security protection software installed. Software updates often include security vulnerability patches that you’ll want installed on your device as quickly as possible. You should also be able to update your software remotely, have a plan in place to regularly check for updates and alerts from remote devices, and know whom to contact in the event something out of the ordinary is detected.
Compliance Tip: Some regulatory requirements, including the Massachusetts data security regulations, require “reasonably up-to-date” patching and virus definitions for software.
2. You should brush up on, as well as circulate to your employees, if applicable, some security basics. This would include knowing how to spot phishing e-mails (non-company e-mail address, spelling and grammar errors, non-routine requests, etc.), knowing not to click on links or attachments unless you 100% trust the sender, and not downloading anything onto work devices that your company has not approved.
Compliance Tip: User training is a required element of a security program under several security regulations, including the HIPAA Security Rule and the GLBA Safeguards Rule.
3. Use strong passwords and differentiate them across accounts. That way, if one account is compromised, all of your accounts are not exposed. Using a password manager such as LastPass will help you keep track. Password managers can also generate secure passwords for you. In some cases, consider using longer passphrases rather than passwords.
Compliance Tip: Some data security requirements include standards for the selection and updating of passwords and, in some cases, authentication using multiple factors, not just passwords, may be mandated.
4. Only use a secured Wi-Fi connection or hotspot while in your home, and check that the default password has been changed since being installed. Do not connect to public Wi-Fi or to your neighbor’s open Wi-Fi. Update the username and password of your Wi-Fi router. If you have never done this, go into your router settings and change the login information from the default settings to a secure username and a strong, unique password. Most internet service providers can assist you with updating this.
Compliance Tip: The Massachusetts data security regulations require secure access control measures that “assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.”
5. Do not transfer company information to a non-company device, such as a personal phone or laptop, via e-mail, USB, Dropbox, etc. If you need to print on the printer connected to your home network, connect the printer to your company-approved device.
Compliance Tip: Several data security regulations mandate that personal information must be encrypted when stored on portable devices.
6. If you receive a USB drive or other device in the mail that you did not order from a known vendor, inform your company and, if possible, have a qualified IT expert examine it first. Hackers have recently attacked systems by mailing USB sticks to targeted companies and individuals. When inserted into a computer, the USB sticks deploy malware or give the hackers unauthorized access.
Compliance Tip: Many companies have disabled USB ports on company devices, but with many employee-owned BYOD (bring your own device) machines now connecting to company information systems, the risk from USB drive-based malware is again more significant.
Maintaining good data-security practices from your home office may help avoid some very real consequences. Losing customers’ or clients’ data in a breach not only entails reputational risk, but may breach applicable contracts as well. In a recent case, a Missouri law firm was sued by its insurer client for failing to disclose a breach of its insureds’ information. One of the insurer’s claims is that the law firm breached its contractual duty, which the insurer argues is implicit in the firm’s retainer agreement, to protect personal information from disclosure. The case remains pending.
Running afoul of applicable regulations is another potential risk. In its February 2020 Privacy & Data Security Update, the Federal Trade Commission (FTC) noted that it has brought more than 70 cases since 2002 involving inadequate protection of consumers’ data. Notable examples include the Federal Trade Commission’s actions against Wyndham Worldwide and LifeLock, Inc. In both cases, the FTC alleged (among other things) that the companies failed to implement hard-to-guess passwords, did not use readily-available defenses to common attacks, and did not restrict or limit access to personal information only to those individuals or vendors who actually needed the information to do their jobs. In another action against InfoTrax Systems, the FTC alleged the company failed to use readily available and low-cost security measures.
Finally, if you are breached, and you lose customer or client data, you may be civilly liable to the individuals whose information was lost. Many companies that lost data have been sued by private litigants alleging damages from the breach (including such things as an increased risk of identity theft, cost of credit monitoring, and the value of time spent on mitigating the consequences). If the breach involves a California consumer, the California Consumer Privacy Act (CCPA) also authorizes statutory damages in addition to any actual loss. There are currently at least six active federal cases alleging CCPA violations, and the statute only took effect on January 1 of this year.
Jim Shreve is the chair of Thompson Coburn’s Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Libby Casale is an associate in Thompson Coburn’s Business Litigation group.
Jarrett Kolthoff is the CEO of SpearTip Cyber Counterintelligence. Benjamin Auton is the Vice President of SpearTip Cyber Counterintelligence.