The unique circumstances raised by COVID-19 require organizations to consider new situations and implications that may not be covered by their existing privacy and security policies. In some cases, companies are collecting and disclosing new types of personal information for which they need to seek consent.
Organizations are also outsourcing services to vendors who may store personal information outside of the jurisdiction. In other cases, employees working from home may increasingly expose their companies to security vulnerabilities. Given this reality, companies should revise their suite of privacy and security policies to reduce the risk of a privacy breach and ensure alignment across the entire organization. As many companies are experiencing some downtime, it is a good idea to do some housekeeping related to compliance.
How Companies Can Respond
In this challenging time, management is expected to set clear guidelines for how their organization should be managing privacy and security risks in the new work environments, leveraging new policies and technologies and empowering their employees. Here are three recommendations for management:
1. Update your Work from Home Policy
As employees work from home, there is less consistency and control regarding which staff are handling data or records. Organizations must maintain control over their assets to reduce privacy and security risks. As such, organizations should review their Work from Home Policy, which should outline appropriate practices while working from home. For example, there should be control over which devices staff can use and what security controls are installed on these devices. Rules regarding appropriate methods of communication should be outlined, such as which videoconference platforms are approved by the organization and what settings should be implemented. Setting boundaries around a remote workspace is also necessary for a high level of efficiency and data loss prevention.
2. Update your Information Security Policy
Managers should guide their security teams to identify new potential attack vectors and prioritize the protection of their most sensitive information and business-critical systems. Based on this understanding, they must ensure that the organizational Security Policy and all related procedures are clear and include easy-to-follow steps that empower employees to make their home-working environment more secure. In addition, management should ensure all connected devices are equipped with essential security capabilities and extend the same network security best practices that exist within the company to all remote users and environments.
Organizations should review existing privacy policies (and externally facing notices) to ensure that they include the collection of new types of personal information or the disclosure of personal information to governmental agencies for requested emergency purposes. Moreover, privacy policies should provide that personal information can be shared to protect the health or safety of the person/data subject, or in response to valid legal process/judgment or a lawful obligation.