With most of the United States currently under various state-mandated stay-at-home orders in the face of the COVID-19 pandemic, many businesses have transitioned to a work-from-home service model. In New York, all non-essential businesses have closed in-office personnel functions for the foreseeable future as required by Governor Cuomo’s “New York State on PAUSE” executive order. This transition presents unique risks, including privacy and cybersecurity risk when using home-based or work-provided computer systems. In the current environment, cyberspace is as vulnerable as it is vital, and companies may want to use this opportunity to examine their cyber hygiene.
Safeguarding confidential business information should always be a paramount concern to any business, especially when system security may be less than robust. Out of necessity during this time, many businesses may be using software or applications that they would not normally use. While downloading an application to your cell phone that purports to confidentially scan business documents may sound like a great idea, the privacy implications should be clearly understood. In addition, as has been widely reported, many businesses are using ZOOM to conduct business meetings. While it has many positive attributes, ZOOM has been roundly criticized for not living up to the terms and conditions of its privacy policy. It claims to have “end-to-end” encryption but, according to industry sources, this protection is not available for video and audio content on the platform. As a result, ZOOM may be able to see and use this data. As a first step, when utilizing any new software, a business should clearly understand the product’s privacy policy. Maintaining an inventory of all new software being used outside the office network, and making sure any new system is pre-approved by the IT department before use, is also good practice. Carefully vetting third-party vendors is imperative, especially in today’s environment. In addition, any United States business with European Union General Data Protection Regulation (“GDPR”) responsibilities may want to review new systems or applications to ensure they remain in compliance with GDPR privacy requirements.
In addition to privacy, the security of company and client data during this time should be a critical priority. New York recently passed the Stop Hacks and Improve Data Security Act (the “SHIELD Act”) that expands the existing definition of personal information to which data breach notification requirements apply and requires companies to use reasonable measures to protect private information. In a time of increased system vulnerability and the concomitant increase in the number of hack attempts as a result, companies can adopt a number of precautions to avoid a data breach:
- First, start with updating company systems. Regular updates for operating systems and applications often contain important security fixes. Keeping devices (computers, tablets, phones, routers, and other devices) up to date with the latest patches is an important, and relatively easy, way to keep your systems and data more secure. Turning on automatic updates only takes a few minutes and may make the process even easier.
- Second, make sure employees avoid use of public Wi-Fi networks. Instead, use private home networks or mobile hotspots. If a public or shared Wi-Fi network must be used, use a virtual private network (“VPN”) while accessing company databases, email, and other services, and limit access to sensitive services and data. Using a VPN allows your employees to connect to your company’s intranet, the private network designed to be used only by your company’s staff.
- Third, make sure employees are using strong passwords. For further protection, consider the use of multi-factor authentication to access your network and/or accounts and services.
- Lastly, make sure your employees are on the lookout for phishing e-mails and sites. Phishing is a form of social engineering designed to deceive users. Once inside your network, a cybercriminal can exploit sensitive information for their own profit and advantage.