Employees have been working remotely (i.e., any place with an Internet connection) since at least the mid-2000s. The COVID-19 outbreak, which started in 2020, forced employers to permit employees with certain types of jobs (usually white-collar) to work remotely on at least a part-time basis.
IT departments were overwhelmed by the pressing need to set up remote access in a very short time. In some cases, the push may have overridden established data security processes and procedures. Presumably, the situation has improved since the pandemic’s early days, but you may still have questions about the extent of your legal obligations to secure data. Here are some best practices you can follow.
Security Standards for Employers
There’s no universally inclusive data security standard required by federal law. If your company isn’t the type of organization covered by a specific federal standard, you must look to state standards.
A number of states require organizations to take reasonable measures to protect against the unauthorized access to and acquisition, use, and disclosure of personal information. Maryland state law, for example, says:
A business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures that are appropriate to the nature of the personal information owned or licensed and the nature of the business and its size and operations.
California, Delaware, the District of Columbia, New York, and Virginia (effective January 1, 2023) are other states applying the reasonable measures standard.
Most legislators and regulators use the reasonable measures standard because one size doesn’t fit all, nor is it appropriate for all situations. For example, the data security program implemented by a global financial institution doesn’t need to be the same as one developed for a local pizza shop. Organizations have the flexibility to implement a program that’s risk-based and otherwise appropriate and tailored to their unique circumstances.
Massachusetts law gives more specific guidance on what is reasonable. State regulations require each covered organization to maintain a written information security plan describing the safeguards it uses to protect personal information. The safeguards must be appropriate to the size, scope, and type of business, the organization’s available resources, the amount of data stored, and the need for security and confidentiality (i.e., the sensitivity of the stored data). Activities that must be part of the security plan include but aren’t limited to:
- Appointing an employee who is responsible for administering the plan;
- Conducting risk assessments; and
- Reviewing the safeguards annually.
Employers trying to determine what is reasonable should review Massachusetts law and perhaps adopt its standards. Regulators likely would look favorably on the argument that your organization modeled its security plan on an actual state law even if you aren’t subject to it. Similarly, a potential adverse party would have a difficult hurdle to overcome in arguing your company didn’t act reasonably.
11 Steps Employers Can Take
Even with COVID-19 subsiding, many employees want to continue working remotely. Consequently, you must evaluate and reevaluate your data security programs to account for larger numbers of full-time or part-time remote workers. Here are some physical, administrative, and technical safeguards you can use as part of your reasonable security measures:
- Require employees to use complex passwords of at least eight characters with a combination of upper and lowercase letters, numbers, and symbols. Establish a standard to change passwords at least every 90 days. Use best practices for password management.
- Make multifactor authentication mandatory. A second log-in credential greatly decreases the ability of threat actors to infiltrate an employee’s account.
- Keep all software updated with the latest patches and security configurations.
- Raise employee awareness of threats such as phishing, spear phishing, and “deep fakes” via periodic messaging and mandatory training.
- Provide employees with corporate-owned devices, which are generally more secure and likely to use methods such as encryption to secure data in transit and at rest.
- Establish a written incident response plan. Assemble an incident response team, including an IT forensics resource, that is ready to carry out the plan in the event of a data incident. Test the plan periodically via a tabletop exercise.
- Remind employees to avoid sharing a company-owned device with a family member. Children are particularly susceptible to downloading malware.
- Procure and renew cyber insurance. Be certain it covers incidents caused by remote workers.
- Train employees to be wary of working in public spaces and of relying on public WiFi and hot spots.
- Remind employees to observe the “clean desk” concept even if at home. Persons other than family can be present there.
- Documents containing sensitive information that are printed away from the office should be returned to the office for shredding or disposed of by other secure methods.
Bottom Line
Your written information security plan should include physical, administrative, and technical safeguards appropriate to the business. It must cover all employees, whether working at a physical office or in a remote location.
We expect a larger number of employees to be working remotely, whether full- or part-time, relative to the prepandemic numbers. Therefore, you need to use reasonable measures to secure the data they handle and give particular attention to the challenges posed by more people working away from the physical office.
Bruce F. Martino, CIPP/G, CIPM, is the director of privacy, data security, and compliance at Whiteford, Taylor & Preston, LLP, in Baltimore, Maryland. You can reach him at bmartino@wtplaw.com.