In brief

As the COVID-19 pandemic stretched across the globe, companies shifted to remote working environments and many reduced staff, all without much of an opportunity to prepare. The past two months have presented a serious threat to data security, including the most vulnerable financial data, personal data of employees and customers, and trade secrets. These risks cut across all sectors — financial services, industrial manufacturers, health care, and professional services. Recent experience confirms that an effective information security strategy should target these most-common threats: phishing, data sprawl, and employee mobility/redundancies.


How to protect your company

Take a holistic approach to threat mitigation and data loss prevention in the face of increased risks. Such an approach must account for data protection, intellectual property (including trade secrets), and employment law. Here are the action items in these uncertain times to help address and mitigate the legal and regulatory risks:

Cybersecurity and privacy

  • Implement appropriate telework policies to address data privacy (e.g., remote monitoring and “bring your own device” policies) and cyber security hygiene (e.g., no using personal accounts for company information and no using shared accounts on computers).
  • Restart and revamp your cybersecurity training and messaging and review and update your data breach response plan to address pandemic-related risks and scenarios, especially related to phishing attacks and cyber-hygiene.
  • Document the updated policies, procedures, security controls, trainings, and mitigation measures put in place. This is essential for litigation readiness.
  • Remind employees that they have specific obligations in terms of data privacy and security, as part of their work duties.
  • Perform an impact assessment in order to find a reasonable balance between the need to protect data and information and the rights of employees.

Trade secret protection

  • Grant access to confidential information on a need-to-know basis, to employees who require the data to further company business objectives.
  • Provide updated notice to employees regarding the precise nature of any confidential information that they are accessing, including reiteration of the employee’s obligation to safeguard all confidential information and trade secrets from disclosure. Not only is this an effective reminder, but this notice can be used in the event of misappropriation to document your reasonable steps to secure information.
  • Refresh confidentiality obligations for current employees. Departing employees should be considered an external third party, thus treated with the same confidentiality measures as any third party.
  • Prepare to act quickly if you believe your trade secrets have been compromised, including immediate consideration of whether to pursue a seizure or alternative interim measures under applicable laws.

Employment law

  • Require departing employees to sign an acknowledgement of their ongoing obligations to maintain firm trade secrets, certifying their compliance and confirming that they understand that any future violations will be subject to action under applicable laws.
  • Require departing employees to return all of the company’s property, specifically materials containing confidential or trade secret information. To the extent permitted by applicable law, examine, through the company’s HR representative, whether any confidential or trade secret materials are on the employee’s personal email, cloud storage, personal USB or hard drives, or in hard copy at home, and require the employee to return or delete any such materials and to confirm that they did so.
  • Immediately deactivate the departing employee’s email accounts, passwords, building key cards, or other access to company confidential information and trade secrets.

COVID-19 related phishing

A particular concern in the current environment is the significant increase in data sharing that is understandably occurring in the remote working environment. Think: file-sharing services, video conferencing, network connection for multiple personal devices, newly-deployed software, IT-generated exceptions to security protocols, and so on. Many of these well-intentioned vehicles for adapting out-of-the-office (and out of the secure network environment) create myriad opportunities for inadvertent data sharing.

While accidental data loss is a key concern, there are numerous other actors who stand ready and willing to take advantage of these IT weaknesses, including potential attackers and rogue employees.

COVID-19 related employee mobility

Another reality of the current environment is that employers are considering or implementing layoffs of key personnel who have accessed company confidential information or trade secrets. In the normal course, access to company data could essentially be shut off following an exit interview. Effective off-boarding of engineers, heads of R&D, sales managers, financial services, and others requires particular consideration in a remote environment. Companies must decide how to recover corporate devices, ensure hard and soft copy files are deleted, confirm whether the departing employee has downloaded or stored documents/data to personal devices and make an action plan where such activity is detected, and investigate what the employee has accessed during this remote working time period preceding termination. Complicated issues may arise for particularly high-risk employees, such as whether/how to verify that company data has been fully recovered and whether/how to confirm that an employee’s personal devices do not contain confidential or trade secret files.

The massive business disruptions in these sectors have been accompanied by attempts by outside actors to phish, breach, or otherwise access data, and by concerns about controlling access to confidential information and trade secrets for departing employees. The remote work environment has also put employers in a tenuous position as they attempt to ensure that documents, data and devices are used in the proper way even outside of work premises, where protective measures were duly addressed. In addition, employers should ensure that documents, data and devices are returned upon departure, and continue to adjust and adapt to this shift of an entire workforce operating remotely.

Author

William (Bill) Dugan is a partner in Baker McKenzie’s Employment and Compensation Practice Group, residing in Chicago and New York, chair of the US Disputes Employment Group, co-chair of the North American Employment Disputes Group, and a member of the Steering Committee for the North American Employment and Compensation Practice. Bill has been recognized as a leader in labor and employment law by Chambers, he has been repeatedly recognized for his superior litigation defense in Super Lawyers, and Legal 500 has stated that Bill is a “master in the art of defending corporations in litigation.” Bill represents management in complex litigation in federal and state courts and other tribunals throughout the United States, including trade secret and restrictive covenant matters, class and collective actions, and labor arbitrations. Bill also counsels employers on a wide range of Labor and Employment issues.

Author

Michael Egan advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer. He focuses on these issues in the context of: global company operations and applications, including websites, mobile and e-commerce applications; data security breach and incident response; transactions; litigation; internal investigations; and government inquiries. He has represented companies before numerous government authorities, including the US Federal Trade Commission, the US Department of Justice and the US Securities and Exchange Commission.

Author

Francesca Gaudino is a member of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology. She has been recognized in Chambers Europe’s individual lawyer rankings from 2011 to 2014. Ms. Gaudino is a regular contributor on international publications such as World Data Protection Review, DataGuidance, and others. She routinely holds lectures on data privacy and security at post-graduate courses of SDA – Manager Direction School of the Milan Bocconi University and Almaweb – University of Bologna. She regularly speaks at national and international conferences and workshops on the same topics.

Author

Christine Streatfeild is a partner in the IPTech Practice Group. She has a broad range of trade, regulatory, and litigation experience, most frequently representing clients in antidumping and countervailing duty cases, safeguard measures, duties imposed for national security purposes (Section 232 duties), and Section 337 intellectual property and trade secrets disputes. She appears before the US International Trade Commission (ITC), US Department of Commerce (DOC), and the federal courts. She also routinely advises companies regulated by the Food and Drug Administration (FDA) on issues affecting mergers, acquisitions, licensing, and compliance. Prior to joining Baker McKenzie, Ms. Streatfeild served as the acting deputy director of the Generalized System of Preferences (GSP) and in the Environment and Natural Resources division of the Office of the United States Trade Representative. She has also served as an adjunct professor at the Krieger School, Johns Hopkins University, where she taught Global Trade, Policy and Competition.