While working remotely has long been the norm for many, the ability to work from home took on a new sense of urgency back in March this year.
Now that we’re returning to a ‘new normal’, its clear that remote working is one of the legacies of Covid-19 that we’ll keep indefinitely.
Remote working poses serious data security risks to companies as employees are distanced from the security measures, both cyber and physical, which exist in the office space. The majority of data breaches result from human error and not from cyber attacks by an unknown source. Under the General Data Protection Regulation 2016/679 (the “GDPR”) a data protection breach can result in a company receiving a fine of of up to €20 million or 4% of the company’s annual global turnover and so data security is of real concern to employers for financial as well as moral reasons .
Below we’ve listed some of the main areas employers need to consider when looking at their remote working policies and practices.
- Training
Employers should now, if they have not already, be taking steps to review their security policies and ensure that they are adequately communicated to all of their employees. The training of personnel is fundamental in reducing the risk of a data breach both in the office space and the remote working space.
- Risk assessment
Employers should ask their employees to carry out a risk assessment of their home working envirrnoment. Questions such as where are they physically working, what equipment is being used, what security measures are in place to protect the work station at home, should be considered.
- Password best practice
Implementing good password practice is very important and the use of passwords and multifactor authenication to gain access to work materials should be implemented. Passwords should also be changed on a regular basis. This may seem obvious to some, but others should be reminded of the basic security advices.
- Email security
Recently there has been an increase in phishing emails and money scams. Employers should be hyper vigiliant and adopt standard practices to avoid being caught out. For example a simple method to increase security, is to adopt a procedure whereby when receiving a request to transfer money by email, the person supplying bank account details for the receipt of monies should always be contacted by phone to verbally confirm the bank account details.
- Policies for remote working
Employers should also look at implementing policies and guidelines around where their employees are physically working. With the good weather recently people have been flocking to the outdoors. Employees should consider if it is desireable for employees to be checking their emails in public spaces on an unsecured wifi network or having conversations with clients while out walking their dog?
- Security on employee devices
Employers should review the security measures on the devices that employees are using to gain access to their work materials. For example, if the employee is using a home desktop computer, is it password protected and can other members of the household gain access to it? Where a personal laptop is being used by an employee it may be perferrable for them to be supplied with a work laptop or have an employer’s IT service provider check the security of the device. Where an employee is living in sharded accomodation it may also be necessary to provide an employee with a headset and a screen protector so that others in the accomodation will not have access to the employee’s work.
- Removing documents from the office space
Perhaps one of the most important considerations for an employer to consider is ifthere is a policy in place in relation to an employee bringing a file home from the office. The employer must communciate with the employee if this an acceptable practice and if are there restricitions on what documentation can and cannot be removed from the office. Where employees are removing hard copy documents and files from the office it is advisable that there is a system in place to record the movement of documents so that they can later be accounted for.
- Disposal of documents
Where an employee uses paperwork at home, consideration should also be given to company policies on the disposal of hard copy documents. For example all hard documents may need to be shredded for confidentiality reasons, therefore where employees are working from home, an employer should consider how this material will be disposed of. A home shredder or shredding bags may need to be provided to employees or perhaps the collection of the shredded material may be arranged.
Remote working does not limit an employer’s responsibilities under the GDPR or data security obligations and employers should take the risks poses seriously and regularly review and communciate to their employees their data and cyber security policies.
About the author: Hannah Brady is a solicitor on our litigation team.
For more information on any of the above issues, or any employment queries, please contact Head of Employment Marc Fitzgibbon at mfitzgibbon@lavellepartners.ie, Associate Emer Murphy at emurphy@lavellepartners.ie or call 01 644 5800.