Managing Data Privacy During Remote Work
- Remote work has presented new challenges to managing data privacy – beyond simply connecting to networks and sharing data
- IT, privacy, and security teams can take steps to ensure General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance by improving protocols and educating employees
- Working remotely requires employees to step up their efforts and pay attention to data privacy issues that they may never have had to consider while working onsite
COVID-19 presents many challenges, not the least of which is the high level of remote work and the amount of data produced on home networks. When thinking about remote work, there is a tendency to think about the employee connecting to the company network, but that’s just the tip of the iceberg when it comes to data sharing. Doctors are conducting telemedicine sessions. Meetings are conducted by Zoom, often with screen shares. Teachers have conferences and share information with and about their students. E-commerce has increased, with expectations that online retail will surpass last year’s total numbers by October.
Is your company in retail? Curious how a retailer can continue personalization for customers while staying continuously compliant with existing and emerging privacy regulations? We’re here to answer that question and more in our recent report – How Consumer Privacy is Reshaping the Retail & Ecommerce Landscape.
From a consumer point of view, how an organization treats your sensitive information has long been an issue, fueling the need for data privacy regulation. But during the pandemic, data privacy has taken on a different type of urgency. With a remote workforce, data privacy compliance has become harder as companies figure out how to do system discovery, data mapping, DSAR processing and more from outside the office.
Remote Work Complexity When Using Multiple Systems and Apps
“It’s great for productivity when every app integrates with Slack and HR, but this changes the privacy risk profile drastically.” – CEO Daniel Barber during our ‘Bridging Privacy and Security in the Dynamic Workplace’ webinar.
Businesses are utilizing an increasing number of systems for marketing, sales, and operations, leading to consumer data being spread across platforms. In order to meet CCPA requirements, businesses need to determine where personal information lives and ensure that access and deletion requests can be fulfilled across every one of those systems. One solution is to map data across the entire business and identify where personal information is stored. However, mapping data and processing requests can be a challenge with employees working remotely.
Employees working on home networks may lack access to specific systems that are required to fulfill data subject requests. Chris Niggel of Okta, a leader in identity and access management, said in a recent webinar: “Security folks like to say that ‘the most secure system is the one nobody can use.’ But that just means employees will use a different, less secure system,” pointing out one of the many risks that comes with restricted access during remote work.
Running a privacy program, no matter the size, is a tall task in 2020 given the current state of work and the data privacy regulations both in place and forthcoming. One solution is to implement a privacy platform across the business by connecting systems together through a live data map. This data map provides an up-to-date look at where data is being stored and used and allows companies to respond to data subject requests in a short time frame by pulling data from all of their systems simultaneously. Find out how DataGrail provides this for companies including Revolve, Drift, Outreach, and NoRedInk, becoming, as one of them put it, “A one-stop shop for our data privacy request needs”.
Security on Home Networks
In addition to rising concerns around privacy programs, security during remote work is another issue at hand. Remote employees tend to be less attentive to basic security and compliance issues when working from home. As a Forbes article pointed out, “48 percent of employees reported being less likely to follow safe data practices while working from home. Meanwhile, 84 percent of IT leaders reported that data loss prevention is more challenging with a remote workforce.”
“Endpoint security is much more difficult when people work from home,” explained Paul Bischoff, privacy advocate with Comparitech, in an email interview. “Staff aren’t only working from their personal device, but on their home networks. That makes it much more challenging to ensure that every device and connection is properly protected and that staff is following proper operational security procedures.”
Organizations are more susceptible to data security issues such as data leaks, malware, and phishing, Bischoff added. “The risk of phishing is far greater when staff can’t meet face to face to verify each other’s requests for information, data, and money.”
The Housemate Dilemma
The people you live with also put your company at risk of data privacy compliance violations.
“Staff might not log out of their work accounts, inadvertently exposing sensitive data to family members,” said Bischoff. “Families also tend to be lenient about wi-fi password sharing, which increases the chances of a hacker breaking into the local network.” And if one device on the network is infected by a worm or virus, it could spread to other devices on the same network, putting all data on them at risk of a breach.
It’s not only what gets exposed on the network that causes a data breach. Sharing a workspace with living space also creates opportunities for passive data privacy breaches. A health professional could unwittingly violate HIPAA compliance by conducting a telemedicine call that is overheard by a roommate, or classified or clearance-restricted information could end up compromised if someone looks over your shoulder at your screen.
Video calls are especially dangerous territory; in fact, these sessions, which now regularly stand in for what would otherwise be in-person meetings, are the subject of privacy class action suits. In a post from the law office of Nixon Peabody, the suits allege the conferencing software “collected and disclosed, without adequate notice or authorization, personal information of its users to third parties, including Facebook,” and “allegedly disclosed personal information including the model of a user’s device, the time zone and city where a user is connecting from, the phone carrier being used, and a unique identifier for targeted advertisements.”
If any of the participants in these calls are from California or the European Union, CCPA or GDPR could kick in, putting the company at risk of fines and penalties for the sharing of personal information without consent.
How to Improve Data Privacy Protocols
CCPA enforcement came into effect in the middle of the COVID-19 work-from-home orders, which is why California Attorney General Xavier Becerra issued an alert reminding citizens of their data privacy rights. In the alert, he encouraged workers to enable the privacy settings of their conferencing software and to use passcodes to make sure only invited attendees are on the call. Find out what you need to know about CCPA Enforcement, now in effect – including who is enforcing, what companies and issues are at the highest security risk, and what to expect when it comes to Data Subject Requests (DSRs) in our recent blog post.
IT departments should also step up their monitoring of data privacy practices. “Issuing work-only devices with hardened security, strict network access, and remote management software is the ideal solution, but not financially feasible for every company. Short of that, IT admins should create VPNs that allow remote workers on personal devices to securely log in and access office resources,” Bischoff suggested. Using remote device management software, IT admins can remotely disable and wipe devices that have been compromised, lost, or stolen.
In a perfect world, IT departments would be able to issue devices designated only for use on their networks, said Chris Hauk, consumer privacy champion with Pixel Privacy, in an email interview. However, we don’t live in a perfect world, and the coronavirus crisis forced many companies to make do with what they had on very quick notice. “IT departments at the very least should do their best to educate remote workers as to the proper use of VPNs, corporate email, etc. Education should also include the proper way to verify other users’ identities, how to safely share documents, and how to avoid phishing schemes,” Hauk added.
If having a VPN isn’t possible, both Hauk and Bischoff advised remote employees to create a separate WiFi network that is exclusively for work purposes, and make it password protected with that password known only by the user. Newer home wi-fi routers broadcast 2.4 GHz and 5 GHz signals, so one option is to pick one band for work and the other for personal/home connections. Keep in mind that on most consumer routers the two bands share the same local network, so this separates passwords rather than traffic: a personal device on the other band can still reach the work device. For real separation, use the router’s guest-network feature (which isolates its clients from the main LAN) or a dedicated second router for work.
Security and Privacy: Dynamic Duo
While there are actionable steps for maintaining proper security protocols and proper privacy protocols individually, neither will be complete without the other. Security could be top notch, but if data is being kept in shadow IT systems, privacy may be compromised. As outlined above, there are clear ways to improve security protocols and help employees keep their work secure. The next step is to make sure privacy is taken care of, regulations are being followed, and consumers have trust in the company. Find out why DataGrail is the privacy platform for the modern company – featuring our live data map, request manager, and preference card.
Working remotely requires employees to step up their efforts and pay attention to data privacy issues that they may never have had to consider while working onsite. But data privacy issues didn’t go away when COVID-19 arrived; instead, the pandemic made them unavoidable and something we all have to be aware of in our unique work settings.
Want to learn more about remote working data protection?
Check out our webinar: Bridging Privacy and Security in the Dynamic Workplace featuring Chris Niggel – Regional CSO at Okta and Lan Xuezhao – Founding and Managing Partner at Basis Set Ventures.