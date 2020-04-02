Various data protection authorities and cybersecurity authorities have issued guidance for employers and employees regarding working from home during the current COVID-19 (‘Coronavirus’) pandemic and the consequent data protection implications and privacy risks, against which organisations must protect themselves.

EU

The European Union Agency for Cybersecurity (‘ENISA’) issued, on 24 March 2020, its Tips for Cybersecurity when Working from Home (‘the Teleworking Guidance’) during Coronavirus. In particular, ENISA highlights the use of virtual solutions, including videoconferencing, and provides recommendations for employers. Gabriel Voisin, Partner at Bird & Bird LLP, told OneTrust DataGuidance, “The use of virtual solutions and the increased use of remote working solutions stretch employers on two principal fronts:

IT and Information Security departments are obliged to relax security requirements to permit workers to access corporate networks and tools from their home. This means that basic security practices such as IP address whitelisting techniques, minimum antivirus/software update standards or encryption level are no longer fully enforced by employers; and

employees and teams, in their desire for agile and collaborative tools to work remotely, are tempted to source solutions by themselves. This bypasses normal vendor onboarding processes, which puts employers’ infrastructure at greater risk.”

In relation to issues employers might face when providing for teleworking during the Coronavirus epidemic, Maarten Stassen, Partner at Crowell & Moring LLP, told OneTrust DataGuidance, “In these times where nothing is what it used to be and nothing seems normal anymore, abnormal emails and messages no longer stand out, which increases the security risk. Hackers will take advantage of the fact that we are busy with so many different things and thus ‘look the other way’ to attack our systems.”

Moreover, the Teleworking Guidance, apart from addressing the security of digital systems, also addresses the physical security of assets which might contain personal data, referring, for instance, to the protection of local drives which contain data at rest, and to screen locking when employees work in a shared space.

Voisin continues, “Physical security measures are mission impossible. Indeed, they refer to techniques such as:

quality of doors and locks, and the protection of your premises by such means as alarms, security lighting or CCTV;

how you control access to your premises, and how visitors are supervised;

how you dispose of any paper and electronic waste; and

how you keep IT equipment, particularly mobile devices, secure.

which are very difficult to implement and enforce at home.”

Moreover, Stassen, with regards to paper records outside the office environment, highlights, “The greatest danger lies in disposing of confidential information. At work, this can usually be achieved through secure containers or shredding facilities, but there is a good chance that a lot of confidential company information will soon – literally – be on the street when thrown in home trash-bins.”

In addition, ENISA’s Teleworking Guidance draws attention to the increase in phishing attacks and the importance of raising awareness of digital security in response. Olivier Proust, Partner at Fieldfisher (Brussels), told OneTrust DataGuidance, “In times of crisis, it’s not unusual to notice a spike in phishing attacks […] Despite the current situation, the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) continues to apply, including the obligation for organizations to report data security breaches to the regulators. Therefore, while it is reasonable to expect some slowdown in the enforcement activity by the EU data protection authorities, this does not exempt data controllers and processors from their obligations under the GDPR, including their obligation to maintain appropriate security measures at all times.”

Finally, Stassen further noted, “This Coronavirus pandemic is quite scary for many people and people will have to feel protected again, which is why I believe that acting against those who exploited this situation would help to restore the trust in governments and the judicial system, which will be what people need to go back to ‘normal’ again.”

France

The French data protection authority (‘CNIL’) issued, on 31 March 2020, guidance on teleworking for employees and employers.

In particular, CNIL outlines practical steps that organisations must take to ensure the security of information and information systems. Specifically, CNIL recommends security measures which include assessing risks, implementing two-factor authentication mechanisms, and equipping employee workstations with firewalls, antivirus protection software, and software blocking access to potentially malicious websites. Claire François, Counsel at Hunton Andrews Kurth LLP, told OneTrust DataGuidance, “If the organisation’s services are on the Internet, CNIL further recommends:

using protocols that ensure the confidentiality and authentication of the receiving server (such as HTTPS for websites, and SFTP to securely transfer files), and using the most recent versions of those protocols;

regularly reviewing logs of access to remotely accessible services to detect suspicious behaviours; and

not making non-secure server interfaces directly accessible.”
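CNIL’s second point, reviewing the access logs of remotely reachable services for suspicious behaviour, is the one most organisations had no routine for before March 2020. The script below is an added example of what such a review can look like in practice; it is not CNIL’s code or part of the original article. The log format, the sample lines, the per-user baseline of known source addresses and the thresholds (five failures in ten minutes, a success after three or more failures, a 22:00–06:00 UTC off-hours window) are all constructed assumptions and should be tuned to the real service and workforce.

```python
"""
Review an access log of a remotely reachable service for suspicious behaviour.

Added example illustrating CNIL's log-review recommendation; it is not CNIL's
code or the article's. The log format, sample lines and thresholds are
constructed assumptions:
  <ISO-8601 UTC time> <OK|FAIL> user=<name> src=<ip> service=<name>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical VPN/SSH access log, not real data).
SAMPLE_LOG = """\
2020-03-30T08:02:11Z OK   user=alice src=203.0.113.10 service=vpn
2020-03-30T08:05:40Z OK   user=bob   src=198.51.100.7 service=vpn
2020-03-30T02:14:03Z FAIL user=admin src=192.0.2.55 service=ssh
2020-03-30T02:14:05Z FAIL user=admin src=192.0.2.55 service=ssh
2020-03-30T02:14:08Z FAIL user=admin src=192.0.2.55 service=ssh
2020-03-30T02:14:12Z FAIL user=root  src=192.0.2.55 service=ssh
2020-03-30T02:14:15Z FAIL user=alice src=192.0.2.55 service=ssh
2020-03-30T02:16:30Z OK   user=alice src=192.0.2.55 service=ssh
2020-03-30T23:40:02Z OK   user=bob   src=198.51.100.7 service=vpn
"""

# Constructed baseline: source addresses each user has legitimately used before.
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}

FAIL_THRESHOLD = 5              # failures from one source that count as brute force (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumed)
OFF_HOURS = (22, 6)             # UTC hours outside the normal working day (assumed)


def parse_line(line):
    """Turn one log line into a dict: datetime, success flag and the key=value fields."""
    ts, result, rest = line.split(None, 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ok": result == "OK", **fields}


def review(log_text, baseline):
    """Return (rule, src, user, timestamp) findings in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # src -> failure timestamps still inside WINDOW
    findings = []
    for e in events:
        src, now = e["src"], e["ts"]
        fails = [t for t in recent_failures[src] if now - t <= WINDOW]
        if not e["ok"]:
            fails.append(now)
            recent_failures[src] = fails
            if len(fails) == FAIL_THRESHOLD:          # fire once, when the threshold is crossed
                findings.append(("BRUTE_FORCE", src, e["user"], now))
            continue
        recent_failures[src] = fails
        if len(fails) >= 3:                           # success right after a burst of failures
            findings.append(("SUCCESS_AFTER_FAILURES", src, e["user"], now))
        if src not in baseline.get(e["user"], set()):  # user never seen from this address
            findings.append(("NEW_SOURCE", src, e["user"], now))
        start, end = OFF_HOURS
        if now.hour >= start or now.hour < end:       # login outside the working day
            findings.append(("OFF_HOURS", src, e["user"], now))
    return findings


if __name__ == "__main__":
    for rule, src, user, ts in review(SAMPLE_LOG, BASELINE):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<22} user={user} src={src}")
```

On the constructed sample this reports the password-guessing burst from 192.0.2.55, the success that follows it (the finding that actually matters), alice’s first-ever login from that address, and two off-hours logins. The off-hours rule is deliberately last: with a workforce suddenly spread across time zones it produces the most noise, so a real deployment would scope it per user or drop it.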

Notably, CNIL highlighted that organisations should update or formulate and implement information security policies to cover teleworking. Proust explains, “In the given context, there is no exception in how the GDPR applies and organisations must continue to inform their employees in accordance with Articles 13 and 14 of the GDPR. In particular, they must ensure that their privacy policies and notices provide an accurate and comprehensive description of the purpose of the processing, the categories of recipients (including those that are located outside the EU) and the rights of the data subjects.”

François continued, “Such policy or rules should specify the security rules which employees must comply with, such as never providing identifier/password to a third party; locking computers as soon as employees leave their workstation; and if not done already, securing their home Wi-Fi network by using state of the art encryption (WPA2 or WPA3 with a long and complex password), turning off the WPS function and deleting the Guest Wi-Fi.”
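The home Wi-Fi rules in that list are concrete enough to check mechanically. The following is an added example, not CNIL’s code or the article’s, that lints a hostapd-style access point configuration for exactly those weaknesses: the old WPA1/TKIP handshake still enabled, a short passphrase, WPS left on, and a guest network still configured. The option names are the ones hostapd documents (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `wpa_passphrase`, `wps_state`, `ieee80211w`, `bss`, `ssid`); the two configurations, the 20-character passphrase floor and the choice of WPA3-SAE (with management frame protection, which SAE needs) for the hardened version are constructed assumptions. Consumer routers expose the same settings through their web interface rather than a file, but the checks are the same.

```python
"""
Lint a hostapd-style Wi-Fi access point configuration for the weaknesses CNIL
asks employees to remove from their home networks: WPA1/TKIP still enabled, a
short passphrase, WPS left enabled and a guest network left in place.

Added example; not CNIL's code or the article's. Option names follow hostapd's
documentation; the two configurations and MIN_PASSPHRASE are constructed.
"""
MIN_PASSPHRASE = 20   # assumed floor for "long and complex"; WPA allows 8-63 characters

# Constructed: a typical consumer-style setup with the weaknesses left in.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wpa_passphrase=sunshine
wps_state=2
ap_pin=12345670
bss=wlan0_1
ssid=HomeNet-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=guestguest
"""

# Constructed: the same access point after applying the recommendations (WPA3-SAE here).
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=correct-horse-battery-staple-home-office-2020
wps_state=0
"""


def parse_hostapd(text):
    """Split key=value lines into one dict per BSS; a 'bss=' line starts a new network."""
    sections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss" and current:
            sections.append(current)
            current = {}
        current[key] = value
    if current:
        sections.append(current)
    return sections


def check_section(opts):
    """Return the weaknesses found in one BSS."""
    problems = []
    if opts.get("wpa") != "2":                       # 1 = WPA1 only, 3 = WPA1 and WPA2
        problems.append(f"wpa={opts.get('wpa')} permits the deprecated WPA1 handshake; set wpa=2")
    ciphers = (opts.get("wpa_pairwise", "") + " " + opts.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        problems.append("TKIP cipher enabled; use rsn_pairwise=CCMP only")
    key_mgmt = opts.get("wpa_key_mgmt", "").split()
    if "SAE" in key_mgmt and opts.get("ieee80211w") != "2":
        problems.append("WPA3-SAE needs management frame protection: set ieee80211w=2")
    passphrase = opts.get("sae_password") or opts.get("wpa_passphrase", "")
    if len(passphrase) < MIN_PASSPHRASE:
        problems.append(f"passphrase is {len(passphrase)} characters; use at least {MIN_PASSPHRASE}")
    if opts.get("wps_state", "0") != "0":            # hostapd default is 0 (WPS off)
        problems.append(f"WPS enabled (wps_state={opts['wps_state']}); set wps_state=0")
    return problems


def audit(text):
    """Return (ssid, problem) pairs for every BSS in the configuration."""
    findings = []
    for index, opts in enumerate(parse_hostapd(text)):
        ssid = opts.get("ssid", "?")
        findings.extend((ssid, p) for p in check_section(opts))
        if index > 0:   # any BSS after the first is an extra (guest) network
            findings.append((ssid, "additional guest network configured; remove the bss section"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for ssid, problem in audit(conf):
            print(f"  [{ssid}] {problem}")
```

The weak configuration yields six findings (four on the main network, a short passphrase and the network itself on the guest BSS); the hardened one yields none. `wpa=3` deserves a note: it is the common “compatibility” setting, and it keeps the WPA1/TKIP downgrade path open for every client, which is why the check insists on `wpa=2`.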

Furthermore, it can be noted that the increase in working from home raises questions about the monitoring of employee activities. Proust highlighted, “While this may be done with the legitimate intention of ensuring business continuity, it also increases the risk of invasiveness and possibly a violation of the employees’ right to privacy. In Europe especially, organisations must be careful not to monitor their employees excessively, which could constitute a violation of their right to privacy and possibly also a violation of the GDPR […]. In addition, companies must comply with the national labour law rules, which (depending on the applicable laws in each EU member state) may require them to inform and/or consult the employee representative bodies before implementing such tools.”

Beyond measures for the security of digital systems, François elaborated, “CNIL reminds employees to follow the instructions of their employer and not do at home what they are not supposed to do in the workplace. This means, for example, that employees should not destroy business paper records containing personal data in a non-secure way or make them easily accessible to unauthorised persons, including family members.”

Further to the same, Proust clarified, “At a time when everyone is confined at home, there is an increased risk of attempts to access some sites that may be under reduced surveillance. In particular, there is a risk that some criminals may try to physically penetrate certain sites in an attempt to access or steal any organisation’s confidential or sensitive information, or simply to cause harm to the organisation (e.g. by accessing a company’s physical servers). […] Therefore, each organisation must be attentive to these risks and will need to maintain an adequate level of surveillance via video-monitoring as well as a minimum physical presence at certain sites to prevent any unlawful attempts to penetrate such sites.”

Germany

Some German data protection authorities have responded to the increase in working from home with guidance for organisations on how to protect personal information and systems at this time. For example, the Schleswig-Holstein State Commissioner for Data Protection (‘ULD’), the Bavarian data protection authority (‘BayLfD’), the Rhineland-Palatinate data protection authority (‘LfDI Rhineland-Palatinate’) and the Hamburg State Commissioner for Data Protection and Freedom of Information (‘HmbBfDI’) have all issued their own guidance.

In particular, the ULD highlights the importance of positioning desks and computers away from third parties. Valentino Halim, Associate at Latham & Watkins LLP, told OneTrust DataGuidance, “It is true that data security measures in home-office scenarios focus on protecting personal data processed in IT systems. Apart from that, however, companies also need to implement sufficient security measures for personal data in paper-based company documents, including printouts. In this context, German supervisory authorities have stressed that business documents containing personal data in home offices should only be printed if actually necessary. Companies have to instruct their employees on keeping such documents in a sufficiently secure manner when working at home. In particular, persons in employees’ households (e.g. family members, visitors etc.) must be prevented from accessing any information contained therein. For this, using lockable workrooms is just as conceivable as storing paper documents in locked cupboards or other containers. Finally, employees have to destroy paper documents no longer needed in accordance with data protection requirements, for example by using a shredder. Employees who do not have the appropriate equipment available must temporarily retain such documents at home for the time being. After the home office period has ended, they should securely destroy these documents in the workplace using the company’s standard procedure.”

Furthermore, the ULD continues that organisations should ensure that processing client data from home is not excluded by their contracts with clients. Regarding further obstacles which organisations might face for the protection and safe processing of client data, Halim illuminated, “Professionals who are bound by statutory professional secrecy face additional restrictions in home-office scenarios. Inter alia, lawyers, tax advisors and professionals working in the life and health insurance sector must not disclose the data of their respective clients or customers without authorisation. In the event of violations, such professionals face professional consequences as well as criminal offences (Section 203 German Criminal Code). In a home office environment, however, there is an increased risk that client or customer data protected by professional secrecy will be disclosed. For example, affected professionals are running afoul of their statutory professional secrecy when storing and processing customer or client data on their private IT devices, or even using their private email accounts for this data. In the current situation, such data security deficiencies might occur where home-office has been introduced spontaneously throughout the company.”

Moreover, the BayLfD details that, in the health sector, sensitive data should not be stored on private devices unless it can subsequently be deleted. Halim explains that organisations in the health sector should note that, “the BayLfD is willing to temporarily accept the use of private IT devices under the described condition only with regards to communication within and outside public organisations. For using private IT equipment while processing social data or health data in hospitals, the BayLfD requires additional strict conditions. For example, medical data of patients must still not be stored on private devices and employees may only use private devices for accessing such data by means of desktop virtualisation, VPN and comparable solutions. The accessed data itself still has to be stored in the company’s IT systems.”

Finally, Halim concluded that “German supervisory authorities have correctly clarified that, particularly in the current situation of the Coronavirus pandemic, applicable data protection law, including its provisions on data security, does not prevent companies from introducing the home office to the entire organisation. Nevertheless, companies must ensure appropriate data security measures. Especially, companies that have introduced home office work spontaneously should define and implement binding rules and guidelines for employees on the most important data security measures as soon as possible.”

Netherlands

The Dutch data protection authority (‘AP’) also published guidance for employers and employees in relation to working from home.

In particular, the AP outlines four key tips, which include working in a secure environment, protecting sensitive documents which may be in paper form, taking care when using video call services, and watching out for phishing emails. Quinten Kroes, Partner at Brinkhof Advocaten, told OneTrust DataGuidance, “The AP notably calls for caution in the use of generally available commercial (video) chat services, especially by healthcare providers. The reason for this cautious approach is that it hasn’t established that these services are fully compliant with the GDPR.”

Further to the AP’s guidance on awareness of phishing attacks, Kroes highlighted that, “All organisations are under a legal obligation to take sufficient security measures, especially to protect personal data, and this surely also includes an obligation to educate personnel on the risks of phishing. According to the AP, all cases of phishing should be reported to it as a data breach. The AP already has taken enforcement actions against organisations who have failed to report data breach incidents, and also if the data breach is seen as resulting from failing security policies.”

Furthermore, it is worth noting how Dutch civil law treats the electronic solutions and documents on which organisations may need to rely at this time. Kroes notes, “As a general rule, Dutch civil law is light on formal requirements, and legal acts (like the offer to enter into an agreement, or its acceptance) may be made in any form, including electronically, for example through an exchange of email messages. However, there are exceptions. For example, the law requires an employment agreement with a non-compete obligation to be entered into ‘in writing’. Dutch law provides that this formal requirement may also be met through electronic means provided that certain conditions are met, including the condition that the identity of the parties can be established with sufficient certainty. The use of electronic signatures may help to meet this requirement.”

Expanding on the above, Kroes recommended, “When implementing digital signature solutions, organisations should ensure that employees are properly instructed about their secure use. If possible, the technology should include safeguards to ensure that employees can only apply these solutions to the extent that they are legally authorised to represent the organisation. If an employee applies a digital signature in a situation where they were not authorised to do so, this will generally be for the risk of the organisation which has chosen the digital signature solution, and not for the third party who relies on its validity.”

Lastly, Kroes concluded, “While the security of digital systems is crucial for the protection of personal data, organisations should be aware that they also need to protect personal data that are handled outside of their digital systems, especially now employees work from home. Given current circumstances, employees are more likely to print out sensitive information and/or to keep business (confidential) documents at home. For certain types of records, it may be advisable to consider technical security measures, like the option to disable forwarding, copying or printing from home.”

Greece

The Ministry of Digital Governance issued, on 30 March 2020, guidelines (‘the Guidelines’) on securely working from home. In particular, the Guidelines highlight, among other things, the use of end-to-end encryption during communications, two-factor authentication, the avoidance of public networks as they are more prone to hacking, and the monitoring of devices connected to home networks.

In relation to the key practical steps organisations must take to ensure information security, Spiros Tassis, IT and Privacy lawyer, and Chairman of the Hellenic Association for Data Protection and Privacy, told OneTrust DataGuidance, “With the rise of e-commerce services, users should choose established and known websites and [avoid] social media accounts that offer cheap and not verified protective goods, since many of them hide trojans and other malware. It is also pinpointed that banks or other organisations [should not] request the transmission of user accounts or passwords over the phone or via an email.”

In addition, Alexandros Manousakis, Senior Partner at ALG Manousakis Law Firm, told OneTrust DataGuidance, “when available, employees should also enable the two-factor authentication and access online services using biometric data, such as fingerprints. They should also monitor the devices connected to their home network and change the password of the network router as well as the network name/SSID in case of identification of unknown devices.”
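“Monitor the devices connected to your home network” is advice most employees cannot act on without a starting point. The router already keeps one: its DHCP lease table. The script below is an added example, not code from the Greek Guidelines or from the article, that reads a dnsmasq-style lease file, compares each MAC address with a household’s known-device list, and reports anything else, together with a passphrase generator for the “change the router password” step. The lease lines, the known-device list and the assumed dnsmasq line layout (`<expiry> <mac> <ip> <hostname> <client-id>`) are constructed. It also handles the edge case that defeats naive allowlists: modern phones randomise their MAC address per network, so they appear as an unknown device every time; the script recognises such addresses by the locally-administered bit and labels them separately rather than raising a false alarm.

```python
"""
Spot devices on the home network that are not on the household's known-device
list, starting from the DHCP lease file the router (dnsmasq here) keeps anyway.

Added example; not code from the Greek Guidelines or the article. The lease
lines, the known-device list and the dnsmasq line layout assumed here
(<expiry> <mac> <ip> <hostname> <client-id>) are constructed.
"""
import secrets
import string

# Constructed allowlist: MAC address -> device the household recognises.
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": "alice-laptop",
    "b8:27:eb:aa:bb:cc": "printer",
    "f0:9f:c2:01:02:03": "smart-tv",
}

# Constructed /var/lib/misc/dnsmasq.leases content (hypothetical, not real data).
SAMPLE_LEASES = """\
1585567200 3c:22:fb:10:20:30 192.168.1.23 alice-laptop 01:3c:22:fb:10:20:30
1585567300 b8:27:eb:aa:bb:cc 192.168.1.40 printer *
1585567400 00:11:22:33:44:55 192.168.1.77 * *
1585567500 d2:5f:a1:33:44:55 192.168.1.78 android-7f3 01:d2:5f:a1:33:44:55
"""


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: the address was not assigned by
    a manufacturer, which is what phones' per-network MAC randomisation produces."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_leases(text):
    """Yield one dict per dnsmasq lease line (expiry mac ip hostname client-id)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield {"expiry": int(parts[0]), "mac": parts[1].lower(), "ip": parts[2], "host": parts[3]}


def find_unknown(lease_text, known):
    """Return (mac, ip, hostname, reason) for each lease whose MAC is not in `known`."""
    unknown = []
    for lease in parse_leases(lease_text):
        if lease["mac"] in known:
            continue
        if is_locally_administered(lease["mac"]):
            reason = "randomised (locally administered) MAC; re-identify the device"
        else:
            reason = "MAC not in known-device list"
        unknown.append((lease["mac"], lease["ip"], lease["host"], reason))
    return unknown


def new_passphrase(length=24):
    """A fresh Wi-Fi passphrase from the OS CSPRNG, for after an unknown device is found."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for mac, ip, host, reason in find_unknown(SAMPLE_LEASES, KNOWN_DEVICES):
        print(f"{mac}  {ip:<15} {host:<14} {reason}")
    print("suggested new passphrase:", new_passphrase())
```

On the constructed leases the report lists one genuinely unknown device (`00:11:22:33:44:55`, no hostname) and one randomised address that is probably a family phone; only the first warrants the password and SSID change the Guidelines recommend. Changing the SSID does also have a side effect worth knowing: phones that randomise per network will generate a new address for the renamed network, so the known-device list should be rebuilt afterwards.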

Moreover, the Guidelines give recommendations on how to avoid potential obstacles which are associated with teleworking. Concentrating on the obstacles employers face when setting up teleworking, Manousakis noted, “Teleworking might make it difficult to oversee the workforce regarding confidentiality of corporate information and compliance with policies and procedures (e.g. use of personal devices) and might cause a crisis in the relationship of employers and employees (a test of the relationship of trust). Employers should provide the employees with all necessary IT tools and support, virtually train them when necessary and accept the risk of technical problems arising (e.g. from home network) […] Finally, special attention should be given to home smart devices (e.g. Alexa, Google Home) and employees should be instructed to turn their speakers off when making a business call to ensure confidentiality.”

Furthermore, beyond the protection of digitally stored data, and addressing the physical protection of data, including data stored on USB sticks, Manousakis stated, “Employees must pay attention and protect the corporate devices (e.g. cable locks) and ensure even at home that no unauthorised access is performed. A simple solution would be to work in a closed-door room, use lockers or desk drawers and not leave corporate material (e.g. documents, USB sticks) lying around the house unattended.”

Finally, in relation to additional proposals on how to deal with the obstacles and uncertainties created by teleworking, Tassis suggested, “a good practice would be to use shared folders in the company’s cloud instead of local folders in the home device [and in relation to BYOD], the devices of the employees need to be checked before connecting to company’s electronic resources.”

