Organizations of all sizes are facing daunting technological and logistical challenges, as much of the country’s workforce adjusts to working remotely.  Privacy and data security risks only add to these challenges.

This is because bad actors are already taking advantage of new opportunities presented by telework, and state and federal regulators are showing no sign of relenting on enforcing new and existing regulations.  So, what can organizations do to minimize the data protection risks of a newly remote workforce?

A good place for any company to begin is to take stock of existing policies and procedures that relate to data protection.  If your organization processes the sensitive personal information of even one New York or Massachusetts resident, it should have a Written Information Security Program, or WISP, in place that governs the administrative, technical, and physical safeguards your organization has adopted to protect that sensitive personal information.  Where WISPs are required, organizations must also evaluate and adjust their WISPs in light of material developments affecting the organization, such as the present shift to an emergency at-home work environment.  At a minimum, organizations of all sizes should review their WISPs to ensure appropriate flexibility and protection in light of the current pandemic. 

In this same vein, an organization facing distributed remote work should review its Incident Response Plan, which, like a WISP, is also required under certain regulatory regimes.  A good plan will identify key incident response team members as well as their roles in relation to incident response, describe the steps to take in responding to an incident, and identify key third parties, such as forensic vendors and counsel, who must be contacted quickly.  The worst time for an organization to be reviewing its plan, however, is when an incident has occurred, especially when the organization is under significant outside stress.  At the very least, organizations facing emergency remote work should assemble their incident response teams—virtually—to discuss appropriate roles and what to do in the event of a security incident.  Organizations should also ensure that their vital outside vendors are ready, willing, and able to provide crucial support at a moment’s notice.