Privacy and Data Security Risks During COVID-19 Pandemic

Organizations of all sizes are facing daunting technological and logistical challenges, as much of the country’s workforce adjusts to working remotely.  Privacy and data security risks only add to these challenges.

This is because bad actors are already taking advantage of new opportunities presented by telework, and state and federal regulators are showing no sign of relenting on enforcing new and existing regulations. So, what can organizations do to minimize the data protection risks of a newly remote workforce?

A good place for any company to begin is to take stock of existing policies and procedures that relate to data protection.  If your organization processes the sensitive personal information of even one New York or Massachusetts resident, it should have a Written Information Security Program, or WISP, in place that governs the administrative, technical, and physical safeguards your organization has adopted to protect that sensitive personal information.  Where WISPs are required, organizations must also evaluate and adjust their WISPs in light of material developments affecting the organization, such as the present shift to an emergency at-home work environment.  At a minimum, organizations of all sizes should review their WISPs to ensure appropriate flexibility and protection in light of the current pandemic. 

In this same vein, an organization facing distributed remote work should review its Incident Response Plan, which, like a WISP, is also required under certain regulatory regimes. A good plan will identify key incident response team members as well as their roles in relation to incident response, describe the steps to take in responding to an incident, and identify key third parties, such as forensic vendors and counsel, who must be contacted quickly. The worst time for an organization to be reviewing its plan, however, is when an incident has occurred, especially when the organization is under significant outside stress. At the very least, organizations facing emergency remote work should assemble their incident response teams—virtually—to discuss appropriate roles and what to do in the event of a security incident. Organizations should also ensure that their vital outside vendors are ready, willing, and able to provide crucial support at a moment’s notice.
