Organizations of all sizes are facing daunting technological and logistical challenges as much of the country’s workforce adjusts to working remotely. Privacy and data security risks only add to these challenges: bad actors are already taking advantage of the new opportunities that telework presents, and state and federal regulators are showing no sign of relenting on enforcing new and existing regulations. This LEGALcurrents briefly addresses what organizations can do to minimize the data protection risks of a newly remote workforce and explains some of the key regulatory considerations to keep in mind.
A good place for any company to begin is to take stock of its existing data protection policies and procedures. If your organization processes the sensitive personal information of even one New York or Massachusetts resident, it should have a Written Information Security Program, or WISP, in place that documents the administrative, technical, and physical safeguards the organization has adopted to protect that information. Where a WISP is required, the organization must also evaluate and adjust it in light of material developments affecting the business, and the present shift to an emergency at-home work environment is exactly such a development: home networks, personal devices, and consumer collaboration tools are now part of the environment the WISP is supposed to govern. At a minimum, organizations of all sizes should review their WISPs to ensure appropriate flexibility and protection in light of the current pandemic.
In this same vein, an organization facing distributed remote work should review its Incident Response Plan, which, like a WISP, is also required under certain regulatory regimes. A good plan will identify key incident response team members as well as their roles in relation to incident response, describe the steps to take in responding to an incident, and identify key third parties such as forensic vendors and counsel, who must be contacted quickly. The worst time for an organization to be reviewing its plan, however, is when an incident has occurred, especially when the organization is under significant outside stress. At the very least, organizations facing emergency remote work should assemble their incident response teams—virtually—to discuss appropriate roles and what to do in the event of a security incident. Organizations should also ensure that their vital outside vendors are ready, willing, and able to provide crucial support at a moment’s notice.
Lastly, in relation to regulatory oversight, no relief is readily in view for most regulated organizations, including under the NY SHIELD Act. The safeguards provisions of the SHIELD Act took effect on March 21, 2020, and include a specific requirement to dispose of private information within a reasonable time after it is no longer needed for business purposes. With employees downloading work data to local devices so they can work while disconnected from the organization’s network, proper disposal of regulated data will be far more difficult than it was before the pandemic: an organization cannot dispose of copies it does not know exist, so it should be tracking where private information is being saved outside its normal systems. There has been no indication from the New York authorities that SHIELD Act enforcement will be paused during the pandemic, or that amnesty will be granted to organizations that did not have a SHIELD Act–compliant WISP in place by the March 21 deadline. Similarly, the New York Department of Financial Services has not lifted the 72-hour cybersecurity event notification deadline that 23 N.Y.C.R.R. Part 500 imposes on the financial institutions within the Department’s regulatory reach. Nor has the California Attorney General’s office indicated any willingness to put off enforcement of the California Consumer Privacy Act, which can begin as of July 1, 2020.
How We Can Help
The HSE Privacy and Data Security Team remains available, 24/7, at 1-800-232-3021 to support you in this crisis and answer your privacy and data security questions, including in relation to the special challenges of remote work. For further information about our deep privacy and data security bench, please visit our Privacy and Data Security practice group.