Summary

With the Covid-19 Pandemic forcing more employees than ever before to work from home (“WFH”), businesses face new and different data privacy and security risks. This change is not lost on U.S. regulators, but it does not mean that businesses will get a pass on data privacy and security issues potentially caused by the shift in working conditions. In an effort to help businesses navigate these new circumstances, BCLP has prepared a series of articles on addressing data privacy and security issues in a WFH environment.

As noted above, regulators, like the Federal Trade Commission (“FTC”), understand that many businesses now find employees working from home in numbers and manners that are unprecedented. The FTC has provided guidance[1] on things employees can do to secure their WFH operations such as, securing their home network, safely disposing of sensitive data, and following employer security policies, among other things.

But, just because the FTC recognizes that businesses are coping with unexpected, novel problems, it does not mean that the FTC will not be using its Section 5 authority to enforce data privacy and security rules. The guidance the FTC has provided could be used as a template for FTC enforcement in the future: if a business suffers a data breach or mishandles consumer data because it failed to take some of the steps outlined in the FTC guidance, expect the FTC’s judgment to be especially harsh.

“We told you so,” is not something you want to hear from a regulator, especially if you have just suffered a data breach. So how best to avoid having a discussion like that with a regulator?

• Pay special attention to your regulator’s guidance. If you have a primary regulator and they put out guidance on work from home issues, you should make an effort to follow their lead. If you do not have an entity you consider to be your primary regulator, take a cue from the FTC’s guidance since it is a default regulator for most US-based businesses.
• Take steps to show that you are aware of the risks and are taking steps to mitigate them. Keep in mind that perfection isn’t expected, instead what is expected is taking reasonable precautions under the circumstances. By taking basic steps to address the new WFH security and privacy realities, you give your business a leg up in defending itself if something does occur.
• Talk with your security and privacy teams. They know what new points of friction have sprung up since your workforce started working from home. Develop a plan of action with those teams to address the new issues that they face.
• Stay alert. Many regulators and law enforcement agencies have noted new Covid-19 related scams and threats. Be aware of those issues and alert your employees to them. This goes back to the “We told you so” problem; if there are alerts on a scam and your employees fall for it after the alerts are provided by regulators, then the regulator or plaintiffs’ attorney is very likely to focus on a lack of diligence when they knock on your door.
• Stay tuned to this space. This article is a high level overview; the coming weeks will include dives into topics like network security, laptop security, planning with your IT team, incident response in a WFH world, among many others.

This article is part of a multi-part series published by BCLP to help companies understand and cope with data security and privacy issues impacted by the Covid-19 Pandemic.  You can find more information on specific data privacy and security issues in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

[1]  www.consumer.ftc.gov/blog/2020/03/online-security-tips-working-home