Privacy concerns in working from home during COVID-19

IT security specialists deal with threats everyday, this is part of their daily work in an ever-growing business. But with the recent, unprecedented move to employees working from home, are security teams focusing enough on the potential issues that employees can create while working remotely during this heath crisis? Specifically, are privacy issues being sufficiently reviewed before new technology is implemented?

 
Whether it’s HR, sales, finance, marketing, etc., employees in all departments expect to be able to continue their professional activities from the comfort of their own homes. As employees shift to working from home, organizational leadership expects IT teams to understand how any one of a number of privacy regulations apply when the workforce is no longer protected behind the proverbial corporate firewall. While remote/mobile workers are not new, the sheer scale caused by the COVID-19 pandemic is forcing IT teams to test the limits of many internal policies.

 
In healthcare, for example, where HIPAA and HITECH have long enforced protection of patient information, employees that previously would never have been allowed to work from home, are now safely ensconced in their home office with potential access to vital patient data. The Personal Information Protection and Electronics Documents Act (PIPEDA) in Canada regulates how Canadian organizations collect, use and disclose an individual’s personal information. The Payment Card Industry Data Security Standard (PCI DSS) regulates merchant or a service provider storing, transmitting, or processing cardholder data (especially with cash payment declining) in order to ensure card data remains safe. But now, with employees moving in droves to work from home, the scope of data for any of these compliance frameworks has been dramatically expanded and the methods of sharing this data are being stretched to their limits.

 
All organizations, whether beholden to a regulatory framework or not, should be very concerned about accidental personal and sensitive data disclosure through the usage of sharing tools. Recently, a very popular video conferencing solution has made the headlines for all the wrong reasons. Between a privacy policy that states customer data is not very “private” or a known issue where video conferences could be easily hacked, this company is finding that being the darling of the tech world comes with a price. Consider both scenarios where employees now have the potential to share information, such as the COVID-19 health status of employees, through such tools. Insecure tools can result in personal data leaking into the unknown realms of the internet, never to be recovered again. Some of these products will take it all, words spoken, transcripts generated, videos, documents shared on screen, names of participants, your face and the background attendees are sitting in front of. The terms of use allow these sharing tools to gather and re-use information collected at the time of usage and thereafter. Regulatory frameworks very likely consider this information sharing unacceptable.

 
Information sharing is vital, especially with the workforce now spread across the globe. Everyone using any “sharing” tools, which includes social media, should consider whether business-sensitive or personal information is required for the conversation at hand. Security teams must also perform a thorough review of all sharing tools, including the review of data privacy policies as well as known application vulnerabilities, before deciding whether to implement the tool. In times like these, you can’t be too careful with personal information.