Data Privacy During Work From Home (WFH): Best Practices

Introduction

With most businesses choosing to operate entirely or with a substantial portion of their workforce outside the office, data privacy and security becomes an increasingly important policy decision for employers. While several individuals have hailed work-from-home (WFH) as a panacea from a business continuity and cost perspective, that should not divert attention from the issues surrounding it. 

Office networks are generally better protected against data loss, security and privacy risks as significant investments are made in installing Virtual Private Networks, firewalls, anti-virus software as well as blacklisting dangerous IP addresses. A home network probably does not have the same level of security and therefore the aforementioned issues around data privacy in a remote work setting are a major concern for employers.

Despite the landmark judgement in the case of Justice K.S. Puttuswamy vs Union of India which affirmed the right to privacy, India is still in the process of creating a national data privacy law. The Personal Data Protection Bill, 2019 is under consideration before a Joint Committee of Parliament. There are also calls for the introduction of a law regulating non-personal data with the Ministry of Electronics and Information Technology setting up The Gopalakrishnan Committee for Non-Personal Data in September 2019.

However, companies must note that during work from home they become intermediaries under the Information Technology Act, 2000. The term is defined under Section-2(w) which explains that an intermediary is any person who on behalf of another receives, stores, or transmits electronic records or provides any service with respect to that record. Therefore, there is a degree of liability that is attributed to employers when it comes to data being handled by employees remotely.

While the future holds a lot of promise, employers’ concerns revolve around what can be done in the present to ensure that the data of their organisation, clientele and employees remains secure. Through the course of this lockdown, Simpliance has received several questions pertaining to the same, therefore we have come up with the following set of practices that should be followed to ensure company data remains secure.

Best Practices to Minimize Risk 

It is important to note that while there is no absolute guarantee of data security, the following measures significantly result in a reduction of risk and are beneficial from a governance perspective. These are as follows:

Internal Privacy Policies

While this might come across as an obvious policy measure with most companies having some sort of governing document, there are certain measures that must necessarily be a part of such a policy. Especially in the absence of a national legislation regulating the same. First, the policy must be periodically reviewed operating system patches and ensure that the same is up to date. Default access codes and passwords should be reviewed and changed to ensure employees use strong passwords that are less vulnerable to breaches. To this end, providing employees with unique IDs is another way security can be ensured.

Second, all company-owned hardware must be provided with antivirus programs that are up to date and all information systems must be periodically reviewed to ensure that they are updated with the requisite security controls.

Third, implementing a ‘clear desk and clear screen’ policy ensures that all forms of confidential information are secured from unauthorized access when devices are left unattended. To this end printing confidential emails, agreements and client data should be avoided as much as possible and any device left unattended should be locked so any information on the screen is not visible. This is a measure that may be difficult to monitor when employees are working remotely, however companies can encourage use of soft copies by using cloud-based sharing to ensure that confidential data can be shared easily.

Fourth, all customer data must be handled through documents that are password protected. It is recommended that a list of employees who have access to customer data be maintained and updated periodically. The same can be shared with the customer for full transparency and no other person outside these set of employees shall have access to such data. It is also recommended that such employees be trained and made to sign a declaration stating that they are aware of the rules relating to the handling of customer data.

Fifth and last, provisions relating to asset management and password management is essential to any internal privacy policy. The former relates to company hardware such as laptops, cell phones, USB drives etc. The objective of such a policy is to ensure that security controls are applied to all information assets and that they are managed properly by employees. To this end, a register of such assets with the individual in whose possession it is should be maintained. The latter addresses password security with regards to employees at all stages of their employment. It must comprehensively deal with the exit of employees as well as a periodic reset of passwords to ensure company data is secure.

Data Breach Incident Monitoring

Sometimes data breaches might occur despite the employer taking requisite security measures. Therefore, businesses should develop a response framework that includes provisions relating to communication of the breach, containment and analysis of the incident that results in a post-incident report. The same must be recorded carefully and used as a point of reference for future investigations. Breaches also reveal gaps in a company’s security framework, thus having an effective framework to deal with them would ultimately lead to better security overall.

Backup Policy

This aims to maintain a secure backup of all company data through appropriate mechanisms to ensure that even if the information is lost due to a breach, it can be easily restored from the relevant duplicate. To this end, all laptops must be backed up periodically and backup data should be classified based on confidentiality. Any data that is backed up to hardware devices such as external hard drives or USB drives must strictly be kept under lock and key at a secure location outside the office premises.

Remote Work Access

Several companies have taken steps to ensure that their employees are provided with company hardware. They have also implemented measures to ensure that their employees’ home networks are protected by VPNs (Virtual Private Networks). This ensures that data is safe during transit from the home network to the company’s core systems as it encrypts data during the same. VPNs also ensure that the IP address remains hidden thereby masking the location of the sender and receiver of the data. Here it is important to note that the VPN service that is deployed uses a strong level of encryption to ensure that vulnerability to hacking is low.

Another measure taken up by companies in this regard is using MAC (Media Access Control) binding which essentially ensures that work can be carried out only on company hardware. It links the MAC addresses of the LAN and WiFi interface of the company hardware with the VPN and thus only approved MAC addresses can use the VPN interface.

Another measure companies have implemented is multi-factor authentication that includes a password as mentioned above as well as a captcha or set of images to include another barrier to malware or hacking. There is also the implementation of Voice Over Internet Protocol (VOIP) that essentially converts the analogue services of cell phones to digital signals that can be sent over the internet. This ensures that incoming phone calls are automatically routed to your VOIP phone and are thus protected as your network is secure. The Department of Telecom has provided approval for the use of this technology as well making it the favoured choice of several companies especially call centres.

Client Services Contract Review

While the above measures relate to ensuring company data is secure, this one addresses liabilities the companies might have with respect to its vendors, clients, and service providers. All contracts must be reviewed to what rights and obligations are affected by remote work. Companies must then speak to the concerned party to request for a waiver or agree on a stop-gap arrangement until normal working conditions resume. Reviewing risk allocation is essential to ensure that disputes do not arise as they would be an added burden in challenging times.

Conclusion 

From the above, it is clear that ensuring data privacy is of utmost importance in any remote work setting. Companies must be willing to incur the costs associated as the alternative would be leaving confidential data prone to breaches. This would result in litigation and loss of goodwill which is far more valuable than the monetary expense associated with implementing such measures. Businesses should also keep in mind the nature of their undertaking while assessing the cost of such measures. For example, IT services firms who deal with large amounts of confidential data would require a greater degree of security and thus more expensive technology compared to someone engaged in businesses like manufacturing goods in a factory.

What measures has your organization taken to ensure data remains secure? Are there any additional measures that can be implemented?

Drop your thoughts in the comments below.

Disclaimer: This blog is meant for informational purposes and discussion only. It contains only general information about legal matters. The information provided is not legal advice and should not be acted upon without seeking proper legal advice from a practicing attorney. Simpliance makes no representations or warranties in relation to the information on this article.