When companies were forced to send workers home quickly at the onset of the Covid-19 pandemic, they inevitably had to make certain compromises. For example, physical security requirements, which are possible in an office setting, were forgone in workers’ homes. On the other side of the coin, workers who normally would not have to invite their coworkers into their homes suddenly had at least part of their living situation exposed on videoconference meetings for all to see.
As the pandemic eases and businesses move towards permanently changing their operations — including an increased focus on allowing (or even requiring) people to work remotely some or all of the time — they need to grapple with the long-term privacy and information security implications of these changes. While a temporary business continuity program inevitably results in certain compromises, a business-as-usual approach to remote work requires security and privacy risks to be addressed to ensure compliance with industry practices, customer commitments, and regulatory requirements.
New Security Considerations
A key part of any information security program is physical security: how are devices, credentials, printers, and workspaces protected from intruders? Once a physical barrier is breached, it can be easier for a malicious party to access digital assets and exfiltrate data. Even if no malice is involved, family members can overhear sensitive conversations or see information over a worker’s shoulder, which raises confidentiality concerns. Or a worker could surreptitiously outsource their work to another person who has not been vetted or trained by the employer. A worker could also decide to start working from an unapproved jurisdiction, raising compliance concerns about cross-border data transfers.
While some highly sophisticated at-home workers can dedicate a room in their home to work, and allow their employer to install centrally controlled access controls and monitoring, that is the exception rather than the rule. Most workers do not have a spare room to dedicate solely to work, and the prospect of remote work is less appealing if it creates massive new physical security costs for the employer. After all, it is far easier and cheaper to secure one central location than hundreds or even thousands of individual remote work locations.
However, where one security barrier is lowered, others can be raised to compensate. Many solutions are available to businesses, and the best approach will depend on the nature of the business and the work. Some examples include robust multi-factor authentication tools, including biometrics or human visual checks through webcams to ensure the person doing the work is indeed the approved worker; privacy screens to limit shoulder surfing; headsets to limit eavesdropping; and strict limits on remote workers’ data access to minimize the sensitivity of information visible on screen, discussed on the phone, or available to be exported by the worker. Various tools and guidelines are available both from the private sector and from regulators to help understand and mitigate these risks.
Of course, knowing your workers is the first step towards trusting them, and a comprehensive pre-hire background check, as well as ongoing monitoring as appropriate for the industry, jurisdiction and role, are must-haves before entrusting a remote worker with access to an organization’s systems, data, and assets.
Many of the tools available to businesses to improve security in remote workplaces involve compromises of worker privacy: increased monitoring of system usage and even webcams to watch workers live; audit rights to allow the employer to physically or remotely view the workspace, which is part of the worker’s otherwise private home; and authentication techniques that require the use of identifiers which are intrinsic to the worker’s identity, like fingerprints, retina scans, facial geometry, or other biometric information.
Corporate decision makers must take these privacy compromises into account, both from a compliance perspective and from the point of view of worker morale. Will workers feel comfortable giving up some privacy, or will they chafe at the intrusion? Of course, where a particular type of data collection is outright forbidden — as is the case with biometric data in some jurisdictions — alternative means must be used, like an occasional visual check-in with a supervisor (one human seeing another is not categorized as biometric data processing in most privacy laws, whereas a computer analyzing facial features may very well meet that standard and be subject to stringent rules). More often, though, the privacy assessment of new technologies will depend on what constitutes a reasonable and proportionate balance of the employer’s obligation to maintain a secure environment and the worker’s right to privacy. This requires businesses to consider different approaches to mitigating privacy risks and, all other things being equal, selecting the ones that best protect worker privacy while still meeting the business’s security obligations. If system activity needs to be monitored, can that monitoring be turned off while the worker is on a break? If visual check-ins are required, can workers use a privacy filter to avoid showing their home in the background? And perhaps most importantly: can workers be offered the opportunity to remain in an employer-controlled workspace if they do not wish to be monitored in their home at all?
Businesses that choose to move towards allowing (or mandating) more workers to work remotely will need to balance these security and privacy considerations in the context of their business. As more businesses move in this direction, tools will continue to proliferate in the marketplace to support these considerations and, perhaps, a consensus will eventually emerge as to how best to mitigate security and privacy risks in a remote work environment.
This blog post is part of a Compliance blog series, diving into compliance trends, best practices, and updates.
Sterling is not a law firm. This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.