By Dana Howard and Nealy Williams
Stoll Keenon Ogden
The COVID-19 pandemic has cast a spotlight on the importance of cybersecurity for newly remote-workplaces. As the number of teleworking employees increases, so too does an employer’s exposure to cybersecurity threats. After first ensuring that your employees have secure internet connections at their homes, there are additional data privacy related issues companies should consider and steps you can take to help you safely operate their businesses remotely.
Utilize Best Practices for Video Conferencing
Video conferencing platforms provide an efficient and convenient means to hold meetings with remote workers. Use of the platforms without proper safeguards, however, can expose the sensitive information of your company to attackers. Specifically, an attacker could enter a video call undetected and eavesdrop. A simple way to protect your company’s information from video conference eavesdropping is to require meeting participants to enter a password to gain admission. While most video-conferencing platforms permit meeting organizers to set passwords or even automatically generate default passwords, research conducted in January of 2020 suggests that unencrypted meetings are still routinely scheduled and held.
Companies should update their technology policies to require each video conferencing meeting to be password protected.
Companies should also require that the selected password be “secure” and define that term in the company policies. Below are a few tips to construct your company’s “secure” password policy:
- Consider establishing a password character length;
- Consider requiring the inclusion of numbers, special characters, upper-case letters, and lower-case letters;
- Consider require unique passwords for each conference call;
- Consider requiring a “passphrase;” and
- Consider requiring the use of a password manager.
Companies should also remind their employees to be cognizant of the backgrounds during their video calls with clients or third parties. Specifically, employees should ensure that there are no posters, post-it notes, computer screens, or other visuals in the background that reveal confidential and proprietary company information during video calls. Employees may consider altering the default settings of their video calls to blur or distort their background, e.g., Zoom allows users to “blur” the backgrounds.
Exercise Vigilance Against Phishing
Some studies have estimated that 90 percent% of data breach incidents originate from phishing and social engineering schemes. Phishing is a form of fraud in which an attacker disguises itself as a reputable entity or person in email or other communication. The objective of a phishing attack is to obtain information from the victim, which may then be used to execute other phishing schemes or access business or financial accounts. An attack may be made through an email tricking the victim into clicking on a link or opening an attachment that installs malware on the victim’s device or an email directing victims to phony websites set up to trick them into divulging confidential information.
A popular goal of phishing schemes is to obtain company credentials (log-in and password information) that may be used to access company systems and databases. Attackers can use this information to make it appear as if they are legitimate users of the systems. One way that companies can avoid the impact of such schemes is to require multifactor authentication for access to their virtual private networks (VPNs) and important company databases. Multifactor authentication is a security enhancement that requires you to present two pieces of evidence from two different categories when logging into an account. For example, employees may enter a password on their computers to access the company’s VPN and then confirm the log-in attempt through an app installed on their personal devices.
Another emerging phishing technique is voice-spoofing, whereby an attacker creates a realistic voice impersonation of a trusted individual using artificial intelligence. As with traditional phishing attacks, the objective of voice-spoofing, or vishing, is to trick people into disclosing their sensitive information. Employees should be trained not to provide sensitive business information over the phone without first confirming the identity of the caller through other means and then calling the individual back. Employees should also be extra vigilant when answering unexpected calls or receiving unexpected texts from supposed business contacts.
Companies should train employees to identify common phishing schemes and instruct them on how to report suspected phishing attempts. Below are a few tips to help detect phishing messages:
- Beware spelling and grammar errors in the body of the email;
- Beware spelling errors in the sender address;
- Beware unsolicited messages containing attachments, links, or log-in pages;
- Beware generic and/or informal email greetings (i.e. “Hi Dear”); and
- Beware phone calls from unknown numbers ostensibly made by trusted individuals.
This is also a good time to review and revise cybsecurity/data breach response policies and protocols to account for contingencies related to the new remote work environment, including ensuring that each member of the cybersecurity/data breach response team is equipped to perform their designated response function from their remote workspaces should a data breach occur. Companies should also consider testing their data breach response plans with a mock data breach drill.
Health Care Providers Should Offer Telehealth Services with Remote Video Technologies
If you are a covered health care provider wanting to provide or providing telehealth to patients during the COVID-19 public health emergency, the Office of Civil Rights (OCR) at the Department of Health and Human Services has issued guidance regarding compliance with regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Specifically, OCR has issued a Notice providing that covered health care providers subject to HIPAA Rules “may [in good faith] seek to communicate with patients, and provide telehealth services, through remote communications technologies,” even where the technologies and/or manner in which they are used may not fully comply with HIPAA requirements. In such cases, the OCR has determined not to impose penalties for noncompliance with HIPAA rules. To take advantage of this opportunity, you should adhere to the following guidelines:
- Use any non-public facing remote communication products. For clarity, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing and may not be used;
- For best practices, provide telehealth services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAA) in connection with the provision of their video communication products; and
- Consider using the following vendors that have represented they provide HIPAA-compliant video communication products and will enter into a HIPAA BAA: Skype for Business/Microsoft Teams; Updox; Vsee; Zoom for Healthcare; Doxy.me; Google G Suite Hangouts Meet; Cisco Webex Meetings/Webex Teams; Amazon Chime; and GoToMeeting.
Thankfully, OCR’s notice applies to all telehealth services provided during the COVID-19 public health emergency regardless of whether the services are related to the diagnosis and treatment of health conditions related to COVID-19.
Continue Implementing Policies and Procedures to Comply with The California Consumer Protection Act
If you were in the midst of efforts to ensure your company is compliant with the California Consumer Protection Act (CCPA) rules and regulations before the COVID-19 public emergency, do not stop those efforts.
Although addressing compliance issues from a remote location and with a remote workforce certainly poses additional challenges, the California Attorney General has declined requests to delay enforcement actions stating publicly that the Attorney General’s office is committed to enforcing the law no later than July 1, 2020.
If your company collects personal information from California residents and you are still unsure whether the CCPA applies to you, now is the time to make that determination.
Dana Howard is a member at Stoll Keenon Ogden; Nealy Williams is an attorney at Stoll Keenon Ogden.