Business Disruption Planning – Part 2 – Data Privacy and Information Security

Business as Usual.  Remote or otherwise.

For many businesses, moving to a remote workplace as an adaptation to the Coronavirus is an effective and efficient means of business continuity.  However, the logic and rationale of doing so falls apart if the data privacy and security procedures and processes you have (or should have) in your office fall apart when people start working remotely from their homes.  Of course, it does not need to be that way.  Please consider the following broad data privacy and security checklist for your business, your employees and contractors to minimize the chance of further business disruption, damage or of a data breach:

  1. Beware of phishing or related scams that attempt to take advantage of employees’ desire to learn more about, or fear of, COVID-19.  Both nation-state actors and scammers are looking to profit and disrupt by taking advantage of the current state of public uncertainty.
  2. Make sure all devices used for work, including home computers if they are used for remote work, have up-to-date firewalls and security software (i.e., anti-malware/spyware) installed.
  3. Do not download anything to the computer or other device (i.e., tablet, smart phone, etc.) used for work without proper security scanning and/or confirmation with your IT department or provider.  This includes Apps on your phone or tablet as many include spyware or otherwise obtain access to your device, and your business information, in ways that could be very harmful.
  4. Do not save or share work product or information on any personal hard drive or cloud account.
  5. Use a VPN or other similar interface to access and use business data and information.
  6. Check your download file several times a day and do not inadvertently save sensitive information not meant to be saved.
  7. Implement two-factor authentication if not already in use, and if in use at the office, make sure it is also used for remote workers.
  8. Encrypt and protect any external devices containing work materials.
  9. Consider imposing limitations on where people can work so third-parties are unable to physically view work product or client information.  While remote work may be confined to individual homes today, that possibility could change in the future.
  10. Do not ever use public WiFi for work.
  11. Be aware of and consider both employee privacy and applicable rules, regulations and laws (which typically take into account the public interest and health/safety of employees) in making decisions about who to inform and how to inform in the event any employee, contractor or vendor is or may be infected with COVID-19 as there are numerous considerations.  For example, do you identify the individual to some or all co-workers, or just to management, or just to certain employees, or to nobody?  What if the individual does not want anyone to know?  Do you inform public health officials?  Do you inform clients?
  12. Know what your rights are to obtain, inspect or download information from an employee’s computer or device used at home for work when that computer or device belongs to the employee.
  13. Make sure you check in on your employees to make sure they are following your data privacy and security guidelines and rules.

In addition to the above, it is even more critical than ever that you develop and implement a business continuity plan and an Information Security Policy and that your employees are properly trained their terms.  Many businesses are struggling today because they are trying to recreate the wheel when they should have been prepared to just hop in the car.  The foregoing is not just in connection with COVID-19.  With such policies and procedures in place in advance, transitioning to alternative working arrangements for any situation (disaster or simply for an office remodeling) becomes easier and less fraught with problems.

Plan ahead, plan intelligently and learn to thrive in an adverse environment.

For more information, assistance or guidance, please contact our Data Privacy and Information Security group leader, Michael J. Feldman ( or 908-964-2486).