Cyber Security, Data Protection and Covid-19
Home working has become the new norm and may even remain that way for the foreseeable future. It is important that businesses ensure that data protection requirements are not forgotten, and that cyber-security is sufficient to meet the demands of scattered, remote workforces.
The Cyber Security Breaches Survey 2020
Businesses have been busy in recent months updating security systems. The Cyber Security Breaches Survey 2020, recently published by the Government, concludes that cyber security is now higher on the agenda for many businesses than it has ever been before. In part, this is down to GDPR raising awareness of the risks posed to businesses by weak cyber security now that consequences for security breaches have become much more serious. Businesses have been taking active steps to combat those security risks.
The nature of threats has also evolved, with businesses more frequently on the receiving end of phishing attacks than virus attacks or ransomware (although these attacks still happen). The survey concludes that this may be partly due to the very success of the security measures businesses have recently implemented to combat viruses and malware.
The survey also points out that supplier risk, audit processes and the reporting of breaches are areas where performance is not so good and there is more work to be done by individual organisations.
However, since the survey was carried out, the world has been turned upside down by COVID-19. Businesses have had to react quickly and adopt brand new working practices in very short timescales. Whilst many organisations may previously have allowed some flexibility for people to work from home, this was usually the exception rather than the rule, but is now essential to maintain business.
The new reality
The new reality is that whole workforces are now locked down at home. Businesses have had to reinforce existing systems or introduce totally new ones to cope with the increased remote working demand. Many have quickly adopted the use of existing third-party platforms for collaborative working. With such a dramatic change of practice in such a short space of time, it is possible that gaps in cyber security, data protection and intellectual property protection may have been overlooked.
The recently changed data protection legislation imposes weighty requirements for the security of personal data. To what extent do businesses’ new home-working arrangements take this into account?
The security principle of GDPR and UK data protection legislation requires businesses to have in place ‘appropriate technical and organisational measures’ to protect personal data. ‘Appropriate’ is not defined, but it is considered in its specific context. Whilst that may mean that businesses are cut some slack during the pandemic, it could also imply that where the workforce and therefore the information it uses is more physically widespread, the risks are increased and additional technical and organisational measures need to be implemented to address them. As well as technical measures, the provisions require businesses to undertake a risk assessment before any new software or system of working is introduced.
What you should do to minimise risk
What steps should businesses be taking to ensure that current and new working practices do not increase risks to cyber-security and data protection?
We recommend undertaking a risk assessment, if not already completed. This should include reviewing the security of all new hardware, software, systems and procedures that are in use, and mapping the new data flow through the organisation to reflect the new working methods in place across the business. Also, revisit any analysis of risks posed by suppliers to business assets which may include intellectual property and personal data. Suppliers will also be working in a different way and their different approaches may impact on the security of your business’s intellectual property and the personal data your business is responsible for.
Where new third-party software or collaborative platforms have been adopted, they should be properly evaluated from a security perspective. Also, check the associated terms and conditions and make sure that terms concerning data privacy, data location and routing, and data ownership meet the requirements of UK legislation. Make sure that you know who has access to any data or communications on the software platform and that this access complies with legal, organisational, business and security requirements. Do intellectual property provisions align with your business strategy? Check which law governs the terms and conditions because this is most likely where you would have to deal with any disputes. Make sure that you are aware of what analytical information may be derived from your use of the software or collaborative platform, so that you can protect commercial or competitive advantage that might otherwise unwittingly be divulged.
Technical steps such as encryption of data and introducing remote disabling of devices will increase data security for devices used outside of the office. However, breaches will always remain a possibility and businesses should ensure that staff are aware of how to report security issues when they are not in the office and that they feel confident and comfortable to do so.
Communicate with your workforce
Remind staff periodically about spotting phishing emails and other cyber security risks, locking screens when away from them, using strong passwords, storing equipment safely at home, updating software regularly so that security updates are installed, taking regular backups if not on a central system, and switching off devices when not in use.
The Information Commissioner’s Office has outlined that it will take a pragmatic and proportionate approach to data protection, including security breaches, during the COVID-19 pandemic. However, they are clear that data protection legislation still applies during this period to protect people and their personal information and they will not ignore serious breaches or flagrant abuse of the circumstances. One day, when hopefully we all return to ‘normal’ (whatever that new normal may be) these new working practices may remain, and at that time there will be less leniency.
Short-term fixes do not always translate into the best long-term strategy. If homeworking is here to stay, it is worth investing time now to ensure that software is right for your business, is sufficiently secure, and protects your business, its intellectual property and your customers’ personal data.
If you need advice on data protection during the pandemic, including dealing with security breaches, guidance on intellectual property matters or reviewing terms and conditions, please contact Keith Kennedy, Head of Corporate & Commercial, on 0161 684 6942 or at firstname.lastname@example.org. Our lawyers combine technical expertise on the above issues with fast, practical advice on how to ensure you meet your continuing legal obligations in these challenging times.
Please note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers LLP or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.