In our third blogpost on this series covering the trickier challenges faced by employers during the coronavirus pandemic, we offer 4 practical tips on managing confidential information in lockdown.
Up until now the natural focus of many employers has mainly been about business continuation and finding ways to continue to function under unprecedented restrictions. This blog takes a slightly different tack. As a result of the current lockdown, many of us are now working from home, but without the office infrastructure that previously hummed silently alongside us, carefully shielding the organisation’s confidential information.
Video conferencing, now ubiquitous, presents its own challenges. Reports of hackers infiltrating webcams and software flaws enabling third parties to gain access to virtual meetings have already started to become part of business folklore. The truth is, however, that procedures to manage the circulation of confidential information are being stretched to their very limit, and in many cases are completely inadequate in this ‘new normal’. And yet, now more than ever, employers need to keep a tight reign on their confidential information to avoid damaging information breaches and the risk they pose to the business further down the line.
So here are our top 4 tips for managing confidential information in lockdown:
Tip 1: Carry out a confidentiality risk assessment
Working from home pre-coronavirus was deemed by many employers to be a privilege, and one extended only to those employees who were deemed to be most trustworthy. Often this “privilege” would be limited to a day or so a week and, even then, strict procedures may have been put in place to prevent confidential information (or material which was considered to be too sensitive to be allowed out of the office) from being taken home . Prior to agreeing such arrangements there may well have been a conversation around the measures those employees would take to manage the risk of a breach of confidentiality.
Fast forward to the 2020 lockdown and the number of employees working from home has increased exponentially, in many cases suddenly and with little or no preparation. The risk to a company’s confidential information has increased in parallel.
So what might a confidentiality risk assessment look like? Well, having seen rather too many photos of home “offices” in the last few weeks, an obvious risk to understand is how many of your employees have dedicated working spaces, and how many are sharing the kitchen table with non-employees (and potentially competitors). You will also need to understand the kinds of information your employees are accessing, the facilities they have to lock confidential information away, whether they are able to securely destroy hard copy documents, and the means by which they are accessing confidential information.
Your risk assessment can be carried out by email, but remember that if you are collecting personal data you will need to consider your lawful basis for doing so under the GDPR. That lawful basis may, for example, be the company’s legitimate interests (ie to protect its confidential information). In any case you will need to balance your company’s legitimate interests against the interests, rights and freedoms of your employees. Once you have considered this you should document your reasoning and communicate it.
The results of your confidentiality risk assessment will inform your actions. You might, for example, if the individual doesn’t have a secure place to store them, consider banning home printing of sensitive documents. This has obvious practicality issues (particularly among those of us who haven’t quite embraced “paperless” working) so you should ensure that you are realistic about what will work. An alternative might be to provide lockable storage and a shredder to those employees who need access to documents containing some form of confidential information. If this is impractical, or you are concerned that documents may still be left lying around, then think about making arrangements for the collection of those documents to be centrally and securely destroyed. For those employees without a dedicated and secure workspace or who are accessing highly confidential information, consider privacy filters for laptops, computers and mobile devices. These are relatively low cost and block light from all angles other than the front of the screen. This may be a worthwhile investment if you have concerns around third parties viewing your confidential information.
Tip 2: Lockdown your IT
Another risk to your confidential information is your IT hardware. A quick look at my laptop, even as I type this blog, reveals that there are 8 WiFi networks available for me to join. Of those, 2 are unsecured (one of which is named “Batman’s network” which I find unlikely). Ensure that your employees are following good IT security protocols. Access to public or otherwise unsecured WiFi networks should be banned, and Virtual Private Networks (VPNs) and dual-authentication should be used wherever possible. Passwords on local network routers should be strong, changed from the default, and certainly not “password”. Take advice from your IT team for specific guidance.
Make it a requirement for your employees to lock their devices when they are not actively working. This might not have seemed necessary in pre-coronavirus times when the only people who would have been able to see an un-monitored screen would be those authorised to be on the premises but, with your confidential information more exposed to the world than ever before, this is no longer the case. Bolster that protection by making it a further requirement that screensavers kick in after a very short period. If your IT supports biometric identification (for example a fingerprint scan), consider making its use mandatory.
Be aware that many employees will be tempted to use their own devices to work, and these may not be secure or kept up to date with the latest patches and anti-virus software. Consider carefully the risk to your business and its confidential information and whether it would be sensible to prohibit the use of non-corporate IT.
Tip 3: Give good guidance
There has been much mirth on social media about how couples are suddenly discovering what their partners do for a living by overhearing their telephone calls and video conferences. While this may be amusing, it is less so if those overheard discussions are sensitive, commercially valuable or otherwise inadvertantly disclose confidential information. Don’t forget that information breaches are not always malicious. What might seem like an hysterical anecdote for a teen to post on social media, could be damaging if your clients or competitors get wind of it. Bear in mind also the temptation among your employees to share their corporate devices, particularly if home-schooling. Your employee’s children are not your allies, and any attempt to subject them to your disciplinary procedure for a confidentiality breach is highly unlikely to be successful. Remind your employees of the need to protect your confidential information. They can do this by conducting their calls and video conferences away from other household members. Consider expressly prohibiting the sharing of devices.
In simple terms, be clear with your employees that they must take all necessary precautions to protect your confidential information, and that a failure to do so may be a disciplinary matter.
Tip 4: Encourage a “fess-up” culture
Accept that mistakes will be made in lockdown in the same way as they were made pre-coronavirus. The difference in lockdown is not only that the risk of a confidential information breach is increased, but that the perception among your employees will be that the chances of being “found out” are lower. Encourage a “fess-up culture” and consider in advance how you will respond to such breaches. Remember that a heavy-handed response will adversely inform the willingness of your employees to “come clean”.
Conclusion. Your company faces employee risks that it may not have had to consider before. Think now about the confidential information within your business (and how this might be put at risk during the lockdown ‘new normal’) and communicate guidance to your employees in order to deal with the risk.