Cyber Risks and Legal Liability During Era of Mass Telecommuting
With several states advocating social distancing and closing schools, thousands of people will now work remotely from their homes. This is excellent news for cyber terrorists.
Remote work often requires the use of virtual private networks (VPNs) to connect employees to their employer’s network and online infrastructure, which are accessible 24/7 from any internet connection. On March 13, 2020, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) posted an alert warning that employers using VPNs that do not “use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.” The alert also noted that many entities have a limited number of VPN connections for teleworking employees and that, with that “decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.”
Suggested tips to prevent lapses in cybersecurity during this era of mass teleworking are:
1. Alert employees to increased phishing attempts and provide links to online training (some are available through CISA’s Training Resources).
2. Ensure all software patches and updates are installed.
3. Require teleworkers to update and enhance passwords, including the implementation of multi-factor authentication.
4. Remind employees to safeguard confidential business information, trade secrets, protected intellectual property, work product, customer information, employee information, and other sensitive personal information. NOTE: Limit employee access to sensitive or confidential information (and the duration of that access) to what is specifically required for his/her job performance.
5. Ensure all personal identifying information is encrypted.
6. Issue policies to teleworkers that PROHIBIT the following:
   - Sharing of work devices with anyone, including family members within the home, to mitigate the risk of unauthorized disclosure or potential violations of the Computer Fraud and Abuse Act, which provides criminal and civil penalties for exceeding authorized access to certain information.
   - Downloading company information to personal devices, unencrypted cloud services, or local files.
   - Connecting to public Wi-Fi at any location, whether or not using the VPN, with a company device.
   - Utilizing the “Remember Password” function often offered by Google while using the company device.
It is critical for employers and businesses to remember that under the theories of respondeat superior and vicarious liability, the business can be held liable for the negligent actions of its employees. While the concept of negligence as applied to cybersecurity in business is still novel in many states (including Louisiana), it remains a real risk. Negligence is a legal theory that can be applied to almost any scenario in which there is a potential danger, known or knowable to an individual or entity with the duty to cure the danger, a failure to cure the danger, and a resulting injury.
To help protect themselves from such negligence claims, businesses should review existing cybersecurity policies, update them to reflect the dangers of remote work, and immediately disseminate the updates to their employees and staff.