Prepare for slower data breach detection, higher costs with remote workforce
As more remote employees spread corporate data across personal electronics and services, data incident monitoring and compliance will be hindered.
Corporations are allowing employees to work remotely to avoid coronavirus spread, but that could come at the expense of their cybersecurity health.
A largely remote workforce during COVID-19 will likely slow the detection of data intrusions and increase the overall cost of data breaches, cybersecurity lawyers said.
Corporate clients also expect challenging cybersecurity days ahead as employees continue to work remotely, according to IBM’s recent “Cost of a Data Breach” survey. A majority (54%) of the respondents said their corporation required remote work in response to COVID-19. Of those working remotely, 76% said the change would increase the time to identify and/or contain a data breach, while 70% said remote work would raise the cost of a breach.
Indeed, the plethora of personally owned electronics and services employees are leveraging to work complicates data security monitoring and extends investigations, lawyers noted.
“The legal analysis will be the same,” said Ballard Spahr privacy and data security partner Kim Phan. “What happens, who is impacted, what data was involved, who do they have to notify, those questions remain the same. But it’s the ability to get the answers that may take longer that increases the time and cost of a data breach.”
Phan noted employees remotely working on personal electronics and networks expose their company to unknown cybersecurity threats. “It introduces risk and a potential for vulnerabilities to be introduced and of course when folks are working from home companies have less oversight, monitoring and control of what their employees are doing from home,” she added.
To be sure, one benefit of keeping company data on corporate-owned electronics and networks is the ease of monitoring for cyber intrusions or unusual activity. But decentralized monitoring can inhibit an organization’s compliance with regulations if a breach occurred.
“If you’re relying on an employee to detect a breach rather than network monitoring systems it may take longer to discover a breach,” said Potter Anderson & Corroon data privacy and security partner William Denny. “It may impact the compliance with data breach disclosure laws because some of those laws require notification to regulators within a very short time frame.”
Meeting a regulatory deadline may also run into a roadblock if employees aren’t willing to provide their personal electronics for an investigation. But such uneasiness is a new common problem facing outside counsel’s investigations, said Baker & Hostetler partner Daniel Pepper.
Previously “you limit your investigation to within the business premises versus now having to look at the systems or other setups employees may have in their homes,” he said.
To be sure, a data breach impacting a remote corporate workforce doesn’t only entail a larger pool of electronics and services to search. Outside counsel must also work more frequently with clients remotely. While lawyers noted that their practice, colleagues and clients worked remotely pre-coronavirus, Debevoise & Plimpton partner Avi Gesser said there were benefits to having the option for in-person counseling.
“Ideally in a data breach you want to get all the decision-makers all in one room, but you can’t do that now,” Gesser said. “If you’re meeting for the first time for a data breach over Zoom or Microsoft Teams or whatever platform you’re using for communication, it’s not that easy to read body language and get a decision-making process down.”
As potential data threats grow while employees continue to work from home, companies are also dealing with COVID-19′s economic impact on their business. But Mayer Brown partner and former executive assistant U.S. attorney Marcus Christian of the Southern District of Florida noted regulators haven’t eased their compliance oversight.
Christian noted regulators have made clear: “We are in business and we expect others to be in the business of cybersecurity, too.”
Related: