In response to the COVID-19 crisis, nearly all companies and organizations were abruptly forced to transition portions of, and in many cases, their entire workforce to remote work. After a few weeks, it seems that many companies have adjusted to this “new normal” and settled in, albeit with some lingering technical and connectivity issues. As companies raced to get their employees up and running remotely, it is likely many were primarily focused on connectivity and security, while necessarily ignoring the complex privacy, security, compliance, and document preservation challenges lurking below the surface of the “new norm.”
Companies will begin to realize that transitioning to a remote workforce can lead to unintended consequences that can and should now be addressed. Some of these unintended consequences include:
- Information Technology (“IT”) departments deploying software and systems such as Microsoft Teams, Slack, etc that have not yet been properly tested, including establishing retention periods, back-up procedures, and acceptable use policies.
- “Shadow IT” issues relating to employees using whatever services and products they think will help them do their remote job better, even when those products or services are not vetted by, supported by, or welcomed by corporate IT.
- Informal communications using messaging tools or social media platforms that are either not preserved subject to an active litigation hold notice, or that violate company policy, or frame the company in a negative light.
- Remote employee use of unauthorized external or cloud-based storage for company data.
- Information subject to a litigation hold notice being lost due to the inadequate back-up of laptops and other systems being used off-premises.
- Recycling of laptops, desktops, and mobile devices subject to a litigation hold notice in order to ensure rapid deployment of remote workforce.
- Employees using personal devices to store information and communications that are or could become subject to a litigation hold notice.
- Risking breach of confidential, sensitive, or personally identifying information (“PII”) due to lack of adequate remote security.
- Employees using unauthorized, unsecured, commercial collaboration tools.
- Employees using unsecured endpoints or endpoints with consumer-grade antivirus or antimalware.
- Employees operating off-network such that corporate firewalls for phishing and network intrusion are not engaged.
- Terminated employees subject to a litigation hold notice.
Thankfully, each one of these issues can be addressed if IT, legal, security, and information governance stakeholders are working collaboratively and proactively to attend to issues. The first line of defense in minimizing the risks associated with working remotely are your employees. Because of this, it is imperative that all relevant stakeholders quickly, clearly, and repeatedly provide guidance to its remote employees.
Guidance can be disseminated through policy development, including developing, reviewing, and updating acceptable use policies. Acceptable use policies should include input from all relevant stakeholders. They should specifically identify approved software and tools that employees should use, and the appropriate use of those tools. Further, acceptable use policies should specifically identify items and software that employees should not use due to security concerns. For instance, an acceptable use policy that has been modified in response to the COVID-19 crisis could allow the use of personal mobile phones for conducting conference calls, but specifically prohibit the use of mobile phones for sending text messages. As another example, given the increased necessity of videoconferencing for remote users, companies should mandate use of company-tested collaboration tools that are secure, as opposed to free commercial products that have been hacked in recent days. If external storage devices (such as USB flash drives) are approved for use, an acceptable use policy should prohibit their connection with any personal or non-company device.
In addition to acceptable use policies, stakeholders should also issue guidance as to where company documents and work product should be saved. Companies should encourage saving documents onto network or cloud-based resources that are regularly backed-up as opposed to laptops or external storage devices or personal cloud services that are off-network and therefore not being backed up or within the data governance/records retention sphere of influence. Similar to the acceptable use policy, appropriate locations for document storage should be listed, as well as an explicit list of locations where documents should not be saved (e.g., “please do not save documents to your “C: drive”). Finally, acceptable use policies should specify both acceptable and prohibited uses on both a system and endpoint level. This means policies should clearly address the use or prohibition of using corporate and personal email, instant messaging, text messaging, web-based storage, external media storage, corporate and personal computers/laptops, corporate and personal mobile devices, and other software and collaboration tools. Companies should regularly audit all remote employees and users to inventory all devices, software, or media platforms they are using to assess the efficacy of its use policies.
In addition to guidance to employees regarding acceptable use, IT departments must work with Legal and Information Governance teams to establish document retention periods, policies, and practices consistent with all applicable internal and external record retention requirements. This includes legal hold compliance as well as regulatory records retention requirements. There is no “exception” to the duty to preserve potentially relevant information simply because it is stored on a newly deployed system. If the information is subject to a litigation hold notice, and is not preserved by establishing appropriate retention periods, a company could face serious spoliation risk and sanctions for breaching its duty to preserve potentially relevant information.
The failure to properly test and evaluate new software products in the face of rapid deployment is also a critical issue. Indeed, many companies have been forced to roll out software and collaboration tools on an enterprise-wide scale. To illustrate, by the third week of March 2020, as most companies transitioned to a remote workforce, Microsoft reported that it saw 12 million new users in one week alone, and 44 million total users in one day! The demand for Microsoft cloud services rose by nearly 800%, which triggered Microsoft to enact prioritization rules on network traffic. Given this widespread and rapid deployment, it is likely that retention periods were not evaluated in conjunction with company information governance policies, and that users and custodians subject to an existing litigation hold notice may not have been considered. Not only is it imperative that retention periods for any new software be evaluated in conjunction with company records retention policies, but protocols must be put in place to prevent users who are, or who become subject to a litigation hold notice, from deleting information that should be preserved. Additionally, existing employees subject to a litigation hold notice should be sent a reminder highlighting that they are still on legal hold, despite the current crisis, and that the obligations of that hold extend to potentially relevant information accessed, created, or modified using newly deployed remote collaboration software, and that they also extend to any personal mobile device, cloud storage, or external storage media.
Another unique challenge associated with the rapid deployment of a remote workforce is lack of resources. Employees accustomed to working in the office may have needed laptops and mobile devices in a matter of a few days. Companies with a large number of employees may not have had the requisite amount of devices to distribute in a timely manner. Under normal circumstances, many organizations recycle devices by re-imaging and re-deploying them to other employees during times of turnover. As employees who are subject to a litigation hold leave employment, their devices are typically taken out of the recycling rotation. However, companies in a pinch may need to re-deploy these devices despite the hold. Prior to doing this, it is imperative that these devices are imaged, or any relevant information is captured prior to their redeployment. While impractical, it is critical to avoid spoliation risk and avoid sanctions.
Relatedly, it is an unfortunate fact that many employees will lose their jobs as a result of the COVID-19 crisis. Despite terminating employees on a litigation hold notice, companies are required to continue preserving potentially relevant information for those employees after they have been terminated. Exit interviews should be conducted with alacrity for departing remote employees to ensure that they are reminded not only to return any company-issued devices, but that they also not delete or alter any information on those devices. They should also be reminded to return any company information that may exist on their personal devices, personal emails, or in their home offices, as such information could also be subject to the company’s preservation obligations. This is also particularly critical practice if the information in the user’s possession is of a proprietary nature or contains trade secrets.
Finally, one of the unintended consequences of a remote workforce is the expected increase in cybercrime, which was already a significant corporate risk. PII and confidential business information are more valuable than ever. By transitioning to a remote workforce, this information becomes more susceptible to loss or misuse. Policies and controls should be developed and edited to account for the proper treatment of this information. Access to, or activity on, company servers should be logged. Only authorized software should be downloaded to avoid malware, and training should be implemented to prevent users from falling prey to phishing scams. And, eventually, this crisis will pass. A plan should be put in place for the secure return of all company information after shelter-in-place mandates come to an end. Seyfarth’s COVID-19 Resource Center has several articles that address the cybersecurity threats in greater detail:
As we all face this “new normal”, new legal risks have quickly moved to the forefront. With proactive collaboration, communication, and policy development, companies can mitigate and in most cases, avoid these risks. Seyfarth Shaw’s Trade Secrets practice group has developed the following checklist to assist you in complying with these risks. It can be found here. They have also produced a webinar about Best Practices for Protecting Trade Secrets and Intellectual Capital. Should you have questions about the legal, compliance, regulatory, and privacy risks your company could now be facing, please reach out to an attorney from Seyfarth Shaw’s eDiscovery and Information Governance group for counseling. Together, we can help you avoid unnecessary risk at a critical time in your company’s history. Stay safe. Stay home. Keep your data safe. At home.