Coronavirus pandemic: Extra precautions needed for data protection and cybersecurity?

The novel coronavirus pandemic has undeniably disrupted the way people do business around the world. In January 2020, the Hong Kong SAR government announced work-from-home arrangements for civil servants (with emergency and essential service exceptions). Private sector organisations soon enforced similar work-from-home and flexible hour practices to minimise social contact. The government has announced quarantine measures for travellers to avoid spreading the virus. In a place like Hong Kong where people are generally familiar with the use of advanced digital technology, most businesses are able to continue operations in an uninterrupted manner. Without being physically in the office, employees can still get their job done efficiently: edit documents, exchange information, and confirm orders through remote access to the company’s IT infrastructure, personal computers, mobile devices, instant messaging, and digital audio and video conferencing.

Data and confidentiality protection

In this new mode of work, businesses face the challenge of maintaining a high level of data and confidentiality protection. Employees who work from home may transfer data, which may include sensitive and confidential business data or trade secrets, using unsecured devices. The flexible workplace policy aggravates the problem when people are required to get the job done in alternative or innovative ways without physical presence or contact. In this respect, businesses are reminded that:

a. Companies should not forget the importance of maintaining confidentiality of sensitive business information. It is particularly the case if companies have given legally-binding undertakings to other parties to keep certain information confidential. It is not untypical that a confidentiality agreement or undertaking requires the company to disclose confidential information to its employees only on a “need-to-know basis”. The company may also be obliged to require its employees to keep the information confidential. A work-from-home setting may compromise the company’s ability to uphold protection of confidentiality. Companies should remind employees of their legal obligations and the need to refrain from circulating confidential information outside of the company’s VPN. Companies should formulate a policy to regulate sensitive data flow in a work-from-home environment, and restrict employees from sharing work stations or passwords.

b. As far as personal data is concerned, businesses shall comply with the Data Protection Principles (DPPs) contained in the Personal Data (Privacy) Ordinance (Ordinance), which outline how data users should collect, handle and use personal data. Specifically, DPP4(1) in the Ordinance requires data users to take all practicable steps to ensure that the personal data they hold is protected against unauthorised or accidental access, processing, erasure, loss or use. Consideration should be given to, among others, the physical location of where the data is stored, security measures incorporated into the equipment to safeguard such personal data, and measures taken for ensuring the secure transmission of the data. Companies should take proper actions to ensure these DPPs are observed. Once personal data is transferred outside of the company’s secured system, say by an employee through a personal device, how can the company ensure proper storage, and that it will be erased if needed? The company’s privacy policy should address these issues and it should be brought to the attention of the employees.

Cybersecurity

With social distancing being the principal method for combating the virus worldwide, businesses have become more dependent on digital infrastructures and tools. The devastating result of a cyberattack would be unimaginable. Hackers may attempt to take advantage of this challenging time by sending phishing emails with health-related topics like “last chance to buy cheap surgical masks” or “coronavirus vaccine” to bait people into clicking on links embedded with malware. This could have disastrous results including possible damage to IT infrastructure, sensitive data exfiltration or malware infection. Hong Kong has been ranked as one of the top global destinations for cyberattacks in recent years. Digital security should be high on the priority list of businesses in terms of crisis management in this pandemic era.

Companies should:

  • review IT policies to ensure an enhanced level of security measures is implemented, especially in light of increased remote access to the company’s systems under the work-from-home policy;
  • have a proper disaster recovery plan in place, and ensure the plan is viable in a work-from-home context;
  • review emergency contingency plans and data breach protocols to ensure they can be implemented remotely;
  • require employees who use digital means to communicate (in particular with apps like WhatsApp and WeChat) to consider whether such means are secure and appropriate for that particular communication, and whether separate records need to be kept of such communications for evidence purposes; and
  • ensure employees at all levels are aware of all of these policies so that any problem that arises can be tackled swiftly to keep any damage to a minimum.

The novel coronavirus pandemic has presented the world with unprecedented threats – stay agile and alert.