Regulatory/Law
Home Sweet Workplace?

• Theodore P. Augustinos
• May 2020
• 

The current environment created by the coronavirus pandemic creates a host of issues and challenges for insurers and producers. Claims and coverage issues already have emerged and will continue to do so. Insurers and producers now also face issues and challenges that are arising in the remote work environment necessitated by the need for physical distancing that has resulted in the closures of offices. Among the most important and difficult are those related to privacy and cybersecurity.

Existing privacy and cybersecurity programs of insurers and producers should be designed to specifically address remote access. Most, however, would not contemplate that all or nearly all personnel would be working remotely, simultaneously, and for an extended period. It is important to maintain sound privacy and cybersecurity practices in the face of the need for insurers and producers to keep personnel as productive as possible while working remotely over a period of weeks and perhaps months.

From the perspective of privacy and cybersecurity, what should insurers and producers be addressing in the remote work environment?

• Revisit your risk assessment. Consider the new and increased risks presented by more personnel working remotely, in many cases for the first time. The updated risk assessment will drive decision-making related to privacy and cybersecurity enhancements appropriate to the remote work environment.

• Technical safeguards. Personnel working remotely will need equipment. Many will not have company-issued laptops and other devices, but will be using home computers and other personal devices. To the extent that personnel will be using home computers and personal devices, deploy technical safeguards such as secure portals, apps and programs to protect the environment. Virtual private networks and multifactor authentication facilities will need to accommodate the increased population of users. Personnel should be required to update technical settings including auto-logoff, and to update and strengthen passphrases to keep information secure.

• Administrative safeguards. Privacy and cybersecurity policies should be reviewed and refreshed as necessary to address new challenges and vulnerabilities. For example, if the existing remote access policy restricts remote access to particular personnel or to company-issued devices, make well-documented adjustments necessary to avoid violations of the existing policy while maintaining the appropriate level of privacy and cybersecurity. Similarly, existing policies could restrict the removal of data, including paper, from the company's facilities. Given that personnel may expect to be working remotely for an extended period, with little or no on-site support, they may need more access to more data for a longer period. Administrative safeguards should be amended accordingly, including by implementing enhanced or new ways of monitoring the removal and off-site use and retention of data.

Personnel may be using new, third-party facilities to interact remotely with others, including services designed for videoconferencing, such as Zoom.

Existing policies should restrict the engagement of third-party services to host these events. Given the potential vulnerabilities, as illustrated by the recent publicized problems with Zoom, privacy and cybersecurity personnel should focus on all types of services for which personnel may be looking to third parties in the effort to perform their job functions remotely. Administrative safeguards should restrict the ability to use these services unless they have been vetted by the appropriate privacy and cybersecurity staff.

Policies should also account for, and attempt to control, the shared home environment, where personal devices that use Alexa, Google, or Siri can listen to conversations occurring in the background, thereby potentially exposing confidential work-related calls and virtual meetings.

Best’s Review contributor Theodore P. Augustinos is a partner at Locke Lord LLP, where he serves on the steering committee of the firm’s Privacy and Cybersecurity Practice Group and is managing partner of the firm’s Hartford, Connecticut office. He can be reached at ted.augustinos@lockelord.com.