Curbing Privacy Risks When Working From Home

All Canadian workplaces are obligated under Canadian Privacy Laws to secure the use, collection, retention, disclosure or disposal of sensitive data. In the legal world, this obligation is doubly compounded by our professional duty to protect the confidentiality of our clients. Law firms therefore, invest in all precautions necessary to secure against risks of unauthorized use of data. This often translates into strict technical and organizational measures to insulate against privacy breaches in practice.

With the rapid spread of COVID-19, the world has witnessed an extraordinary turn of events that could not have been anticipated. To keep operational, law firms have had to promptly adapt to a remote workplace model where employees are working from home. However, given the speed at which this arrangement was implemented, many organizations may not have had systems in place to insulate against the security risks that may arise.

Many employees working from home share equipment and spaces with other family members. Such settings can present situations of unattended documents and notes with sensitive information recorded. Additionally, electronic information may be accessed on devices that are not exclusively for the use of the authorized person. The device itself, may not be equipped with passwords and technical guards that are offered at an office. Employees are now presented with the challenge of discharging the same duties to secure confidential material, but without the infrastructure in place to do so. Therefore, the current climate of mass disruption, has made organizations particularly susceptible to privacy breaches or cyber attacks.

It is important for organizations to take immediate steps to ensure the protection of sensitive information. These steps include:

Updating and implementing security measures

  • Employers need to update their privacy policies and procedures to reflect the current needs, issues, and solutions surrounding a remote workplace;
  • Employers need to consider the risks of cyber attacks and have measures in place to respond to any security breaches;
  • Employers need to invest in revamping their IT infrastructure to ensure employees have access to a secure remote platform. These measures may include providing a protected VPN connection to employees which encrypts confidential communication;
  • Employers should utilize access-based security features such as a multi-factor authentication protocol to protect their employees’ accounts; and,
  • Employers should closely monitor network-related activities to flag security breaches.

Training employees

  • Employee training should focus on how to manage security risks from home. Some of these measures include the use of a secure location such a locked cabinet to limit the exposure of confidential information to family members;
  • Employees should password protect all devices, and access confidential documents through a centralized and secured device; and,
  • Employees should use electronic platforms enabled by the organization so they are connecting to the workplace network through a secure VPN connection that is protected by firewalls and antivirus software.

It is imperative to maintain the integrity of this profession by ensuring that the duty of confidentiality owed to our clients is not compromised under any circumstance. It is incumbent on the prudent organization and employee to jointly make best efforts to conduct our business as securely as possible.