As the U.S. economy and educational system adapt to work and life at home, it is important to remember that cybersecurity (and related privacy) risks remain and are evolving. Remembering to think through measures that are in place to protect personal information, proprietary information, confidential information, and information needed for ongoing operations can help businesses avoid and mitigate these risks. Appropriate protective measures are specific to changing circumstances, but fortunately, guidance and helpful resources have quickly emerged. We have set forth below some important considerations in assessing administrative, technical, and contractual cybersecurity safeguards in virtual business and educational settings.
New tools bring new vulnerabilities
Many entities whose employees are now working from home for the first time are implementing new, sometimes expensive, tools to help their employees collaborate and maintain business operations. These new tools include videoconferencing, file-sharing, and other communication platforms. Even if the employer does not provide the tools, employees may find and use their own.
There are good reasons for implementing these tools at the business level, including consistent usage practices across the entity's systems, a process for regular software patches and updates, and discounted pricing. When selecting and implementing these tools, or modifying the manner and extent to which they will be used, it can be easy to overlook or minimize better practices for the use of third-party information technology services: reasonable and appropriate diligence, contractual protections, and ongoing oversight and validation.
In addition, it is important to remember that the cybersecurity posture of many (if not most) online tools can vary widely depending on how the tool is configured, maintained, and used. This means considering whether the right virtual-IT skill set has been engaged and applied, and helping ensure that users have the information they need to make better privacy and data security decisions. Addressing these issues effectively can be especially challenging as work and learning environments change radically.
Ransomware – the stakes may be higher and the options more limited
As with other disaster situations, we are already seeing an increase in related cyberattacks, including phishing emails (discussed below) and associated ransomware deployments. Bad actors consistently look for opportunities in the social and computing landscape so that they can best capitalize on new or heightened vulnerabilities.
The risk for critical infrastructure businesses, especially highly data-dependent businesses such as medical and financial services providers, may be especially pronounced. These businesses may have less time to reconstruct digital data and systems (where backups are available), to seek other technical solutions, or even to negotiate with the bad actors. And, in many instances, these businesses may be less prepared generally to adapt to remote and virtualized operational environments. It is also likely that there will be even more pressure than usual to pay a ransom (and hope for a good decryption outcome), which means that prioritizing preparedness measures, such as maintaining and testing backups, could be especially helpful as a mitigation strategy.
Phishing and other email scams
As companies drastically change the way they conduct business during the pandemic, many have seen a spike in the number of phishing, fraudulent payment, and other scam emails their employees are receiving. This is not surprising – not only are workers more vulnerable, but they are also adapting to new working processes, which increases the likelihood that they might fall victim to social engineering and other efforts to exploit the current situation. The precautionary measures here are essentially the same as in the normal business setting, except that employees should be reminded to be especially vigilant about emails from other-than-trusted sources on topics where there are perceived areas of heightened vulnerability and interest today – COVID-19, health care needs, stock market news, webinar technology, consumer goods in short supply, federal fiscal stimulus, and so forth.
With this in mind, some activities can help businesses mitigate associated risks during this time, including:
- Training employees (including through standard employee training outlets as well as direct email from internal, trusted email sources);
- Implementing and publicizing communications channels for reporting scams and potential scams (including immediate reporting to financial institutions when a wire transfer or other payment scam is discovered);
- Deploying additional tools to monitor and evaluate suspicious activity;
- Updating and reviewing internal payment transaction procedures;
- Monitoring and blocking potentially harmful website access from Internet browsing using company systems; and
- Taking steps to test that software security patches and updates are being appropriately reviewed and implemented in a timely manner.
In addition, as with other heightened cybersecurity concerns, a heightened risk of phishing or other malware attacks is a good reason to review cyber insurance coverage so that businesses with limited resources can assess and prioritize areas of potential risk.
Existing contracts. Many companies that are customers of service providers are receiving force majeure notices as states and countries implement restrictions and order people to stay at home. These notices may or may not properly invoke force majeure pursuant to the underlying agreement(s); regardless, pragmatism and cooperation can go a long way toward mitigating the consequences of these types of situations. Assuming that a customer company is willing, able, or obligated to make an accommodation, it may be helpful to recalibrate and document any accommodations and modifications. For example, if a service provider is moving to a more remote work environment, the underlying contract terms and requirements should be reviewed and modified as necessary to address the associated risks. In many instances, regulators are also specifically addressing or relaxing some existing requirements, so checking on these developments, which are emerging each day, can be important to managing these decisions.
New contracts. For new contracts entered into during the pandemic, contracting parties may benefit from expressly acknowledging and addressing the situation that currently exists, and flagging any provisions that are temporary or specifically adapted to the situation. The force majeure clause may acknowledge the fact that the parties understand that the current situation is not to be considered a force majeure (most particularly, because it is not “unforeseen”) but that a similar situation in the future could be. And parties may think through the lessons being learned now about the need for recalibration of requirements and, in some circumstances, even business terms. In some cases, it will be helpful to include process details for addressing force majeure events. As we are realizing, many businesses may not want or be able to completely suspend or terminate particular products and services when a widespread emergency situation presents itself.
In response to customers’ increased need to conduct business electronically, many companies are assessing the opportunity to make use (or more use) of electronic signatures to execute certain transactions and documents. It is worth remembering that relevant federal and state laws generally provide that an e-signature, contract, or other record relating to a transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form or because an e-signature or electronic record was used in its formation. In addition, the technical assurances provided by many e-signature solutions, if implemented correctly, provide authoritative and quick verification, reducing the opportunity for fraud and the likelihood of a party successfully repudiating their signature. Major providers are even starting to offer online ID verification and authentication services as part of the signature process.
Notably, the execution of a contract or agreement using e-signatures must still otherwise meet all the requirements for the formation of a contract under applicable law. Also, companies face additional hurdles in order to send any required consumer disclosures electronically or where there is a need for a notarized document or power of attorney.
The framework has not really changed. It has simply become an even better fit for how business is currently being conducted.
Control what you can control
Many businesses are implementing company-wide work-from-home strategies and policies for the first time, and sometimes on a global basis. The current situation creates an opportunity for many companies to put extra thought into enhancing and improving well-known information practices for protecting remote communications and enabling and facilitating business strategies that are location agnostic. Some examples include secure VPN technology, multifactor authentication, and limiting access to data and systems based on evaluations of need.
For additional information and resources, see the following:
- Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security, “Risk management for novel coronavirus (COVID-19)”; and
- National Institute of Standards and Technology (NIST), Guide to enterprise telework, remote access, and bring your own device (BYOD) security.