Data Breach In The Home Office – And Now?


In addition to protecting the data itself and complying with existing compliance requirements, companies must ensure that they react correctly when data protection violations occur. A data breach that occurs at a home office can differ in some respects from a “regular” breach. Existing processes and response plans in this area should therefore be reviewed and, if necessary, updated.


A prerequisite is, of course, that there are general reaction processes for dealing with data mishaps that have occurred. They should provide for clear procedures and, in particular, consider existing legal and, if necessary, contractual obligations.

Some questions should be clearly answered by the company in order to avoid ambiguity and complications when handling data mishaps:

  • What are the responsibilities for responding to a data breach that has occurred?
  • What measures are to be taken initially and in the short, medium and long term?
  • What records are to be documented?
  • Who must be informed?
  • What contractual and legal reporting obligations and deadlines exist? Who is responsible for fulfilling them?
  • How is cooperation with external parties (business partners, customers, consultants, etc.) organized?


From Digital Forensics To Responsibilities

In addition to general points, these aspects are particularly important in connection with increased teleworking:

1. Dealing with digital forensics

Here, IT systems are analyzed in detail after a protection violation has occurred in order to understand the actual effects on the company or the persons affected. The data protection interests of all parties involved must be safeguarded, which may lead to problems if a person’s private devices are affected by the analysis.

2. Use of alternative communication channels

As security experts often work from their home offices, alternative channels should be established for fast and effective communication in the event of a security incident (e.g. via video conferencing solutions or messenger services).

3. Restrictions regarding physical accessibility

When planning a response, it must be considered that an employee’s home office may be located further away from the company headquarters, which can further delay physical access to relevant IT systems.

4. Responsibilities of individual employees

It may be necessary for employees to take on additional responsibilities if a security breach occurs in the home office. They are often the only people who can take immediate action. This should also be reflected in the organization’s existing privacy policies and response plans.


Caution With Smart And IoT Devices

The increasing private use of IoT or “smart” devices must also be considered in connection with teleworking. These devices are usually integrated into an employee’s private home network, just like the company devices on which work activities are performed.

There are concerns about both security and effective privacy when using IoT devices. Many IoT devices sit unsecured on the home network and carry serious vulnerabilities over long periods of time. In many cases, these vulnerabilities serve as a gateway for attackers.

Use in the home office can lead to serious compliance and security risks. An example: when a voice assistant is activated unintentionally, recordings of company-related calls are transmitted abroad and analyzed there. This is not only a violation of relevant data protection obligations, but also of other obligations (e.g. secrecy and confidentiality obligations) that are often “secured” with contractual penalties.

Companies are therefore advised to clearly regulate the use of IoT and “smart” devices in connection with teleworking for their employees. Caution is particularly advisable in the case of technologies which, by their very nature and intended use, could lead to profound intrusion into the data protection or privacy of users.



About the author

Gerald Steiner
Andréewitch & Partner

Gerald Steiner is a lawyer in the law firm Andréewitch & Partner in Vienna, where he started his career as an associate in 1999. After his studies at the University of Vienna, he worked as a legal assistant at Harnik & Finkelstein in New York and at Baker & McKenzie in Munich. His main areas of practice are employment law, data protection law, public procurement law, real estate law, construction law, warranty/compensation and litigation. He is a data protection officer certified by Austrian Standards. Mr. Steiner has published numerous professional articles and gives lectures and seminars, especially on labor law, tort law, data protection law and public procurement law.