A prerequisite is, of course, that there are general response processes for dealing with data breaches that have occurred. They should provide for clear procedures and, in particular, take into account existing legal and, where applicable, contractual obligations.
Some questions should be clearly answered by the company in advance in order to avoid ambiguity and complications when handling a data breach:
- What are the responsibilities for responding to a data breach that has occurred?
- What measures are to be taken initially and in the short, medium and long term?
- What records are to be documented?
- Who must be informed?
- What contractual and legal reporting obligations and deadlines exist? Who is responsible for meeting them?
- How is cooperation with external parties (business partners, customers, consultants, etc.) organized?
From Digital Forensics To Responsibilities
In addition to general points, these aspects are particularly important in connection with increased teleworking:
Dealing with digital forensics
Here, IT systems are analyzed in detail after a breach has occurred in order to understand its actual effects on the company or the persons affected. The data protection interests of all parties involved must be safeguarded, which may lead to problems if a person’s private devices are included in the analysis.
Use of alternative communication channels
As security experts often work from their home offices, alternative channels should be established for fast and effective communication in the event of a security incident (e.g. via video conferencing solutions or messenger services).
Restrictions regarding physical accessibility
When planning a response, it must be considered that an employee’s home office may be located further away from the company headquarters, which can further delay physical access to relevant IT systems.
Responsibilities of individual employees
It may be necessary for employees to take on additional responsibilities if a security breach occurs in the home office. They are often the only people who can take immediate action. This should also be reflected in the organization’s existing privacy policies and response plans.
Caution With Smart And IoT Devices
The increasing private use of IoT or “smart” devices must also be considered in connection with teleworking. These devices are usually integrated into an employee’s private home network, just like the company devices on which work activities are performed.
There are concerns about both security and effective privacy when using IoT devices. Many IoT devices sit unsecured on the home network and retain serious vulnerabilities over long periods of time. In many cases, these vulnerabilities serve as an entry point for attackers.
Use in the home office can lead to serious compliance and security risks. An example: a voice assistant is activated unintentionally, and recordings of company-related calls are transmitted abroad and analyzed there. This is not only a violation of the relevant data protection obligations, but also of contractual obligations such as secrecy and confidentiality duties, which are often backed by contractual penalties.
Companies are therefore advised to clearly regulate the use of IoT and “smart” devices in connection with teleworking for their employees. Caution is particularly advisable in the case of technologies which, by their very nature and intended use, could lead to profound intrusion into the data protection or privacy of users.
More home office tips for employees and managers can be found in this blog article:
DATA SECURITY AND COMPLIANCE IN THE HOME OFFICE
Mag. Gerald Steiner
Gerald Steiner is a lawyer in the law firm andréewitch & partner in Vienna, where he started his career as an associate in 1999. After his studies at the University of Vienna, he worked as a legal assistant at Harnik & Finkelstein in New York and at Baker & McKenzie in Munich. His main areas of practice are employment law, data protection law, public procurement law, real estate law, construction law, warranty/compensation and litigation. He is a certified data protection officer by Austrian Standards. Mr. Steiner has published numerous professional articles and gives lectures and seminars, especially on labor law, tort law, data protection law and public procurement law.
Dipl.-Ing. David Rieger
Dipl.-Ing. David Rieger is the data protection officer of the SEC Consult Group and also advises numerous companies as a security consultant in the implementation of extensive and complex information security and data protection requirements. His focus is on the development of information security management systems according to ISO/IEC 27001:2013, risk management, data privacy impact assessments, implementation of data security compliance programs, as well as support and operational consulting in dealing with information security incidents and data breaches. David Rieger is also a multiple certified data privacy expert, ISO 27001 Lead Implementer & Auditor and Fellow of Information Privacy of IAPP.