The unprecedented move for entire workforces to work remotely has introduced unique risks to cyber and data protection. These were addressed in a recent Thomson Reuters webinar on Cyber Security and Data Protection: COVID-19 Legal Risks.
The panel featured four subject matter experts, with Tyrilly Csillag, Head of In-House and Commercial – Practical Law, Thomson Reuters Asia and Emerging Markets as the webinar moderator. We’ve pulled some highlights from the session into this article, but if you’re looking for more, join the 90-minute session on-demand.
Cyber session highlights
Wheels of collaboration
Peter Leonard is Principal, Data Synergies Pty Limited and Professor of Practice at the UNSW Business School.
During the webinar, Peter said that what he is seeing in the market is a departure from what he calls a ‘hub and spokes’ model, in which organisations have been reorganising how they work on an organisation-specific basis.
“In particular, enabling their ‘infotech’ security so that their employees can work remotely with each other and communicate and collaborate within the organisation,” Peter added.
“Now we’re moving to a much more complex cross-organisational model, where organisations, and in particular, consultancy businesses, such as law firms, are working with other organisations, and therefore have to manage wheels of collaboration across organisations.”
Of course, as Peter said, it’s far more complex than that. Namely, you have to manage different systems and data moving between organisations, all in a secure environment.
During the ‘new normal’, Peter argued that although many organisations have been focusing on data privacy as an initial concern, now they must be acutely aware of how they manage trade secrets and business confidentiality.
Peter also noted the legal risks attached to remote working. With many employees still working from home, there’s not only the risk of data breaches through external threats, but also the risk that employees could inadvertently expose confidential information.
“Cyber security in the post-COVID world is not only about stopping bad actors, it’s also about ensuring that employees know what they should do and shouldn’t do when handling data in remote workplaces” – Peter Leonard, Principal – Data Synergies Pty Limited and Professor of Practice – UNSW Business School
Peter said that to manage these risks, firms and organisations must have a dialogue with their employees. One may ask how this plays out among organisations that do this right. To this, Peter said:
“It’s about balance, balancing the individual interests of employees, and the interests of others, including their families and the organisations with whom they work. So it’s a delicate balance and good organisations, I think, have learned through COVID-19, how to renegotiate that balance and engage with employees in a more collaborative way.”
Contact tracing and the COVIDSafe example
The public debate following the release of the Australian COVIDSafe app was described by Dr Katharine Kemp, Senior Lecturer – UNSW Law, on the webinar as “intriguing”.
“Many people saw downloading the app as a matter of public duty, an obligation people owed to each other as a community. And that’s the way the government promoted it: as a ‘Team Australia’ moment,” said Katharine.
“We saw a number of lawyers and representatives of technology businesses very publicly support the app and its protections and argue that others should also download it. They highlighted the health needs of the community, including people in vulnerable health situations.
“…I think, though, that we should also be considering [in regards to the COVIDSafe app] whether we have a civic duty in a situation like this to consider people who are or will be particularly vulnerable, if privacy protections are not good enough, or if there is discrimination against those who don’t use the app, bearing in mind that there are very significant sections of our population who cannot use an app like this” – Dr Katharine Kemp, Senior Lecturer – UNSW Law and Academic Lead – UNSW Grand Challenge on Trust
Will there be more instances of contact tracing as countries edge slowly into a post-pandemic environment? As Katharine pointed out, similar technologies are being proposed regularly and are already in use around the world.
“I think it’s a highly relevant illustration of surveillance technology being promoted in the interests of public health due to the pandemic. We’re seeing more and more proposals for surveillance of our daily activities on that basis, and we’re quite likely to see some ‘purpose creep’ as more extensive data is collected,” she added.
Data breach response plans
Tyrilly Csillag asked Jacques Jacobs, Partner, Norton Rose Fulbright, how legal departments can update their data response plans to be fit for the pandemic.
“I think there are a number of ways that we need to have a look at our data breach plans to make them fit for the pandemic. The first thing is really to build in increased vigilance to ensure that cyber events are spotted,” Jacques replied.
Particularly in the early days of the pandemic, when normal routines were disrupted, it was an easy time to miss the signs of an attack. In one example, Jacques has seen a number of phishing attacks where threat actors have been extremely sophisticated in how they present emails. It is critical, in Jacques’ view, for organisations to increase processes around vigilance and implement further training for staff on these risks.
The legal risks attached to data privacy are not always cyber related. For example, Jacques said:
“We’ve seen incidents where people have taken files home or not destroyed confidential documents securely (or even put them in the rubbish area of their apartment building). The information somehow found its way into the wrong hands!” – Jacques Jacobs, Partner, Norton Rose Fulbright
Jacques offered a few pointers on developing a COVID-19-fit cyber response plan. You want to make sure your employees are contactable, should a breach be spotted. Additionally, it’s very easy to create a secondary breach, for example by insecurely emailing information about the breach.
“In terms of your service providers, such as your IT professionals or the other companies that you might need to assist you, what are their remote working capabilities? Are they able to still undertake the task for you with the same level of efficiency?” said Jacques.
Cyber incidents add pressure for organisations
Governments are taking action to address the evolving landscape. Just last month, the Australian government pledged it would invest $1.35 billion into the country’s cyber capabilities. This marks the nation’s largest ever cyber security investment.
Chris McLaughlin is Director in the Cyber Solutions Group at Aon, the global insurance company. He has seen his clients experience heightened pressure and strain when it comes to managing external security risks and when employees are working from home.
“We’ve seen a huge rise in cyber criminal activity against our clients. If you read some of the statistics, phishing attacks have increased some 500% since pre-COVID and are increasing in sophistication and persistence.”
From an insurance perspective, Chris pointed out that during past crisis situations such as 9/11 and the global financial crisis, insider threats have increased. Therefore, it is not surprising that the global health crisis has prompted many organisations to review their cyber insurance policies and data breach response schemes.
“We know that threat actors are actively targeting individuals at home. They target virtual private networks in order to try and get access to corporate systems, and some organisations have actually had their physical premises broken into” – Chris McLaughlin, Director – Cyber Solutions Group at Aon
As Chris acknowledged, the reality of living in this heightened threat environment, with active external threats and increasing internal threats during lockdown, continues.
For further information on data protection and cyber security during the global health crisis, visit Practical Law’s complimentary COVID-19 resources.