For some time, government agencies such as the National Institute of Standards and Technology (NIST) have recognized that a “one size fits all approach” is not practical from an information security standpoint. Instead, companies were encouraged to take a risk-based approach and develop information security policies that were aligned within the context of their business operations. As a result, while both an international public company, with a large distributed workforce and offices across the globe, and a smaller company with one or two offices and a limited number of employees, were expected to have adequate information security in place, the determination of what was considered adequate was significantly different because their risk profiles were very different.
However, one of the impacts of COVID-19 is that businesses are now operating with most, if not all, of their staff operating from home. This changes the information security risk profiles for many organizations. As a result, companies of all sizes should review their existing information policies and procedures to verify that they address the additional risks associated with what are essentially numerous satellite offices. In addition, they should continue to keep abreast of cybersecurity developments as there are reports that criminals and nation states are attempting to take advantage of the new entry points into organizations through the distributed workforces.
Here are some measures to consider:
Another benefit to updating information security policies and procedures is that it may provide additional legal protections in the event of a data breach. For example, a recent Ohio law provides safe harbor from the state’s data breach provisions for companies that have implemented cybersecurity measures that conform with recognized information security frameworks: many of which provide for a risk-based approach.
If you have any questions about this topic, please contact Kevin Pomfret.
Please note: This alert contains general, condensed summaries of actual legal matters, statutes and opinions for information purposes. It is not meant to be and should not be construed as legal advice. Readers with particular needs on specific issues should retain the services of competent counsel.
Please click here for additional legal updates from Williams Mullen regarding COVID-19.