Since the start of the COVID-19 epidemic, and following the lockdown measures put in place in affected countries, the use of new communication tools by companies and their employees is booming, multiplying their exposure to cyber threats. With remote working, some employees are also working on their personal devices, which often do not offer the same level of security as company equipment. Home office work also involves more intense use of third-party apps and websites, some of which may have cybersecurity vulnerabilities.

While governments are progressively lifting lockdown measures, work from home may still become the new normal. It is thus more important than ever to make sure that companies and their employees apply sufficient security measures when using new communication platforms and new devices for professional purposes.

In response to this growing threat, the French data protection authority (Commission Nationale de l’Informatique et des Libertés, the “CNIL”) and the French government platform dedicated to cybersecurity (cybermalveillance.gouv.fr) issued recommendations on how to create a safe cyber environment for employees working from home (here and here). Here is a summary of these recommendations, with some practical tips for companies and employees.

Cybersecurity Tips for Companies

  • Company policies. As employees are working remotely, it may be a good time to update, if necessary, and redistribute company policies on cyber hygiene governing the use of company-issued devices such as computers, smartphones and tablets and to remind employees that these policies still apply when they are working from home. Companies should ensure that their IT policies (password requirements, updates, backup of data) are acknowledged and continuously implemented by employees.
  • Use of personal emails and devices. Employees should also be reminded not to use their personal emails for professional purposes. (It is, for example, often the case that employees will email documents from a work account to a personal account in order to print documents from home.) Home Wi-Fi networks should be secured by changing the manufacturer’s default password; employers should assist their employees in setting up secure printing and scanning options. To the extent possible, and especially for employees handling confidential information, personal devices used for remote work should be protected and encrypted by companies’ IT services.
  • Beware of phishing. It may be helpful to use a consistent format and subject line for COVID-19 company updates in order to avoid confusion and ensure that employees do not mistake those internal updates for external phishing; using color coding or another warning banner for emails from an external source is also very helpful in reducing phishing risks. For the same reasons, it is recommended not to include links or attachments in these emails and to use professional antivirus software.
  • IT protection. To the extent possible, the company’s IT department should remain functional to advise employees and to liaise with the company’s legal teams regarding any security breaches or attempted attacks. IT should also keep documenting all attempted attacks and breaches. Employers should be watching for cybercriminals impersonating either the IT help desk or employees and consider ways to authenticate remote requests, which are now often coming from new devices and phone numbers.
  • Securing the network. It is important to secure the network, for example through firewalls, antivirus or VPNs, and blocking access to malicious sites. Backups should also be made on a routine basis and segregated from the network; this is an important protection against ransomware attacks, in which attackers also try to encrypt backups.
  • Videoconference. Companies can share with their employees a list of communication tools that they believe are appropriate for remote collaborative work. Users should read the data protection policies of the videoconference apps they use to make sure that users’ data is protected, and should download these apps only from official sources (Apple App Store, Google Play Store). On April 9, 2020, the CNIL issued guidance on the use of videoconference apps and advised using apps certified by the French National Cybersecurity Agency (Agence Nationale de la Sécurité des Systèmes d’Information, the “ANSSI”).
  • Online services providers. For companies providing online services, the CNIL recommends using secure protocols, including HTTPS and SFTP; keeping security patches up to date; using two-factor authentication for remote servers; maintaining access logs to help identify any suspect activity; and, finally, securing access to administrative interfaces.
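As an added example that is not part of the original post or of the CNIL guidance, the script below shows what "maintaining access logs to help identify any suspect activity" can look like in practice once the logs exist. It parses a handful of constructed login records (the log format, user names and IP addresses are invented for this example) and reports three things a remote-work help desk would want to know: a burst of failed logins for one account from one source address, a successful login shortly after such a burst, and a successful login from an address never seen before for that user, which is the "new devices" concern raised in the IT protection point above.

```python
"""Flag suspect remote-access activity in a simple login log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the page). One line per login attempt.
SAMPLE_LOG = """\
2020-04-14T08:01:12Z login user=alice ip=203.0.113.10 result=success
2020-04-14T08:02:40Z login user=bob ip=198.51.100.7 result=failure
2020-04-14T08:02:45Z login user=bob ip=198.51.100.7 result=failure
2020-04-14T08:02:51Z login user=bob ip=198.51.100.7 result=failure
2020-04-14T08:02:58Z login user=bob ip=198.51.100.7 result=failure
2020-04-14T08:03:05Z login user=bob ip=198.51.100.7 result=failure
2020-04-14T08:03:30Z login user=bob ip=198.51.100.7 result=success
2020-04-14T09:10:00Z login user=alice ip=192.0.2.55 result=success
2020-04-14T09:15:00Z login user=carol ip=203.0.113.22 result=success
"""

# Constructed baseline of addresses already known for each user (e.g. from last month's logs).
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m.group("user"), "ip": m.group("ip"), "result": m.group("result")}


def parse_log(text):
    """Parse all well-formed lines and return them in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Report each (user, ip) pair with at least `threshold` failures inside `window`.

    A sliding window per pair is kept; the pair is reported once, when the threshold is first crossed.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for e in events:
        if e["result"] != "failure":
            continue
        key = (e["user"], e["ip"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": e["user"], "ip": e["ip"], "count": len(q), "first": q[0], "last": e["ts"]})
    return alerts


def successes_after_burst(events, bursts, grace=timedelta(minutes=10)):
    """A success from the same user and address within `grace` of a burst deserves a human look."""
    hits = []
    for b in bursts:
        for e in events:
            if (e["result"] == "success" and e["user"] == b["user"] and e["ip"] == b["ip"]
                    and b["last"] <= e["ts"] <= b["last"] + grace):
                hits.append((b["user"], b["ip"], e["ts"]))
                break
    return hits


def logins_from_new_ips(events, baseline):
    """Flag successful logins from an address not in the user's baseline; each new address is reported once."""
    seen = {user: set(ips) for user, ips in baseline.items()}
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue
        known = seen.setdefault(e["user"], set())
        if e["ip"] not in known:
            flagged.append((e["user"], e["ip"], e["ts"]))
            known.add(e["ip"])
    return flagged


def scan(text, baseline):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "bursts": bursts,
        "success_after_burst": successes_after_burst(events, bursts),
        "new_ips": logins_from_new_ips(events, baseline),
    }


if __name__ == "__main__":
    for kind, findings in scan(SAMPLE_LOG, BASELINE).items():
        for f in findings:
            print(kind, f)
```

The thresholds and the baseline are the parts to tune: a five-minute window with five failures is a conservative starting point, and a "new IP" finding is only meaningful once a baseline has been built from a quiet period, so the first run over existing logs should be treated as populating it rather than as alerts.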

Cybersecurity Tips for Employees

  • Use professional equipment. Employees who have company-issued IT devices should use them for company purposes only and use their personal devices for their personal needs. Working from home should not provide reasons for employees to do what they would not do when in the office.
  • Maintain a secure environment. Employees should follow the cybersecurity rules imposed by their company. Employees should update their devices on a regular basis and make sure that they are protected by an antivirus program.
  • Reinforce security. It is recommended that employees increase the password security level of their home Wi-Fi network and use the WPA2 encryption system.
  • Preventive measures and vigilance. Employees should regularly save their work on their company’s secured system. In addition, employees should beware of unexpected messages (email, text, chat messages, etc.), particularly alarmist emails, and especially those including attachments or links that could lead to compromised websites. Also, employees should obtain their company’s IT team’s authorization before installing apps on their company-issued devices and, as noted above, should only source apps from official sources (Apple App Store, Google Play Store).

In addition to these recommendations, we refer to our cybersecurity checklist for COVID-19 and our previous update providing three key COVID-19 data protection tips for companies subject to the EU’s General Data Protection Regulation.

Also, as a reminder, a company facing a cybersecurity incident should consider whether it must notify the relevant authorities (see our previous update). Under the GDPR, personal data breaches must be notified within 72 hours to the competent data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A company should also notify the personal data breach to the affected individuals when the breach is likely to result in a high risk to the rights and freedoms of individuals. In France, companies operating in sectors considered essential or of vital importance, as well as digital service providers, may also be required to notify cyber incidents to the ANSSI. Health institutions should also report serious cyber incidents to the regional health agency. Companies should also check whether their contracts with third parties contain notification obligations—for instance, whether notice is owed to a company’s commercial counterparties, lenders or insurers.


Author

Antoine Kirry is a Debevoise partner based in the Paris office and a member of the firm’s Litigation Group. Mr. Kirry has substantial litigation and arbitration experience, with particular emphasis on M&A-related disputes. He can be reached at akirry@debevoise.com.

Author

Alexandre Bisch is an international counsel in Debevoise's Paris office and a member of the firm’s Litigation Department. He can be reached at abisch@debevoise.com.

Author

Alice Stosskopf is an associate in Debevoise's International Dispute Resolution Group, resident in the Paris office. Her practice focuses on commercial and civil litigation and international arbitration. She can be reached at astosskopf@debevoise.com.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Line Chataud was formerly an associate in Debevoise's Litigation Department, based in the London office.

Author

Ariane Fleuriot is an associate in Debevoise's Litigation Department. She can be reached at afleuriot@debevoise.com.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.