Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

Los Angeles

Minneapolis

New York

Washington, D.C.

core/separator

core/heading

core/list

In response to concerns about COVID-19, many organizations are requiring their employees, contractors and other business partners to telework and use remote access technologies to perform their daily work or furnish services. While this may be unavoidable given the current health crisis, permitting access to an organization’s internal resources from external networks can create risks for the organization’s information technology (IT) environment. In fact, the U.S. Department of Homeland Security (DHS) recently issued a <a href="https://www.us-cert.gov/ncas/alerts/aa20-073a" target="_blank" rel="noopener">Cyber Awareness Alert</a> warning organizations “to adopt a heightened state of cybersecurity” as teleworking increases.

contentpilot/introduction

When authorizing telework, an organization needs to consider the physical, technical and administrative security of all its remote access solutions and IT assets, including internal and third-party devices, remote access networks and servers, and the internal resources being accessed. DHS and other federal agencies have indicated that organizations should prioritize the following areas to mitigate information security risks in the telework context.

core/paragraph

Unsecured networks. Organizations usually lack the ability to secure the external networks used by teleworking employees and vendors, such as broadband and cellular networks, which makes them more susceptible to compromise through eavesdropping and “man-in-the-middle” attacks. According to the <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf" target="_blank" rel="noopener">National Institute of Standards and Technology</a> (NIST), “[r]isk from use of unsecured networks can be mitigated, but not eliminated, by using encryption technologies to protect the confidentiality and integrity of communications, as well as using mutual authentication mechanisms to verify the identities of both endpoints.” The DHS Cyber Awareness Alert highlights the importance of using virtual private network (VPN) technologies to offer a secure communication tunnel between a teleworker’s device and an organization’s IT resources. Yet, according to DHS, “[a]s organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.” In response, DHS recommends the following actions:

In addition, the organization should remind employees of their data incident notification and response procedures and be on heightened alert to respond to an <a href="https://www.thompsonhine.com/services/cyber-attack-data-breach-response" target="_blank" rel="noopener">actual or reasonably suspected security incident</a> as the number of teleworkers continues to increase.

Infected devices. An organization needs to be concerned with devices used for teleworking that are later brought into, and connected directly with, the organization’s IT environment. According to NIST, “[a]n attacker with physical access to a client device may install malware on the device to gather data from it and from networks and systems that it connects to.” In other words, if a device is infected with malware during its use for teleworking, once the device is connected to the organization’s internal environment, the enterprise risk for malware infection increases significantly. To mitigate these threats, an organization should strongly consider employing antivirus and antimalware technologies, using network access control solutions to test the security of a device prior to allowing it to connect to an internal network, and using a separate network for all external client devices.

Physical security. An organization can implement security tools to restrict and monitor employees and guests and their IT assets and infrastructure on its premises. But employees and other third parties who are teleworking use their devices from a broad range of locations outside the organization’s control, such as homes, hotels and coffee shops. These devices, whether laptops or phones, are susceptible to being lost or stolen. NIST states that organizations “should assume” that telework-related devices may be stolen by criminals seeking to exploit the data on them or use the devices to gain access to the organization’s network. “The primary mitigation strategies for device loss or theft,” according to NIST, “are to encrypt the client device’s storage or just the sensitive data itself so that it cannot be recovered from the device by unauthorized parties, or to not store sensitive data on client devices.”

To avoid legal risk and minimize security concerns, an organization should formally adopt a written telework policy that, among other things:

In addition, the policy should address how broadly internal resources are granted to individuals working remotely. According to NIST, “[o]rganizations should ensure that any internal resources they choose to make available through remote access are hardened appropriately against external threats and that access to the resources is limited to the minimum necessary through firewalling and other access control mechanisms.” Moreover, when establishing telework and remote access policies, an organization needs to specify which employees must, at all times, have access to its IT infrastructure to perform critical security functions, which is especially important during times of emergency and business continuity.

An organization also needs to consider its potential obligations under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). If an employee working remotely will have access to protected health information, which may occur if the organization is a covered entity or if the employee is working on behalf of the organization’s health plan, the organization should revisit and update its HIPAA security risk analysis and policy. It should document any new risks presented by the teleworking arrangement, as well as any steps taken or new policies developed to mitigate those risks. If no changes are needed, the organization should nevertheless document that it performed the analysis.

Deborah S. Brenneman 513.352.6638 <a href="mailto:Debbie.Brenneman@ThompsonHine.com">Debbie.Brenneman@ThompsonHine.com</a>

Steven G. Stransky 216.566.5646 202.263.4126 <a href="mailto:Steve.Stransky@ThompsonHine.com">Steve.Stransky@ThompsonHine.com</a>

Kim Wilcoxon 513.352.6524 <a href="mailto:Kim.Wilcoxon@ThompsonHine.com">Kim.Wilcoxon@ThompsonHine.com</a>

Julia Ann Love 216.566.5686 <a href="mailto:Julia.Love@ThompsonHine.com">Julia.Love@ThompsonHine.com</a>

Thomas F. Zych 216.566.5605 <a href="mailto:Tom.Zych@ThompsonHine.com">Tom.Zych@ThompsonHine.com</a>

or any member of Thompson Hine’s <a href="https://www.thompsonhine.com/services/privacy-and-cybersecurity" target="_blank" rel="noopener">Privacy &amp; Cybersecurity</a>, <a href="https://www.thompsonhine.com/services/employee-benefits-amp-executive-compensation" target="_blank" rel="noopener">Employee Benefits &amp; Executive Compensation</a>&nbsp;or <a href="https://www.thompsonhine.com/services/labor-amp-employment" target="_blank" rel="noopener">Labor &amp; Employment</a> practice group.

We have assembled a firmwide multidisciplinary task force to address clients’ business and legal concerns and needs related to the COVID-19 pandemic. Please see our <a href="https://www.thompsonhine.com/services/covid-19-task-force" target="_blank" rel="noopener">COVID-19 Task Force</a> page for additional information and resources.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/05/COVID-19_Update_-_Review_Teleworking_Cybersecurity_Policies_and_Practices.pdf

Review Teleworking Cybersecurity Policies and Practices

Services