Home Office

What We Have Learned About Remote Workforce Safeguards During COVID-19

Beckage lawyers have been working with businesses to put them in a legally defensible position in pivoting their workforce to a distributed workforce. We have learned a few things from our work and watching what is happening around the globe.

Technical Safeguards Have Had To Quickly Pivot:

Companies are working to narrow their threat surface.

Organizations are working toward making their workforce 100% remote to safeguard employees but with that advantage there is an increase in exposure of company assets “in the wild.” With this increased risk it becomes necessary for those responsible to implement technical safeguards to offset this increased risk. Where preventative controls are not realistic, an organization should look to implement detective controls.

Beckage has evaluated various control options for access management. A few of these are:

• Shortening screensaver times

• Session lockout times

• Tiered approach for modifying user access to high risk platforms, applications, and, where possible, data

• Multi-factor authentication for email and high-risk applications/systems

• VPN and Virtual Desktop Infrastructure

With so many tech vendors selling a variety of services and products, companies are getting lost in the hype and simply want to know how they balance it all as part of a larger game plan.

Organizations Valuing Importance Of Administrative Safeguards:

Companies are realizing how essential it is to have more administrative safeguards in place.

Beckage has reviewed the most relevant policies and procedures that relate to remote workforce. Organizations should analyze if those policy and procedures contain steps or tasks that require key stakeholders to be present.

Additionally, organizations need to confirm that their Incident Response, Disaster Recovery, and Business Continuity Plan are all sustainable with a remote workforce. They should verify that such policies and procedures (including call-trees and responsible party contact lists) are accessible to those who need access. Beckage has suggested that organizations look at cloud-based solutions for storing their policies and procedures. This would enable workforce to access documents even if their network is down.

Physical Safeguards Are Very Important:

With buildings becoming vacant, physical safeguards will become more indispensable than ever. If an organization’s facility is going to have a skeleton crew then there are several questions which need to be addressed such as:

• Who will be responsible for safeguarding assets onsite?

• Does this person(s) have an intimate knowledge of the protocols in the event there is a breach or other criminal activity?

• Does the workforce understand what steps to take in the event they lose a device while working remotely?

• Is the procedure documented and has it been distributed?

• Has the organization walked through the process to commission and decommission devices remotely?

Struggle In Addressing Pandemic & Complying With New Laws:

In the middle of the pandemic, companies have still had to meet the compliance milestones of the NY SHIELD Act and California’s Consumer Protection Act (CCPA), especially where the Attorney Generals responsible for enforcing them have not provided extensions of time to comply despite the organizational disruption of the pandemic.

***

Beckage attorneys, who are also technologists, former CISO and current Certified Information Systems Auditor (CISA) are available to answer any questions you have about the foregoing safeguards and their impact and compliance with NY SHIELD Act, the CCPA, the

European Union’s General Data Protection Regulation (GDPR) or any other privacy or data security statute. Visit us at Beckage.com or call us at 716 898 2102.

Beckage is proud to be the only firm in 2019 named for its “Technology Transactions” practice in Upstate New York Super Lawyers and routinely cited by Law.com for our insights in this fast-moving arena, along with several other awards and recognition in tech and law. We thank you for your business and encourage you to visit our blog regularly for updates on this area of law and others.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Risk Management

What the Recent OCC Bulletin Means For Your Risk Management Program

The Office of the Comptroller of the Currency recently produced a supplemental “Frequently Asked Questions” to Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance”  which was originally issued October 30, 2013. This bulletin provides guidance to banks for the assessment of risks and more broadly, managing risks associated with third-party relationships. The FAQs stress the importance of a sound risk management program and how banks can operationalize their assessment of third-party risk.

The OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Neither a written contract nor monetary exchange is necessary to establish a business arrangement. All that is necessary is an agreement between the bank and the third party. Once a business arrangement has been established, a bank should adopt risk management processes commensurate with the level of risk and complexity of the third-party relationships. This will require a bank to measure the risk of each of its business arrangements, and plan accordingly.  

The OCC requires an effective third-party risk management program that addresses the following:

Planning – develop a plan to manage the relationship.  When critical activities are involved, this is required; Conducting a thorough due diligence review prior to signing a contract;

Contract Negotiation – develop a contract that clearly defines the expectations and responsibilities of the third party; review the enforceability, limitations of liability and provisions addressing disputes about performance;

Termination – develop a contingency plan in the event the third-party does not deliver. This analysis should consider the process to transition to another third-party, bring in-house, or discontinue the service altogether;

Oversight and Accountability – a third-party risk management program should be integrated with the broader enterprise risk management framework;

Independent Reviews – management reviews of the effectiveness of the risk management process allow for overall assessments of whether the process aligns with the bank’s business objectives and strategy.

Practically speaking, bank management is often limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would, despite the critical nature of the service being provided. This could be for any number of reasons, including the third-party does not allow the bank to negotiate changes to their standard contract, or as a matter of policy, they do not share their disaster recovery and business continuity plans, also more commonly, they do not respond to a bank’s due diligence questionnaire. In these circumstances, bank management still needs to take steps to manage the risks presented. Despite these limits in its ability, banks should perform a “sound analysis” to support the decision that the third-party is still the most appropriate provider available and maintain supporting documentation to demonstrate the analysis. The OCC Bulletin 2013-29 (October, 2013) outlines the following suggested attributes related to due diligence a bank should incorporate:  strategies and goals, legal and regulatory compliance, financial condition, business experience and reputation, fee structures, personnel qualifications, internal risk management, information security, IT operational management, resilience, and incident reporting, physical security, HR management, reliance on sub-service providers, Insurance coverages, and conflicting contractual arrangements with other parties. Additional suggested attributes to be included in contracts is also outlined in the 2013-29 Bulletin.  

The risk management function may sit in different places depending on the bank and how it structures its risk management function. There is no one-size fits all. Regardless of the structure, the various business lines within the bank can provide valuable input into the third-party risk management process. They may for example complete risk assessments as it pertains to their function, review the due diligence questionnaires received from third-party entities, and ultimately provide feedback on the adequacy of the controls over the third-party relationship.  

The recent release of FAQ’s provides a significant amount of information for an organization and its journey toward managing third party risk. The complexity of the third-party relationship with a bank, the type of data handled, and overall risk presented, are just a few of attributes to be considered when evaluating the level of due diligence, and ongoing monitoring to be applied. For additional information and guidance on third party risk management, you can contact Beckage attorneys and risk professionals.  

Our team includes nationally-recognized leaders in data breach response and cybersecurity and privacy law, as well as former federal regulators, former in-house counsels of international companies, tech entrepreneurs, business owners and public–company executives. Our lawyers and technology specialists help you grow your business and achieve strategic objectives, adapt to new technologies and regulations, identify and reduce risk, and manage the response to data breaches, cybersecurity incidents, privacy matters and other crises.

*Attorney Advertising: Prior Results Do Not Guarantee a Similar Outcome

Subscribe to our newsletter.