WorkforceTweaking Your Incident Response Plan to Address A Distributed Workforce

Tweaking Your Incident Response Plan to Address A Distributed Workforce

With the sudden, drastic increase of distributed workforces came implementation of new practices and access solutions, which in turn created more surface area for bad actors to attack and more potential gaps for them to exploit.  

A business’s Incident Response Plan is its playbook for deploying a rapid, proportional response to a potential security threat, with the goal of complying with applicable data privacy and security laws while maintaining client services. Such a plan generally lists the roles and responsibilities of staff positions as they work through phases of Detection, Analysis, Containment and Eradication, Recovery, and Reporting. The collection of key staff members is commonly understood to be the Incident Response Team (IRT) and their familiarity with the plan and preparation in advance of a potential incident are often key to successful responses.  

Here are some important considerations in evaluating your current Incident Response Plan:

Communication

Communication is always key, but now it may need to be handled without face-to-face meetings or assembling the IRT in a conference room. An Incident Response Plan, similar to a Disaster Recovery Plan or Business Continuity Plan, should plainly state the methods of communication IRT members will rely on, in order of preference, in response to a potential incident. Thought should be given to what forms of communication are likely to be interrupted or compromised in an incident, and what back up communication method(s) will be relied on. With IRT members working from home, which communication methods yield lower risk of interruption, are more secure, and are available to all IRT members? Be careful of using free platforms or apps to communicate.  Many are not secure, there is no expectation of privacy, and the data stored can be discoverable or subject to subpoena.

Relatedly, does the Plan identify which leaders are responsible for internal or external communications regarding an incident? For example, in an office setting business phone lines and clustering of staff could allow a team to efficiently direct all inbound questions or concerns about an incident to a VP of Communications. Pick a title not a department. Now, with cell phones serving as a primary tool of communication, does your team need a refresher of how to address communication from external parties or a reminder of professional responsibilities when confronting a potential incident? Also remember, during an incident, systems are likely not accessible because they are encrypted. So, does every member of the IRT have a printed version of the Incident Response Plan at home with everyone’s contact information?

Resource Allocation

The first phase of most Incident Response Plans revolves around detection – identifying what is happening and collecting details about a potential incident. Your Incident Response Plan might implicitly assume that IT staff or others with specialized knowledge related to identifying a security or privacy issue are on hand or available at the same location as a point of compromise. When considering your new work from home environment, it is time to consider how your IT staff will be available in the earliest moments after a potential incident is reported. Where possible, it may be time to consider end point detection and response solutions – an addition to your IT management environment that can provide remote insight and management of laptops being used by employees from their homes. Such a solution can speed the collection of important forensic details while hastening the containment and wider response.  

Role Adaptation

Work from home environments may change a member of the IRT’s ability to address the role or responsibilities they were previously assigned. Often times Incident Response requires confidential conversations, privileged communication and/or discussion about sensitive data and it is important to address with members of the IRT whether they can meaningfully, and responsibly participate in incident response when working from home. There are often more competing interests in a homebound setting than in an office and when updating and reviewing an Incident Response Plan, your company has the chance to address with each member of the IRT whether they can still satisfy their role while potentially handling such competing interests.  Such review can allow for updates and edits to IRT members’ roles and responsibilities in advance of a potential incident, instead of in the midst of one, saving valuable time, energy and focus.

Practice

An Incident Response Plan best serves its purpose when it is regularly reviewed as part of a tabletop exercise.  Such an exercise promotes clarifying questions amongst members of an IRT and familiarizes everyone involved with their roles and expectations for others. Additionally, an Incident Response Plan rehearsal reminds all IRT members of the importance of communication and how critical legal determinations, such as what constitutes a data breach, must be considered when discussing or communicating about an incident.

Now that your IRT is working from home, how will they make use of your Incident Response Plan? The best way to find out is to schedule time to run a remote tabletop exercise. The updated exercise can provide insight into new strengths or weaknesses created by a distributed IRT.  Such practice can highlight the differences created by an at-home response, such as does everyone on the IRT have a hard copy of the Incident Response Plan in the event one is not accessible online?

Coordinated Vigilance

Updating your Incident Response Plan is key, but it should be done in coordination with improvement to other safeguards.  In parallel with rolling out new work-from-home measures, companies should consider adjusting relevant policies, such as the Acceptable Use Policy, and assess how new access controls or encryption measures, such as virtual private networks, can mitigate risks to security. While employees are adjusting to an array of new norms, it may be less disruptive to add a few more, including multi-factor authorization, new password complexity standards, and other access control measures. By remaining vigilant and keeping continuous focus on the issues of security and privacy, companies stitch best practices into the cultural fabric of their team.

If you have questions about creating a legally defensive Incident Response Plan contact sophisticated tech counsel, we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologist and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

CoronavirusDigital Transformation in the Time of COVID-19

Digital Transformation in the Time of COVID-19

In response to the COVID-19 pandemic, businesses around the globe have made a major pivot to online or virtual operations, hitting fast forward on digital transformations that usually take time and careful planning. Everything from university classes to corporate board meetings to wine tasting at your local bar have jumped online, opening a whole new world of possibilities—and potential data security and privacy risks that should not be overlooked. With privacy and data security concerns more important than ever before, it is important to remember that even emergency digital transformations must use a “measure twice cut once” strategy that factors in Privacy by Design at the outset.

Why Privacy Considerations Can’t Wait Until Later

In the rush to move business online, it may seem like a necessity to gloss over privacy risks and deal with them later. However this approach is inefficient at best and can be disastrous if there’s a security breach. Digital transformation has to start without an intentional focus on data protection and a solid understanding of the regulatory landscape.

This understanding is becoming increasingly important as privacy laws like the GDPR and CCPA, along with a host of new regulations on the horizon, highlight Privacy by Design principles in their consumer privacy guidelines. That means in many cases, putting consumer privacy first isn’t just good business—it’s a legal requirement. In fact, article 25 of the GDPR demands that organizations practice “privacy by design and by default,” meaning organizations must integrate data protection up front in any design or business practice and maintain those protections throughout the data lifecycle.

How to Make Privacy a Cornerstone of Digital Transformation

A good digital transformation strategy will define goals, identify appropriate technologies, establish leadership and educate staff on the new technologies and protocols. But each of those steps should be driven by data privacy and security considerations.

Therefore even if the digital transformation needs to happen quickly, it’s critical to make sure privacy is the cornerstone of the plan. At Beckage our experienced team of attorneys can work with you to assess potential privacy pitfalls and blind spots, especially in this ever-shifting legal landscape. Beckage attorneys provide on-site and around-the-clock counsel to clients on data protection and information security practices required under state or federal law, for example, or advise on security risks and responsibilities. Taking the time to employ Privacy by Design is an upfront investment that will help ensure your digital transformation strategy is built on solid ground.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

0
COVID-19Insights Into the COVID-19 Health Data Bill

Insights Into the COVID-19 Health Data Bill

This update concerns the COVID-19 Health Data Bill, recently introduced to the New York State Senate by State Senator Kevin Thomas (S8448A), and in the State Assembly by Assemblywoman Linda B. Rosenthal (AB 10583). The COVID 19 Bill could have significant implications on businesses that collect information as part of their federal and state COVID-19 compliance measures, including the NYS-Required Safety Plans.  

The COVID-19 Bill applies to any company/person that collects, uses, or discloses “emergency health data,” which is defined to include data that is “linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device from other collected data” and that “concerns the public COVID-19 health emergency.”  

Emergency health data includes information that reveals past, present, or future physical or behavioral health or condition of, or provision of healthcare to, an individual including:

• data derived from testing or examination;

• whether or not an individual has contracted or been tested for, or an estimate of the likelihood that a particular individual may contract, such disease or disorder; or

• genetic data, biological samples, and biometrics.

Emergency health data also includes “other data collected in conjunction with other emergency health data that can be used to infer health status, health history, location or associations”. This includes: geolocation data, proximity data, demographic data, contact information, and other data collected from a personal device.  

The Bill requires businesses that collect, process, or use emergency health data in connection with the COVID-19 crisis to:

1. Obtain Affirmative Opt-In Consent: The Bill requires that businesses obtain an individual’s “freely given specific, informed, and unambiguous opt-in consent” to process individual emergency health data and prohibits collection without such consent except in certain narrow circumstances.

2. Comply with Data Retention Requirements: The Bill contains rigid data retention time periods (30 days or 14 days for proximity tracing or exposure notification data). If a business stores emergency health data for more than 30 days, The Bill requires the business to “reengage consent” from the individual from whom the information was collected in the first instance.

3. Maintain Written Privacy Policies and Transparency Reports: The Bill requires the posting of Privacy Policies which detail the business’s collection and use of emergency health data and the preparation of written Transparency Reports describing the business’s collection of emergency health data every 90 days.  

4. Limit Use: Data collected for responding to the COVID-19 public health emergency (e.g., tracking, screening, monitoring, contact tracing) must be collected “at a minimum level of identifiability reasonably needed for tracking COVID-19”. The Bill clarifies that for covered entities using proximity tracing or exposure notification, this includes changing temporary anonymous identifiers “at least once in a 10-minute period.” The Bill also prohibits the use of emergency health data for any purpose beyond what is adequate, relevant, and necessary to perform the transaction consented to by the individual, or for any purpose not authorized by The Bill (e.g., commercial purposes, advertising, selling, etc.).

5. Provide Individual Right to Access and Correction: The Bill gives individuals the right to access and correct their emergency health data.

6. Maintain Reasonable Security Measures: An entity that collects emergency health data must have reasonable administrative, physical, and technical controls in place to safeguard the information from misuse and unauthorized disclosure.

7. Maintain Minimum Necessary Access Restrictions: The entity must have access restrictions in place limiting access to the emergency health data to authorized essential personnel only.

8. Complete Compliance Audits: Covered entities are subject to data protection audits, which include the requirement for risk assessments and evaluation of the technologies used in connection with the information gathering. The results of the compliance audits shall be made available to the public.

The Bill also has notable enforcement teeth, authorizing the State Attorney General to bring enforcement actions and seek civil penalties of up to $25,000 per violation or up to 4% of a business’s annual revenue. As The Bill is for the purposes of the COVID-19 public health crisis, it purports to expire and be repealed on January 1, 2023.

To date, the bill is not on a committee agenda and there is no scheduled testimony for the COVID-19 Health Data Bill. It is not clear whether the bill will move through committee to the floor for a vote before the legislative session ends. However, we anticipate that legislators will be back in Albany at least a few more times this year, and Senator Thomas has been vocal in his desire to make progress on the Bill.

Beckage will monitor the progress on this and other relevant data privacy bills. Beckage is in communication with lobbyists and is closely monitoring for opportunities to provide input on behalf of the business community. Please do not hesitate to reach out if you are interested in discussing the bill’s potential impact on your business. Beckage is privileged to work with clients in a variety of sectors and industries in building efficient, repeatable, and scalable privacy and security programs.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Home OfficeWhat We Have Learned About Remote Workforce Safeguards During COVID-19

What We Have Learned About Remote Workforce Safeguards During COVID-19

Beckage lawyers have been working with businesses to put them in a legally defensible position in pivoting their workforce to a distributed workforce. We have learned a few things from our work and watching what is happening around the globe.

Technical Safeguards Have Had To Quickly Pivot:

Companies are working to narrow their threat surface.

Organizations are working toward making their workforce 100% remote to safeguard employees but with that advantage there is an increase in exposure of company assets “in the wild.” With this increased risk it becomes necessary for those responsible to implement technical safeguards to offset this increased risk. Where preventative controls are not realistic, an organization should look to implement detective controls.

Beckage has evaluated various control options for access management. A few of these are:

• Shortening screensaver times

• Session lockout times

• Tiered approach for modifying user access to high risk platforms, applications, and, where possible, data

• Multi-factor authentication for email and high-risk applications/systems

• VPN and Virtual Desktop Infrastructure

With so many tech vendors selling a variety of services and products, companies are getting lost in the hype and simply want to know how they balance it all as part of a larger game plan.

Organizations Valuing Importance Of Administrative Safeguards:

Companies are realizing how essential it is to have more administrative safeguards in place.

Beckage has reviewed the most relevant policies and procedures that relate to remote workforce. Organizations should analyze if those policy and procedures contain steps or tasks that require key stakeholders to be present.

Additionally, organizations need to confirm that their Incident Response, Disaster Recovery, and Business Continuity Plan are all sustainable with a remote workforce. They should verify that such policies and procedures (including call-trees and responsible party contact lists) are accessible to those who need access. Beckage has suggested that organizations look at cloud-based solutions for storing their policies and procedures. This would enable workforce to access documents even if their network is down.

Physical Safeguards Are Very Important:

With buildings becoming vacant, physical safeguards will become more indispensable than ever. If an organization’s facility is going to have a skeleton crew then there are several questions which need to be addressed such as:

• Who will be responsible for safeguarding assets onsite?

• Does this person(s) have an intimate knowledge of the protocols in the event there is a breach or other criminal activity?

• Does the workforce understand what steps to take in the event they lose a device while working remotely?

• Is the procedure documented and has it been distributed?

• Has the organization walked through the process to commission and decommission devices remotely?

Struggle In Addressing Pandemic & Complying With New Laws:

In the middle of the pandemic, companies have still had to meet the compliance milestones of the NY SHIELD Act and California’s Consumer Protection Act (CCPA), especially where the Attorney Generals responsible for enforcing them have not provided extensions of time to comply despite the organizational disruption of the pandemic.

***

Beckage attorneys, who are also technologists, former CISO and current Certified Information Systems Auditor (CISA) are available to answer any questions you have about the foregoing safeguards and their impact and compliance with NY SHIELD Act, the CCPA, the

European Union’s General Data Protection Regulation (GDPR) or any other privacy or data security statute. Visit us at Beckage.com or call us at 716 898 2102.

Beckage is proud to be the only firm in 2019 named for its “Technology Transactions” practice in Upstate New York Super Lawyers and routinely cited by Law.com for our insights in this fast-moving arena, along with several other awards and recognition in tech and law. We thank you for your business and encourage you to visit our blog regularly for updates on this area of law and others.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.