
COVID-19: DATA PRIVACY


Working From Home? Online Scammers Are Not Social Distancing

By Zachary S. Heck
Co-Chair, DBA Editorial Board
Taft, Stettinius & Hollister, LLP


Although Governor Mike DeWine’s Stay at Home order exempts legal services, many DBA members, and their clients, have found themselves learning the ropes of how to work from home in an effective manner. For many, the learning curve has been pretty steep as we participate in conference calls with barking dogs and homeschooled kids in the background. Although you have a million concerns competing for your attention during this unprecedented time, it is extremely important to avoid creating data security risks while working to flatten the curve.

This March, as people scramble to identify trustworthy information about the spread of COVID-19, how they can protect themselves, and how they can get tested, spammers and scammers have taken advantage of vulnerable telecommuters. For example, in just the last few weeks, media outlets have reported on the following scams:

• Email Phishing: According to both the Federal Trade Commission and data security firm Kaspersky, email phishing schemes frequently include the use of organization names that would normally appear legitimate. Such emails appear to be coming from representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). These emails have CDC or WHO logos and headings, or have email addresses that, after a quick glance, look to be official (such as cdc-gov.org). Links in such emails could be spoofed and malicious, infecting the user’s device with malware after a click. In some instances, the link will direct users to a page asking them to enter the username and password for their Microsoft Outlook email account, which a scammer then collects.

• Domains and Apps: Website domains exist that appear to track COVID-19 updates and health information, but actually prompt users to download malicious apps to access this information. In particular, an Android App (“COVID-19 Tracker”) has been circulating that, once downloaded, infects the device with ransomware and then demands payment or else the data on the device will be erased. Additionally, various websites have promoted themselves as infection map reports, but instead spread password-stealing malware.

• Goods Delivery: Although goods and supplies, such as cleaning and household items, are running out at local stores, there are online entities holding themselves out as retailers purporting to have these items in stock. Instead, they are scams that take your payment and never deliver your ordered items. Anyone working from home who is tasked with the responsibility of ordering supplies for their organization should be conscious of online retailers and conduct additional research into the seller to verify their legitimacy. For example, many retailers on Facebook Marketplace or Craigslist may not be who they represent themselves to be.

• Fake Charities: As with any major event or crisis, scammers will try to take advantage of our good intentions. This can take the form of fake charities and fake donation pages. Fake charities may be a completely made up organization (think George Costanza’s “The Human Fund”), or they can resemble or imitate established charities.
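The lookalike sender address described in the email phishing item above (cdc-gov.org imitating the CDC) can be checked mechanically. The following Python sketch is an added example, not part of the original article; the trusted list (cdc.gov, who.int), the function names, the 0.8 similarity threshold, and the sample headers in the comments are assumptions made for illustration.

```python
import difflib
from email.utils import parseaddr

# Official domains of the two organizations the article names (assumed list).
TRUSTED = ("cdc.gov", "who.int")

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def _contains_run(labels, run):
    """True if `run` occurs as consecutive items inside `labels`."""
    n = len(run)
    return any(labels[i:i + n] == run for i in range(len(labels) - n + 1))

def classify(from_header: str, trusted=TRUSTED, threshold=0.8) -> str:
    """Classify a sender as 'official', 'lookalike' or 'unrelated'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    # Exact match or a true subdomain of an official domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "official"
    # Treat hyphens like dots so "cdc-gov.org" becomes ["cdc", "gov", "org"].
    labels = domain.replace("-", ".").split(".")
    for t in trusted:
        # Official name embedded in another domain (cdc-gov.org, who.int.example.net).
        if _contains_run(labels, t.split(".")):
            return "lookalike"
        # Near-miss spelling of the official domain (constructed case: cdc.qov).
        if difflib.SequenceMatcher(None, domain, t).ratio() >= threshold:
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for header in ("CDC Alerts <alerts@cdc-gov.org>", "press@cdc.gov",
                   "WHO <no-reply@who.int.example.net>", "news@example.com"):
        print(f"{classify(header):10} {header}")
```

A "lookalike" result is a prompt for human review, and an "official" result only means the visible domain matches: the From: header itself can be forged, which is what SPF, DKIM, and DMARC checks on the mail server address.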

Establishing vigilant information security practices while telecommuting is more important than ever to guard against bad actors eager to exploit a global crisis. Regardless of the size of your practice (or the size of your clients’ businesses), entities of all shapes and sizes should incorporate the following into their information security practices:

• Establish Secure Home Networks: Open Wi-Fi networks at home continue to expose individuals and organizations to significant risk for intrusion. Open networks allow anyone to connect to the network and potentially access connected devices, such as phones, laptops, and listening devices such as Amazon’s Alexa. Open networks may also allow intruders to access connected company-owned hardware that contains confidential, sensitive, or privileged information. The Federal Trade Commission recommends that when using devices for work from home, individuals should ensure their router has WPA2 or WPA3 encryption enabled. Individuals should check with their internet service provider to confirm this is in place.

• Secure Laptops and Sensitive Files: While moving equipment and files from the office to the home, individuals should make sure their laptop and files remain safe and secure. It can be easy to lose a file or forget to lock a laptop while moving out of the office or just walking away from your kitchen table. Removable hard drives and thumb drives should largely be avoided, because both can easily be lost or contain malware. If a company must use thumb drives, then encryption must be available and used. To provide some perspective on the importance of encryption, simply encrypting a drive may remove any duty to report the loss of that drive as a “breach” under most state laws. Considering the shifting priorities of companies in a challenging economic environment, dealing with a breach is surely not in any attorney or client’s budget, and could mean the end of a business.

• Update Software & Applications on Laptops and Devices: Updates are important to correct vulnerabilities in the software. These updates may run automatically or manually, and individuals should take steps to make sure their devices are up-to-date. All computers and devices should be running antivirus software with the latest updates from the manufacturer. When possible, updates should happen automatically.

• Slow Down & Be Aware of Surroundings: Most successful data incidents and breaches occur due to human error. Typically, someone in a rush opens an attachment from a suspicious email, forwards a file to an unintended recipient, or visits a site or link with malicious content. Generally, many of these mistakes can be avoided by simply slowing down and scrutinizing the content you receive. Individuals should be wary of emails or text messages containing links or attachments from unknown senders. Instead of clicking or opening those suspicious links, individuals should report all content to their firm or company’s IT Department, if applicable. When in doubt, call the sender of a message and confirm that the message they sent is legitimate.

• Do Not Forget About Physical Security: We must all protect against unauthorized access to devices and company/client data in remote locations, including from family members, friends, and others. Hard copies of sensitive, confidential, or privileged material should be shredded prior to disposal or recycling. Such documents should be crosscut shredded whenever possible, or otherwise rendered incapable of re-assembly or reading. Additionally, home or remote offices, closets, or desks in which company data and devices are being used or stored should be physically secured using locks or other means to prevent theft or unauthorized use.

For some of our DBA members and their clients, these terms and practices may seem foreign. The best thing to do during this period of increased reliance on remote work technology is to take the time to understand the benefits, risks, and impacts of each. Hasty decisions made in an effort to keep a practice or business running in the face of a crisis can have severe consequences, including opening the door to security vulnerabilities that can harm the business, customers, and clients you are seeking to protect.
