Security, Data Protection, and Compliance


You’re reading an excerpt of The Holloway Guide to Remote Work, a book by Katie Wilde, Juan Pablo Buriticá, and over 50 other contributors.


Common questions covered here
Do I need additional security or compliance measures for remote workers who work from home?
How do you provide security when employees work from home?
What are potential security risks of having remote employees work from home?

When everyone worked in the same office, maintaining good data privacy, security, and compliance practices was fairly straightforward (and the requirements were much simpler!). Everything was stored on central servers; no one lugged their desktop computer home to work for a few more hours; and few people even knew what a “hacker” was. The largely good news for remote workers is that in the intervening few decades, the explosion in smartphones, laptops, and cloud-based services has meant that most organizations have already had to adapt to an increasingly mobile workforce and to rapidly changing regulations on protecting consumer data.

Given that this guide is largely for startups and high-growth companies, it’s outside our scope to delve beyond the basics of data security and privacy.

What’s important to know is that generally speaking, privacy and security laws apply more to where your customers are, not where your employees are. If you have solid policies and practices for everyone in your company, remote or otherwise, then you should largely be in good shape.

Important: There’s one noteworthy exception, which doesn’t fit squarely within data protection or privacy per se, but does govern invention assignment agreements.

An invention assignment agreement is a contract that grants an employer certain rights to inventions created or conceptualized by an employee while they were working for that employer. The two most common categories of work covered by such agreements are patentable inventions and copyrightable works.

At least nine states have statutes governing employee invention assignment agreements. Seven of those states—California, Delaware, Illinois, Kansas, Minnesota, North Carolina, and Washington—have nearly the same set of requirements. If your agreements are in line with any of those, you should be similarly covered in any other states with comparable laws. Foley & Lardner provide a good summary of what may vary in these cases.

Notable Privacy and Security Legislation

Adhering to a general set of guidelines—which we lay out below—will get most organizations where they need to be. That said, in the U.S., as of 2020 there’s one new development that companies of a certain size will be required to pay attention to, regardless of where their employees are, and it’s worth mentioning because it’s likely to set the stage for other state-based regulations.

New: The California Consumer Privacy Act (CCPA) went into effect as of January 2020. It applies to companies that:

  • serve California residents

  • have at least $25M in annual revenue, or

  • have personal data on at least 50K people, or

  • collect more than half of their revenue from the sale of personal data.

Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States. In many ways, this is much closer to the General Data Protection Regulation (GDPR) laws that rolled out in 2018, which also affect any company with over 250 employees that does business with residents of the European Union over the internet.* (GDPR does stipulate requirements for businesses with fewer employees—even sole proprietorships or other small entities—they just have less strict reporting requirements.*)

A couple other states have their own noteworthy data protection and security laws, including Massachusetts** and New York.* The burden of these data privacy and security breach disclosure requirements is generally alleviated to some extent for a “small business,” which in the New York statute is defined as a “person or businesses with fewer than 50 employees, less than $3M in gross annual revenue, or less than $5M in year-end total assets.”

Data Privacy and Security Guidelines for Remote Companies

This is a set of practices that any company should follow, but with remote and more mobile employees, it’s especially important to have these in place:

  • Device security. It’s critical to be clear what your company’s device policies are. Can people use their own phones and laptops (aka “bring your own device” or BYOD)? If so, it’s even more important that any data or tools they’re using have appropriate information management (see below) to ensure that access can be shut down in the event that their device is lost or stolen. Many companies side-step this by offering their own laptops and cell phones for employees to use.

  • Passwords. Make sure everyone is using a password manager, and never share passwords in writing or locations where guests or non-authorized people might have access (like Slack).

  • Two-factor authentication (2FA). 2FA requires people to present a second factor in addition to their password, such as a code sent to their phone or generated by another authentication device or service, in order to log in to any tools, portals, or services for their work.

  • Wifi/VPNs. It seems like common knowledge that employees should refrain from using unsecured wifi networks, but that’s painfully tone-deaf advice for remote or mobile employees. Providing guidance around not accessing certain information or systems when on unsecured wifi is far more helpful for most growing companies. Companies can also consider providing VPN solutions to help when wifi network security isn’t guaranteed.

  • Information management (or access control). Information management aims to make sure people are who they say they are, and that they have the appropriate access. A simple example is: who is invited to specific channels within Slack, or who has access to company data and/or tools? Access control can become significantly more complex for larger, enterprise companies, but for growing remote organizations, what matters most is to make sure people only have access to tools and data that they explicitly need to do their job.

  • Cloud-based storage. Employees shouldn’t be storing sensitive information on their own devices. Thanks to the widespread availability of cloud services, this is much easier than it used to be. Using tools like Google Suite, Docusign, Dropbox, and similar services—with appropriate information management and access controls—allows remote workers to access documentation and data they may need without storing it locally.

  • Write it down. Document what your data privacy and security measures are, making sure it’s included in your onboarding material and company handbook, and revisiting these policies with everyone at a cadence that makes sense for the growth of your company.

  • HIPAA, ITAR, PCI-DSS, GLBA, SOX, ISO 9000, et cetera.

    • Why these can be important (for example, to get certain customers you might need documentation or certification)

  • Organizational controls

  • Financial controls

  • Physical security (perimeter, MFA, biometric, et cetera)

  • Mandated trainings
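The device-security, 2FA, and access-control guidelines above all reduce to one decision: given who is asking, from which device, and with which factors, should this request be allowed? The following is an added example, not code from the Holloway guide, of a default-deny access check that ties those three guidelines together: a device registry that lets a lost or stolen device be revoked, a mandatory second factor, and a least-privilege grant table so people only reach the tools their role needs. All roles, tool names, device ids, and user names are constructed for illustration.

```python
"""Added example (not from the guide): default-deny access decisions that
combine device revocation, a 2FA requirement, and least-privilege grants.
Every name and value below is constructed for illustration."""
from dataclasses import dataclass

# Constructed least-privilege grants: role -> tools/data that role needs.
# Anything not listed here is denied by default.
ROLE_GRANTS = {
    "engineer": {"source-repo", "ci-logs", "staging-db"},
    "support": {"ticketing", "customer-directory"},
    "finance": {"payroll", "bank-portal"},
}


@dataclass
class Device:
    device_id: str
    owner: str
    managed: bool            # company-issued (True) or BYOD (False)
    revoked: bool = False    # set when the device is reported lost or stolen


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    device_id: str
    mfa_verified: bool       # did the user present a second factor?


class AccessPolicy:
    """Evaluates requests in a fixed order; the first failing check wins."""

    def __init__(self, grants, devices):
        self.grants = grants
        self.devices = {d.device_id: d for d in devices}
        self.audit = []      # every decision, for later review

    def revoke_device(self, device_id):
        """Shut down access from a device the moment it is reported lost."""
        self.devices[device_id].revoked = True

    def decide(self, req):
        reason = self._evaluate(req)
        allowed = reason == "allow"
        device = self.devices.get(req.device_id)
        self.audit.append({
            "user": req.user, "resource": req.resource,
            "device": req.device_id,
            "byod": device is not None and not device.managed,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _evaluate(self, req):
        device = self.devices.get(req.device_id)
        if device is None:
            return "deny: unknown device"
        if device.owner != req.user:
            return "deny: device not registered to user"
        if device.revoked:
            return "deny: device revoked"
        if not req.mfa_verified:
            return "deny: second factor missing"
        if req.resource not in self.grants.get(req.role, set()):
            return "deny: no grant for role"
        return "allow"


def run_demo():
    """Walk through the situations the guidelines describe; returns reasons."""
    devices = [
        Device("lt-001", "alice", managed=True),     # company laptop
        Device("ph-002", "bob", managed=False),      # Bob's own phone (BYOD)
    ]
    policy = AccessPolicy(ROLE_GRANTS, devices)
    results = {}
    results["engineer_repo"] = policy.decide(
        AccessRequest("alice", "engineer", "source-repo", "lt-001", True))[1]
    results["engineer_payroll"] = policy.decide(
        AccessRequest("alice", "engineer", "payroll", "lt-001", True))[1]
    results["no_mfa"] = policy.decide(
        AccessRequest("bob", "support", "ticketing", "ph-002", False))[1]
    policy.revoke_device("ph-002")                   # Bob reports his phone stolen
    results["stolen_phone"] = policy.decide(
        AccessRequest("bob", "support", "ticketing", "ph-002", True))[1]
    results["borrowed_device"] = policy.decide(
        AccessRequest("bob", "support", "ticketing", "lt-001", True))[1]
    results["audit_entries"] = len(policy.audit)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario:18} {outcome}")
```

The ordering inside `_evaluate` is deliberate: device checks come before the factor and grant checks, so a revoked device is refused even when the user still holds valid credentials and a working second factor, which is exactly the case the device-security guideline worries about. The audit list records the BYOD flag with each decision so that a later review can see which access came from unmanaged devices.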

Further Reading on Data Privacy, Security, and Compliance
