The business disruption caused by COVID-19 has created a number of new cyber security risks for companies to manage.
In addition to a significant increase in opportunities for malicious actors to engage in cyber-crime, temporary measures and work-arounds put in place by business to deal with the disruption can expose companies to legal and regulatory risk.
As a result of COVID-19, many companies have needed to:
- rapidly expand their IT systems and cloud capability to cope with the need for staff to work from home, bypassing or rushing the usual security, legal and acceptance testing processes;
- adopt publicly available communications and file-sharing services, many of which were designed for personal use rather than for the transmission of confidential business information (some of these platforms, such as Zoom, have had widely reported security and privacy weaknesses, yet remain in popular business use); and
- reconfigure staffing, including standing down or reassigning staff, with the result that the people and procedures that ordinarily protect the company against cyber security incidents or detect fraud may be absent, suspended or focused elsewhere.
Staff are also highly likely to introduce ‘Shadow IT’ (unauthorised programs and devices) into their home working environments in order to get work done. This can be as simple as sending company documents to a home device by e-mail or USB for printing on a home printer. Another common example is teams setting up their own group chats on platforms such as Facebook and WhatsApp.
An up-tick in cyber-crime activity
There is evidence of a strong up-tick in cyber-crime exploiting the COVID-19 crisis, particularly social engineering and phishing. Such attacks exploit people’s need for information by impersonating government authorities, major corporations or business leaders to induce users to enter credentials or open attachments in order to access ‘important information’. Some attacks are targeted enough to pass as internal communications, for example a ‘Working from Home Statement’ purporting to come from the company’s CEO to its staff and customers.
The legal risks that arise from these changes require active management. COVID-19 will not excuse actions that reduce the security of personal or confidential business information, nor does it alter contractual or regulatory privacy and confidentiality obligations.
Further, COVID-19 does not reduce the obligation under Australian Privacy Principle 11 to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Nor does it extend the time for assessing and notifying eligible data breaches or for meeting other compliance obligations.
There is a need for particular vigilance in relation to cyber security during COVID-19, and we recommend that General Counsel be in regular contact with their CIO and CISO about:
- the changes being made to the IT infrastructure and their security effects; and
- a critical assessment of the legal consequences of those changes.
The OAIC has recommended that companies undertake a Privacy Impact Assessment to ensure that personal information is handled in a way that is necessary, reasonable and proportionate.
Guidance issued by government authorities provides a reasonable basis for assessing risks and taking steps to ensure that the company meets its legal obligations. In particular, it is worth drawing attention to the Australian Cyber Security Centre’s (ACSC) recommendations in relation to the use of video-conference software:
“Prior to agreeing to a service provider’s terms and conditions, organisations should seek privacy, security and legal advice. Notably, the terms and conditions should include specific clauses that address organisations’ legal, privacy and security requirements. Without privacy and security requirements being specified, organisations may not be able to verify a service provider’s security claims or whether their information is being appropriately used or not. In particular, attention should be paid to whether a service provider claims ownership of any recorded conversations and content, metadata, or files that are created or shared when using their web conferencing solution. Finally, when seeking legal advice, organisations are less likely to inadvertently accept terms and conditions that breach financial or liability rules.”
Adjusting IT policies
Businesses should also consider if their internal IT policies are fit for purpose in the current environment or whether they need amendment or a temporary update to give their employees clear guidance on what they can and cannot do.
Some of the matters that should be expressly addressed or re-enforced in IT policies include:
- ensuring computers are locked when not in use and restarted regularly (daily, where possible) so that pending patches and software updates are actually applied;
- company rules in relation to the protection of confidential information, particularly personal information or highly sensitive IP, with particular reference to the use of solutions designed for social, not business use;
- company rules in relation to the use of Shadow-IT and reinforcing prohibitions on the use of unauthorised technology;
- videoconference and teleconference use, including the security settings of these platforms (as a general rule, all business calls should require a password or passcode, and consideration needs to be given to the recording capability of these platforms and whether it should be disabled or centrally controlled);
- who to contact when a business solution is needed and the process for getting approval to use unauthorised software (for example, when a client wants to have a videoconference using their technology, or share files using an unauthorised service);
- the need for home IT systems to have basic security in place (for example, home Wi-Fi routers need to be kept patched and protected by strong, non-default administrator and Wi-Fi passwords; staff may need specific assistance to minimise this risk);
- ensuring all corporate devices are encrypted, and that personal devices with access to corporate information are enrolled in mobile device management that enforces encryption;
- the use or prohibition of home printers (and how that can securely occur if allowed) and the security of physical copies of confidential/sensitive information in the home environment; and
- reiterating to staff that COVID-19 will be used by hackers to perpetrate fraud and attempt to gain opportunistic access to company and personal information.
Keeping employees updated about known phishing and social engineering attacks will help them avoid inadvertently becoming victims of cyber security fraud. This could be as simple as passing on the ACSC’s warnings in updates to staff.
Five key takeaways
We recommend that General Counsel keep the following five things under constant review during COVID-19.
- Ensuring that IT measures being adopted on an ad-hoc basis are consistent with:
- regulatory requirements specific to industries (for example financial services, health care, defence, government contracting and telecommunications);
- the maintenance of best practice and compliance with ISO27001 or other standards – noting that these may be contractual obligations or representations that the company has made;
- any specific contracts that impose privacy or data protection obligations.
- The schedule for applying critical software updates and patches, and the method for ensuring they can actually be applied. For example, staff on limited or metered broadband may need to be supplied with USB drives containing the updates; if so, the media should be issued through a controlled process, the files verified against the vendor’s published hashes or signatures before installation, and the arrangement reconciled with any decision to block USB storage on company laptops.
- Whether geo-security measures can be tightened during COVID-19. With little to no international travel, there is likely no need for anyone to access corporate systems from countries where the company has no staff presence. Geographically restricting access to cloud platforms and Office 365 reduces the risk of unauthorised access by internationally based criminals. It is a coarse control rather than a complete one: an attacker can route through a VPN or a compromised machine inside an allowed country, so geo-restriction should be combined with strong authentication and monitoring of sign-ins rather than relied on alone.
- Whether measures to prevent exfiltration of data, such as blocking USB storage on company laptops and increasing monitoring of data outflows from key systems, are prudent in the current environment.
- Considering the impact of COVID-19 on critical third party and supply chain partners. If they have been severely impacted by COVID-19, they may need specific support to continue to ensure they can meet their cyber-security obligations. Further, it may be appropriate to reiterate contractual obligations regarding their access to your IT systems and their obligations to protect confidential information and personal information they hold on your behalf.
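One practical way to act on the geo-restriction and sign-in monitoring points above is to audit the sign-in records that cloud platforms export before tightening the policy, so that the allow-list reflects where staff actually are and so that sign-ins already arriving from outside that footprint are surfaced. The following Python script is an example added here and is not from the original article or from any vendor; the country allow-list and the sign-in records are constructed for illustration, and the CSV column names are assumptions rather than any specific product’s export format.

```python
"""Audit cloud sign-in records against the countries where the company has staff.

Added example, not part of the original article. The allow-list, the CSV
column layout and the log lines below are all constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical staff footprint: the only countries from which sign-ins are
# expected while international travel is suspended.
ALLOWED_COUNTRIES = {"AU", "NZ"}

# Constructed sample export. Columns are an assumption: timestamp, user,
# source IP, ISO country code (blank when geolocation failed) and outcome.
SAMPLE_SIGNIN_LOG = """\
timestamp,user,ip,country,result
2020-04-06T08:02:11Z,a.smith@example.com,203.0.113.10,AU,success
2020-04-06T08:05:49Z,b.jones@example.com,198.51.100.23,NZ,success
2020-04-06T08:07:30Z,c.lee@example.com,192.0.2.77,,success
2020-04-06T09:15:02Z,a.smith@example.com,192.0.2.200,US,failure
2020-04-06T09:15:40Z,a.smith@example.com,192.0.2.200,US,success
2020-04-06T11:40:12Z,d.wong@example.com,203.0.113.55,AU,success
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    ip: str
    country: str
    result: str
    reason: str


def classify(country: str) -> str | None:
    """Return why a sign-in is outside the footprint, or None if it is inside.

    A blank country is treated as outside the footprint: a geo-fence that
    waves through addresses it cannot map is not a fence, and the same
    "deny unknown" choice should be made when the restriction is enforced.
    """
    code = country.strip().upper()
    if not code:
        return "country could not be determined"
    if code not in ALLOWED_COUNTRIES:
        return f"country {code} not in staff footprint"
    return None


def audit(log_text: str) -> list[Finding]:
    """Parse a CSV sign-in export and return every out-of-footprint sign-in."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = classify(row["country"])
        if reason is not None:
            findings.append(Finding(row["timestamp"], row["user"], row["ip"],
                                    row["country"], row["result"], reason))
    return findings


def successes_by_user(findings: list[Finding]) -> dict[str, int]:
    """Count successful out-of-footprint sign-ins per user.

    Failed attempts still matter as evidence of targeting, but a success is
    an account that must be reviewed before the geo-restriction is switched
    on, otherwise the attacker keeps the session and the owner is locked out.
    """
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        if f.result == "success":
            counts[f.user] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(SAMPLE_SIGNIN_LOG)
    for f in results:
        print(f"{f.timestamp} {f.user:<22} {f.ip:<14} {f.result:<8} {f.reason}")
    print("successful out-of-footprint sign-ins:", successes_by_user(results))
```

Run against a real export, the script gives two things the policy decision needs: the list of countries to include (anything legitimate that appears outside the constructed allow-list means a staff member is somewhere unexpected and the list needs adjusting) and the accounts that have already authenticated from outside the footprint, which should be investigated before access is restricted rather than after.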
The rapid evolution of working practices under COVID-19 has added further complexity to the cyber security landscape for companies, and General Counsel have a significant role to play in ensuring that companies manage their data security and privacy obligations through the COVID-19 crisis. Those companies that pay attention to these issues will reduce the risk that their broader recovery is complicated by cyber-security threats and fraud.
About Corrs Cyber
Corrs Cyber is a unique, coordinated legal, forensic and cyber offering. Our multidisciplinary team includes our market-leading technology, media and telecommunications (TMT) and disputes lawyers, working closely with some of Australia’s leading forensic technology practitioners, a Certified Ethical Hacker and IT security specialists.
To learn more about Corrs Cyber, contact a member of our team.
Cyber Virtual Event
We invite you to register your interest for a virtual event in the form of a panel discussion on the key cyber risks General Counsel need to be aware of during the COVID-19 crisis. We can consider recent matters we have acted on to ensure you are better armed to think about how these scenarios could play out in your own organisation.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.