Coronavirus – Risks and challenges of remote working – Global

26-05-2020

In a normal setting, when considering offering employees more means to work from home, a firm would initiate a multidisciplinary project. Such a project can easily take several months, with a thorough assessment of solutions, and candidates being considered carefully. Upon selection of the right solution, one would then enter a phase of testing the preferred solution and offer functional and awareness training to staff and end-users. In general, both the legal and compliance departments would already have done their part, and HR would have carefully considered employees’ rights and the possible position of the Works Council.

None of this was possible when COVID-19 entered our lives, and from one week to another entire offices were forced to work from home. Companies, and more specifically IT-departments, struggled to enable the huge move to remote working. There was no time to prepare a proper project plan, no time for awareness training, and no time for careful selection of solutions. It was an emergency situation which called for immediate solutions to be rolled out.

In many instances, personnel communicating with one another chose to do so via their preferred applications such as WhatsApp, Messenger, Zoom and MS-Teams. This resulted in employers being confronted with a variety of platforms and apps suddenly being in operation. Undoubtedly this was done with the best of intentions, but it has presented organizations with a multitude of risks. It is likely that only some of these risks have been mitigated since; no organization will have been able to cover itself from all legal and compliance perspectives. This article aims to highlight some of the challenges firms face in their rush to address these risks.

Scoping remote working risks

In order to scope your legal and compliance project on remote working, you will first need to assess which solutions are being used by your employees. If only existing platforms are being used (those already present on company laptops and devices), it is still highly likely these are being used in a way that is outside of the company infrastructure, or is in breach of company policies. If there were no specific platforms and apps in place to enable efficient working from home, employees will likely have rushed to a vast number of solutions that first need to be scoped.

Private devices such as phones, laptops or home desktop computers will likely have been used. Depending on your policies on company proprietary devices, new applications may also have been downloaded on such devices. Only when the scoping exercise is complete will you be able to assess the risks that have come into existence by the use of these platforms and devices over the past few months.

Another aspect to be aware of is that even if you decide to limit use to a certain number of preferred applications, and remove or un-install other applications, there is still the legacy of use, and the associated risks need to be assessed. An example of why this is important follows:

Employees at Company A have used several new communication applications that are not in line with the company’s policies, including an online storage platform. After thorough scoping, Company A has decided to cease use of these applications, and all have been un-installed from devices. Company A assumes it has now mitigated the associated legal and compliance risks. However, it has not considered the terms and conditions that were agreed to when downloading these applications initially. Several state they have the right to access certain information such as contact details, and some even reserve the right to access the content stored.

How can Company A determine if these risks pose a real threat? If confidential information was uploaded, how can Company A make sure the information has been deleted by the platform provider?

Legal and compliance projects for remote working in The Netherlands

After thorough scoping, ideally your legal and compliance projects will split into two. One project is to assess the risks that the organization has taken in this emergency situation where people needed to rush implementing means of working from home. The other project is how to, in an orderly fashion, un-install certain applications, cease the use of certain platforms, migrate data to preferred platforms, and set up a proper legal and compliance structure for the “chosen” alternative solutions.

Once your overview of the solutions that have been used is as complete as it can be, you will need to delve into:

(i) the user terms of all those platforms

(ii) scope the actual use

(iii) identify the security level and data flows

(iv) retention of information (on devices and in the cloud) enabled by that solution

These steps are all necessary to properly assess the risks taken. This will also reveal what rights and obligations your employees have committed to when starting to use the concerned solutions. This investigation will also help you in selecting the solutions that will be used by your organization in the future.

However, not all risks and challenges can be found by simply reading the license terms and conditions of those solutions, or by delving into the technical workings of them. Another aspect to consider lies within the domain of the employee.

Private network risk when remote working in The Netherlands

In an ideal world (from a cyber security perspective) all company devices will use 4G/5G only (no WLAN), multi-factor authentication and encryption, and will be subject to network surveillance and end-point detection software. As this is realistically not the case in most organizations, you will likely find that employees have been using poorly secured home networks to access the internet. Private networks can have serious security vulnerabilities. Many privately owned routers are rarely or never updated, and are simply outdated. Even if a private network is deemed to be relatively secure, does that level of data security measure up to the standards required in your sector? In the regulated financial sector, for example, these requirements may be more onerous than in other sectors.

Is it safe to use a printer when remote working in The Netherlands?

Within a private network, there are also often one or more printers present. It is often overlooked that network printers have hard drives that keep copies of the documents they have printed. Many companies have meanwhile implemented procedures within their own offices to wipe such hard drives regularly. However, it is likely nobody has done this for their home situation.

This means that any printing done through the home network has created risks. Firstly, the printer has stored a copy of the employer’s confidential information, and secondly the home network itself could have been hacked. Lastly, there are probably highly confidential print-outs lying around employees’ homes. There is no way of knowing whether any of these risks have materialized without asking the proper questions and creating awareness about the possible (and serious) consequences.

Furthermore, in some cases those working from home have children around, and will have knowingly or unknowingly given them access to a company device. It is also possible that calls are held (possibly on loudspeaker) with others within earshot and able to listen in on confidential information: perhaps there are housemates, or even neighbors if windows are open or an employee is working in their garden.

GDPR and remote working in The Netherlands

Another challenge comes from GDPR. This regulation forces an employer to respect the rights of its employees, but especially to take care of all personal data it has collected from any data subject. So how do you know what personal data was collected and shared in the home working situation? Furthermore, if non-company solutions have been used, how will you be able to, for example, fulfill a Data Subject Access Request (DSAR)?

In a recent matter we were faced with a DSAR aimed at a financial institution, where a certain department had made unauthorized use of WhatsApp for a departmental app group. Because of the DSAR the employer needed to get access to that departmental app group because personal data about that person had (in all probability) been shared in that app group. This is specifically related to WhatsApp, but this can be broadened to any solution that has chat functionality, including Messenger, Zoom, MS-Teams etc. Regarding platforms that enable uploading and screen-sharing, how do you know what was shown, downloaded or uploaded on such a platform? And what means can you now put in place to find out?

Commercial impact of remote working in The Netherlands

The above not only relates to cyber security and GDPR, but also to confidentiality in the broadest sense possible, as many companies rely on trade secret protection in line with the trade secrets directive. However, you can only successfully call upon trade secret protection if you have put the proper confidentiality and security safeguards in place to protect that information in the first place.

So how does the unauthorized use of communication apps and platforms measure up to those standards? Will their use mean that your organization has lost the possibility to call upon trade secret protection? It goes even further if you consider proper confidentiality obligations in most commercial contracts. In a vendor-customer setting confidentiality is often agreed upon, setting high standards for means of communication and storing of information. Have those agreements been breached by the uncontrolled rush by your employees to unauthorized communication platforms?

Confronted with such an alleged breach, will you be comfortable enough to just call upon force majeure protection? It might be wise to open up conversations with your customers and agree upon amendments of the confidentiality aspects of your agreements, based on the working from home situation. We have meanwhile drafted a specific template for this – please feel free to send me an email if you need assistance in this regard.

Another concern could be that agreements might not have been signed properly, due to a lack of electronic signature and remote signing instruments in the working from home environment.

Remote working in The Netherlands: conclusion

By scoping the risks and challenges that have occurred over the past few months, you will collect ample information to choose the solutions that you, as an organization, will use in the future. You can then set up a proper legal and compliance framework around it.

Based upon the above we would emphasize that when looking to set this up, you would (at least) need to address the following issues and challenges:

  • cyber security policy for home networks: what is going to be your standard, will you help employees and will you audit this?
  • strict policy to use only company devices (on the private network, or will you enable 4G or 5G?) or amendment of (Bring-)Your-Own-Device (‘BYOD’) policies
  • will you start using end-point monitoring and detection on these devices?
  • review and amend your fair processing notices and your internal privacy policies
  • implement specific guidelines on the use of solutions and the storage of both confidential information and any information relating to personal data
  • printing from home, archiving and retention, or can you disable that functionality for a home network within your company network?

These are just a few important examples that hopefully provide more food for thought than one would initially consider. There is no one-size-fits-all approach; every organization should do their own careful assessment, considering the needs and characteristics of the organization.

The good news is that we have all faced these sudden issues, without time for proper preparation and planning. One would expect, or at least hope, that for instance Data Protection Authorities will take this into account and won’t act too aggressively at this stage of adaptation to this new reality. However, we would recommend making it an urgent topic on your board agenda. Within a few months, force majeure arguments will no longer let you off the hook with the supervisory authorities, or with your clients.