Why Paper Should Be Part of Your COVID-19 Remote Work Cybersecurity Planning
Keeping your business running and your employees safe during the COVID-19 pandemic is a complex and involved pursuit. As a good, conscientious employer, you are likely urging employees to work remotely, when and where possible. You are working with your IT department or vendor to make sure that your existing remote access capabilities are appropriately expanded to all necessary employees, working to account for the heavier demand, allowing access to all necessary IT system components, and ensuring that all such access is secure. But is that enough?
One additional thing that you should consider is the movement of non-electronic materials out of the office during this period of increased remote access. Here are a few things you should consider as you navigate these difficult times.
Don’t forget the paper
While businesses increasingly have been moving towards paperless, electronic documentation and operation, paper and non-electronic materials remain a significant component of business operations. Employees often print out frequently used materials for quick reference. Other forms and documents, like invoices or original signed documents, initially exist in paper form until later scanned into IT systems. Blueprints, schematics, plats, and other technical documents, especially if older, may be available solely in paper form. This is important because data privacy regulations often apply to paper as well as electronic documents. Many regulations are directed simply to the disclosure of personal or sensitive information to unauthorized individuals (no matter the format of the information). While focus rightfully may be placed on the security of personal and confidential information found in electronic form, you should make sure that you also plan for the movement of confidential documents or documents containing sensitive information in paper form out of your secure environment.
Unlike electronic documents, which when accessed remotely are still found in their secure location on the IT system, paper documents that are removed from the business are no longer within the possession, custody, and control of the business. Whether in locked file cabinets, stored in locked rooms, or just indexed in boxes in a warehouse, these paper documents, when removed from the physical place of business, are going to be less secure. Documents left in briefcases or boxes in cars are susceptible to theft, loss, or destruction. Documents left on tables or counters in homes are susceptible to being read by unauthorized individuals. Moreover, documents removed from the business by one employee are not accessible or available to other employees. Steps should be taken to protect the security, integrity, and chain of custody of such documents.
Suggestions to Protect Paper Documents
Where possible, log all documents containing sensitive or protected information that leave your business. This should be done at all times, and especially now, when your employees may be taking these types of documents with them to work remotely. The log should include a brief description of the document being removed (including the number of pages), from where the document is being taken, and who is removing the document. Where possible, a copy of the document should also be made so that, if the document is lost or destroyed, you know what information it contained. This log can and should then be used to follow up to ensure the document is returned when normal work resumes.
Try to ensure that all documents leaving the business that contain confidential, personal, or sensitive information are marked with “Highly Confidential” stamps and kept in folders identifying the same. Employees taking such documents should be instructed on policies regarding the safe use and transfer of sensitive and confidential materials (e.g., do not leave in a car, do not leave unattended, do not share with others). Further, such employees should be instructed on procedures to follow if such information is disclosed, lost, or destroyed (e.g., how to report, to whom to report).
Finally, you should also discuss with employees working remotely the need to handle confidential and sensitive information printed from your electronic network in a proper manner. Whether printed at the office and taken home or printed at home, employees need to understand the security and privacy obligations that accompany sensitive and confidential information. Of particular concern are the obligations surrounding document destruction. Employees should be instructed on how, once they no longer need a printed document, to shield confidential or sensitive information in it before disposal, or on the need to shred or otherwise destroy it so that it is no longer accessible or usable.