Israel’s Privacy Protections and Data Security Recommendations for Telecommuting due to Coronavirus Spread
In light of the coronavirus pandemic and the constantly developing guidelines from the Ministry of Health, many companies are moving to telecommuting and working from home. This is a solution that supports business continuity even at this time of uncertainty. However, alongside the clear advantages, this form of employment also poses risks in terms of data security and privacy infringements.
Under the Privacy Protection Law and the Privacy Protection Regulations (Data Security), a company that holds a database containing personal information is required to operate in a manner that ensures protection of the data’s integrity and prevents unauthorized entry into the database, while setting internal routine protocols as well as protocols for data breach events. In doing so, the Regulations establish an active obligation to set security protocols according to the level of sensitivity of the information held, including in cases of remote access. The Regulations even encourage prohibiting or significantly restricting the use of removable media, such as external drives or flash drives, as well as laptops. The reason for this requirement is the ease with which a data breach event may occur, even under simple circumstances of theft or loss.
While working from the office allows a business relative control over compliance with the law and internal protocols as to the mode of operations and protection of documents, infrastructure that allows remote access may not only weaken the protection of computer systems, but also make supervising employees’ conduct more difficult.
On March 11, 2020, the National Cyber Security Authority published the Telecommuting Protection Recommendations for Businesses and Organizations. These recommendations primarily address security measures to reduce cyber risks, including, inter alia, steps relating to IT personnel in organizations. Pursuant to the recommendations, remote access must be carried out by means of a device known to IT personnel and performed in a targeted and restricted manner suited to the needs of the company, and the information systems must be protected with adequate measures. The need for additional technological measures, for instance settings that ensure disconnection of inactive connections to the system after an appropriate time, should be considered in order to reduce the elevated risk to the organization’s infrastructure.
In addition to the technical experts required to establish the necessary protections and protocols, an essential aspect of preparedness is comprehensive training of employees on how to comply with security protocols. For the period of telecommuting, we advise taking organization-wide steps, such as refreshing protocols on remote access for all employees, emphasizing rules like the prohibition on saving potentially sensitive data to personal and unsecured computers, sending warnings about email messages that may include malicious software, actively shutting down remote access upon the completion of work, insisting on the use of complex passwords and changing them often, and preferring connections to known and secure Wi-Fi networks.