An empty wine glass on the table in the background of a Zoom call. Personal banking data left on a work computer. An email attachment that purports to be an invoice but instead contains ransomware. Inadvertent sharing of an employee’s personal health status.
It’s tough enough for workers to protect their own privacy. But when the lines blur between personal and work lives because the office is in the home, employers have a legal duty to protect it as well.
“I would say data privacy is the number one issue,” said Mandy C. Rosenblum, an attorney who represents employers and employees through her law firm in Bryn Mawr, a Pennsylvania suburb outside Philadelphia.
Risks run the gamut from outside threats — email attachments with information-stealing viruses or ransomware that holds computer data hostage until the owner pays up — to insider actions, such as the sharing or theft of sensitive private information, she said.
Rosenblum has seen cases where hackers used phishing scams to access employee Social Security numbers, addresses or other personal or financial information that was used to steal their identities and file fraudulent tax returns or unemployment claims.
“There are some significant legal risks,” she said. Federal laws like the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as some state laws, say employers have a duty to protect sensitive personal employee information.
“There can be liability on the part of employers who fail to do what is reasonable to protect that information,” she added.
You can’t unsee that
Remote work may result in more intimate glimpses into employees’ private lives, said Peter Cassat, an employment-law attorney who focuses on privacy and data security and a partner at the law firm of Culhane Meadows PLLC.
“Just by virtue of work being closer to where you live … I may observe more of your behaviors than I would ordinarily observe as an employer,” said Cassat, who’s based in Washington, DC. “For example, I may observe behaviors about your family members [that] could have legal implications,” he added.
“[What] if you’re claiming that you are entitled to leave because you are caring for a family member with a serious medical condition. Well, I can see your family member [and] that doesn’t look like a serious medical condition to me,” he said. “Is it appropriate for me to have that data in my mind when I’m making those evaluations? Because I wouldn’t normally see that.”
Or if a manager sees a wine glass on an employee’s desk during a video call, should the employer take action?
“It just seems to present a lot more opportunity for tricky situations,” Cassat noted.
In Cassat’s view, it’s the employer’s responsibility to train managers so they understand how workplace policies should be applied in different contexts.
Another tricky privacy area for the remote workplace is electronic monitoring of employee keystrokes, time on the computer, web browsing and email activity, which remain subject to federal and state privacy laws, Rosenblum said.
“While a lot of employers meet [relevant legal requirements], employees have no idea that they’re being monitored and when they find out, they feel very violated,” she said. “That’s not a good way to have your employees feel about you, especially in a marketplace where employees are hard to come by. It’s not just complying with the law. It’s making sure that you’re communicating with employees.”
Stalking and threats of violence can also be stoked by information gleaned through remote work interactions, Cassat warned.
“This increased glimpse that we often get into each other’s personal lives and home working spaces is likely to fuel the fire of those who would engage in that type of behavior and create new potential security risks,” he said. “I’ve been in that awful situation where you have to decide whether you’re going to have corporate security designated because of a threat that’s been made to [an] executive.”
Imagine what would happen if the harasser could see on a video that the executive was home and “sitting on the back porch,” Cassat said.
Employers respond to the privacy challenge
What have employers been doing that has helped with the range of risks?
“Some employers are no longer letting employees use their own devices,” Rosenblum said. “And they are making sure that all work is done on an employer device and through a [secure] VPN [virtual private network] with two-factor authentication, and that the documents are only able to be saved on a company database.”
Some employers even limit employees’ ability to print out documents, she added.
Employee workshops and communication campaigns also have helped. These range from warning employees not to download sensitive personal information such as bank account, credit card or health-care information to their work computers, to classes about how to avoid hacking or phishing campaigns. Rosenblum suggested taking the education to another level: Send out fake fraud emails to see whether an employee opens an attachment or shares information.
Companies also are limiting access to sensitive databases that may have been open to more employees in the past, she continued. Now, access is on a need-to-know basis.
Cassat recommends data-loss prevention software to prohibit employees from emailing sensitive data such as Social Security numbers or financial account numbers.
There’s one last resource for protecting privacy that companies shouldn’t forget.
“Employers don’t engage their employees enough in problem solving,” Rosenblum said. “A lot of these folks have been doing this work for years and really know how the systems work. They may or may not be experts in data privacy, but by engaging employees to come up with solutions and by listening to them, [employers] could actually do a better job, which not only makes the employee take ownership of it [but also] improves the process.”