In response to the COVID-19 crisis, nearly all companies and organizations were abruptly forced to transition portions of, and in many cases, their entire workforce to remote work. After a few weeks, it seems that many companies have adjusted to this “new normal” and settled in, albeit with some lingering technical and connectivity issues. As companies raced to get their employees up and running remotely, it is likely many were primarily focused on connectivity and security, while necessarily ignoring the complex privacy, security, compliance, and document preservation challenges lurking below the surface of the “new norm.”
Companies will begin to realize that transitioning to a remote workforce can lead to unintended consequences that can and should now be addressed. Some of these unintended consequences include:
- Information Technology (“IT”) departments deploying software and systems such as Microsoft Teams, Slack, etc that have not yet been properly tested, including establishing retention periods, back-up procedures, and acceptable use policies.
- “Shadow IT” issues relating to employees using whatever services and products they think will help them do their remote job better, even when those products or services are not vetted by, supported by, or welcomed by corporate IT.
- Informal communications using messaging tools or social media platforms that are either not preserved subject to an active litigation hold notice, or that violate company policy, or frame the company in a negative light.
- Remote employee use of unauthorized external or cloud-based storage for company data.
- Information subject to a litigation hold notice being lost due to the inadequate back-up of laptops and other systems being used off-premises.
- Recycling of laptops, desktops, and mobile devices subject to a litigation hold notice in order to ensure rapid deployment of remote workforce.
- Employees using personal devices to store information and communications that are or could become subject to a litigation hold notice.
- Risking breach of confidential, sensitive, or personally identifying information (“PII”) due to lack of adequate remote security.
- Employees using unauthorized, unsecured, commercial collaboration tools.
- Employees using unsecured endpoints or endpoints with consumer-grade antivirus or antimalware.
- Employees operating off-network such that corporate firewalls for phishing and network intrusion are not engaged.
- Terminated employees subject to a litigation hold notice.