Remote Working And Data Protection: A Pandemic Year In Review

Lewis Roca



The Covid-19 pandemic caused a massive shift toward remote working in 2020. Generally, this shift was smoother than expected, with most companies indicating that the transition to working from home had been successful and productivity had remained the same or actually improved during the pandemic. The transition, however, also presented a number of challenges, particularly in the fields of data protection and privacy.

Perhaps the biggest of those challenges was (and continues to be) cybersecurity. In 2020, the FBI's Internet Crime Complaint Center or IC3 received a record number of complaints, up 69% from 2019, with reported losses exceeding $4.1 billion. Ransomware attacks, in particular, grew exponentially during the pandemic, and research suggests remote working significantly increases the risk of a successful ransomware attack.

In addition, many ransomware attacks now present a dual threat, by which the hackers not only seek to lock an organization out of its own systems but also seek to exfiltrate sensitive data. Such attacks can pose risks to a business's valuable intellectual property, customer data or employee data, and, more broadly, they can also pose risks to critical infrastructure and human lives.

What to consider when updating cybersecurity policies

As a result, businesses should continue to assess and update their cybersecurity plans and policies to meet these growing threats. In doing so, they should consider how remote or hybrid work environments may have created gaps or vulnerabilities in those plans or policies.

For instance, many organizations have used cloud-computing platforms or other third-party software providers to facilitate the transition to remote or hybrid working. Unfortunately, this has led to a substantial increase in supply-chain attacks, whereby hackers compromise third-party software or systems in order to infiltrate or attack the third party's customers or affiliates. According to many reports, the largest such attack last year involved IT monitoring and management software offered by SolarWinds and compromised several large corporations and numerous government agencies.

Accordingly, when evaluating cybersecurity plans and policies, businesses should be especially mindful of their supply-chain networks and third-party software vendors. They should also review and determine whether their contracts with those vendors and any related insurance policies adequately cover the associated risks.

New privacy laws and regulations

At the same time, businesses should also consider how remote or hybrid work environments affect data privacy, particularly in light of new privacy laws and regulations. In the U.S., many states have considered privacy legislation during the pandemic, and significant new laws were passed in California (the Consumer Privacy Rights Act or CPRA) and in Virginia (the Consumer Data Protection Act or VCDPA). Similarly, there have been several major developments at the international level, including Brazil's data-protection law (the LGPD) taking effect, China considering significant updates to its privacy laws, and the EU invalidating the EU-U.S. Privacy Shield.

Many of these developments pose particular challenges for businesses with remote or hybrid workforces. Organizations with employees in both the EU and the U.S., for example, can no longer rely on the Privacy Shield to transfer personal data of EU data subjects from the EU to the U.S. In addition, some laws and regulations may entitle consumers to notice or other rights if their personal information is being transmitted to or from remote employees using third-party services. Employees, too, may be entitled to notice or other rights if their employers are monitoring remote-working environments or implementing Covid-19 contact tracing. Existing policies or notifications might be insufficient to cover such situations, many of which simply did not exist before the pandemic.

In sum, the shift to remote working as a result of the Covid-19 pandemic has drastically altered the data-protection and privacy landscape over the past 12 months, and it has given rise to a number of difficult challenges for businesses. Thus far, most businesses have evolved to meet those challenges successfully, but organizations in all industries will need to remain dynamic, as remote or hybrid work appears to be here to stay.

Originally published by The Business Journals.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
