Smart working and company data protection compliance during the spread of coronavirus

12 March 2020 | Applicable law: Italy

With the spread of the COVID-19 ("Coronavirus") in Italy and the restrictive measures put in place by the Government to contain the virus, many companies are turning to Smart Working.

Smart Working itself is not a new phenomenon - it allows employees to work effectively outside the usual workplace, whether that be from home or from another central location (coffee shop, members club etc.). However, today, it is becoming increasingly utilised to guarantee business continuity, at least whilst restrictive measures are being imposed in quarantined areas.

There are several considerations to bear in mind when using Smart Working and we have summarised some key aspects here in relation to protecting both your personal data and confidential business information.

As a business, your network allows remote access to personal data, such as the data of your employees and clients, as well as restricted commercial information, trade secrets, contractual conditions for customers, production know how and blueprints. Any unauthorised access or even loss of this data and information could have very serious consequences for your business - not only from a commercial point of view but when potential breaches of the relevant data privacy framework(s) might lead to sanctions and penalties.

The importance of having a policy to allow the use of Smart Working in safe conditions

Regardless of how your employees connect remotely (e.g. connecting to a corporate network on a personal laptop via VPN or connecting to the company network via a corporate device with specific security credentials), the use of remote access tools must be regulated, whatever the circumstances. You should, therefore, ensure you have an internal policy, manuals and procedures for the correct use of the company network, as well as policies governing the use of individual mailboxes and devices assigned to your workforce (phone/tablet/laptop).

These policies help create a greater awareness within the business about protecting personal data and company information and, at the same time, act as a safeguard for your business to protect your information and assets in these unprecedented circumstances.

In addition to the above, it is essential for companies to verify and maintain the technical security measures already in place so that remote access through external devices or networks involves the highest degree of security available (e.g. without limitation, cryptography-protected hard disks, backup systems, firewalls).

Guidance for Smart Workers

Even if you have already adopted a policy on the use of IT tools, it is still useful to ensure that your Smart Working employees consider the following recommendations. It is important that they take the utmost care when it comes to security, the use of company IT tools and access to the network, which implies:

  • Using company devices solely for work purposes, unless personal use outside of working hours has been permitted;
  • Avoiding working in public places where a device could be left unattended and/or potentially stolen;
  • Avoiding – at least during working hours – lending any devices to a third party (e.g. friends, relatives), as they could potentially access the company network;
  • Frequently changing your password and keeping it confidential; and
  • When the device is not in use, ensuring it is left locked with any widgets minimised (lock by using CTRL+ALT+CANC Block – or – Windows+L).

When accessing the network:

  • Do not install/use any software not related to work (e.g. streaming, downloads, music, games), which has not already been installed/approved by the employer or which might infringe any third party’s licence or copyright (the company may already have restrictions in place). This also applies to accessing the company network from a personal device;
  • Avoid any links with other devices as this could risk potential connections between external and corporate networks;
  • Do not include any external source files that are not relevant to your work and do not save any work-related files on the hard drive of your device or corporate laptop/computer. Saving and storage must only take place via the corporate network;
  • Do not use external devices such as USB sticks or connect cards without company approval (unless use has already been blocked); and
  • Do not use Wi-Fi networks in public places without login passwords, unless absolutely necessary.

Employees should also bear in mind that you have the right to carry out checks and controls on the use of work devices in accordance with the relevant employment regulations (in particular the employee code “Statuto dei Lavoratori”) and, if they fail to comply, this could lead to disciplinary sanctions.

As an employer, you are required to provide all the necessary instructions to ensure secure access to its network, both through corporate and personal devices. If not already done so, you should provide a dedicated IT support network for employees.

Keeping employees focused on cybersecurity to protect your network from external attack

It is also recommended that businesses develop their employees’ awareness on how to face potential data breaches in the event of cyber-attacks from external sources (e.g. Trojan, macro malware, ransomware, phishing), which are typically spread through fake emails. For example, employees should pay close attention to:

  • Emails from colleagues or clients asking them to open an unusual link, e.g. an order confirmation or invoice. In these cases, it is recommended to verify the address associated with the user name and check whether the signature at the bottom of the message is genuine as these messages often come from malicious senders who try to steal information or credentials to log on to the system; or
  • Emails containing .doc files which, when opened, ask to install a macro. In this case, you must deny the authorization and, if it has already been done, immediately shut down the system and report the issue.

The current coronavirus crisis has already highlighted how email can be unlawfully exploited. We have already seen a number of businesses subject to cyberattacks, with examples including e-mails circulated containing an attachment titled "CoronaVirusSafetyMeasures.pdf" or e-mails sent by the fake account of Dr. Penelope Marchetti of the WHO.

At this difficult time, everyone must remember the importance of taking a responsible and proactive approach to data protection and cybersecurity. If in doubt, employees should always report suspicious emails to the relevant contact in their company before opening any attachments. Finally, employers should keep a dedicated IT support network open and active for Smart Workers should they require assistance. And remember, think before you click!  

Per leggere la versione in Italiano ….

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.


Related experience

As a full-service law firm, we are able to provide advice and information about a wide range of other issues. Here are some related areas.

Join the club

We have lots more news and information that you'll find informative and useful. Let us know what you're interested in and we'll keep you up to date on the issues that matter to you.