Client Alert: Remote Work, Data Breaches and Cybersecurity Considerations during COVID-19

March 20, 2020

Ransomware and phishing attacks are on the rise, as are the significant legal and economic considerations that follow. In 2019, a number of municipalities across Canada faced malicious online attacks that effectively shut down city operations unless a ransom was paid.1 A recent Carbon Black survey of 250 Canadian CIOs, CTOs and CISOs found that 88% of businesses had suffered a data breach over the past 12 months, largely due to phishing attacks.2

As businesses adapt to the “new normal” of extreme uncertainty caused by the COVID-19 pandemic, countless employees are faced with the prospect of working remotely in a variety of new (and sometimes less-than-secure) environments. Cybercriminals have taken notice.

Phishing attacks related to COVID-19 began in January and have exploded online since, with some reports pointing to thousands of new sites and scams created every day. For example, regulators in the UK have identified a rise in the registration of webpages relating to coronavirus, which is suspected to be the work of online threat actors looking to exploit the outbreak.3

Perhaps in a bid for self-preservation, a number of hackers have made clear they will not resort to ransomware and other health-related cyberattacks during the pandemic. However, businesses should be wary of these overtures and continue to maintain vigilance across their workforces, especially in light of the recent (and significant) attack on the U.S. Health and Human Services Department earlier in March.4

The minute-to-minute evolution of the pandemic can feel overwhelming and even surreal. However, organizations can consider a number of straightforward best practices when attempting to reduce the risk of phishing and other cyber incidents arising from COVID-19:

1) Implement a clear and consistent process for communicating to employees over the course of the pandemic – to address how the outbreak may impact employees long-term,5 to provide updates on IT and other policy issues, and also to ensure everyone remains connected, even if virtually, during this public health emergency.

2) Specifically, IT teams and resources should keep in touch with remote workers to ensure program updates and patches continue to be installed when available, and to quickly deal with any data incidents taking place outside of the traditional office.

3) Speak to employees frankly about using work technology for work purposes only, and reinforce the need to keep devices secure from their own online activities at home (e.g., limit online shopping or other activities that increase the risk of their clicking fake ads). Employees may also consider having these conversations with other family members/close contacts (e.g., to reduce the possibility of the use of vulnerable remote drives).

4) Continue to reinforce online IT security training while employees are working remotely so they stay abreast of the latest phishing and ransomware scams during the pandemic. Of late, these attacks have involved emails with information claiming to be from government-related health agencies offering pandemic advice or fake workplace correspondence seeking sensitive personal information and/or requesting password verification.

5) Employees should also ensure they are maintaining good cybersecurity practices at home by confirming their Wi-Fi is secure, remembering to constantly save and back up work, and locking their screens when leaving workspaces if in a shared environment.

We are dealing with an unprecedented global event. Cox & Palmer remains available and committed to providing quality advice to all businesses faced with navigating these uncharted waters.

Please contact our legal team regarding any issue affecting your business. We are here to help.

 

Articles referenced in the article above:

1 ‘Definite uptick’: Global wave of ransomware attacks hitting Canadian organizations – CBC, Oct 14, 2019
https://www.cbc.ca/news/technology/more-ransomware-canada-1.5317871

2 CANADA | GLOBAL THREAT REPORT | DEFENDER POWER ON THE RISE – Carbon Black
https://www.carbonblack.com/land/canada-global-threat-report-defender-power-on-the-rise/

3 Coronavirus-themed phishing attacks and hacking campaigns are on the rise – ZD Net, March 16, 2020
https://www.zdnet.com/article/coronavirus-themed-phishing-attacks-and-hacking-campaigns-are-on-the-rise/

4 Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak – Bloomberg, March 16, 2020
https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response

5 COVID-19 – How Employers Can Manage the Workplace in These Uncertain Times – Cox & Palmer, March 18, 2020
https://coxandpalmerlaw.com/publication/covid-19-how-employers-can-manage-the-workplace-in-these-uncertain-times/

Cox & Palmer publications are intended to provide information of a general nature only and not legal advice. The information presented is current to the date of publication and may be subject to change following the publication date.