If the COVID-19 pandemic caused your enterprise to make a sudden switch from an on-site business model to a diverse, dispersed network of ad-hoc home offices, it’s possible that you may have let cybersecurity and privacy measures slide a bit.
Unfortunately, cybercriminals are constantly trying to slip into any holes you might leave open. Even worse: now that more than two years have passed since COVID-19 arrived, don’t expect regulators to look the other way if you suffer a breach.
The good news is there’s still time to find and fill the compliance gaps that your remote-work environment might have created. By acting now, you can safeguard your sensitive information and that of your customers, clients, and business partners from unauthorized access, while maintaining the certifications and attestations you’ve worked so hard to achieve.
Best of all: modern technologies can do much of the work of protecting your assets and maintaining compliance for you while working from home.
Remote Employees Are Becoming the Norm
Before COVID-19 transformed many companies into tele-work organizations, remote work was already rising worldwide. In the United States alone, the number of people working offsite increased by 159 percent from 2005 to 2017, according to the U.S. Bureau of Labor Statistics. In addition, according to 2018 telecommuting statistics, 4.3 million Americans worked at home full-time, and 18 percent of full-time employees globally were remote workers.
Those numbers increased dramatically as states ordered lockdowns for non-essential businesses to slow the spread of COVID-19. According to a forecast by Gartner, 31 percent of all workers worldwide will be remote in 2022, including 51 percent in the United States.
The benefits to businesses of allowing employees to work from home can be significant: companies can save $11,000 per year per remote worker compared to on-site workers. AT&T reportedly cut real estate costs by $30 million due to remote work initiatives.
That said, remote work brings challenges. “Creating a responsive technology infrastructure to enable effective remote work is complex,” Gartner reports, recommending that enterprises “stress-test your technology infrastructure to determine its capability to support remote work.”
Even if your entity had all the proper controls in place before the pandemic, the speed and scale of changes you’re making now might risk your compliance with significant privacy and security regulations and industry standards. Plus, several security frameworks are changing, too. So how do you manage it all?
Remote Employee Compliance Considerations
Companies gain from remote work in various ways, including access to a larger field of employee potential (regardless of geographical location), decreased employee attrition, and cost savings. On the other hand, working from home may include significant compliance obligations – especially if your organization must adhere to more than one regulatory or industry standard.
Adherence to these obligations is manageable with the right tools. To help, we’ve compiled a list of regulations and frameworks most affected by the new paradigm, with the most up-to-date information entities need now.
Cybersecurity
When a crisis strikes, cybercriminals will exploit it. Malicious actors stepped up their attempts to infiltrate organizations’ systems and networks during the pandemic in several ways, including:
- Sending coronavirus-related phishing emails and text messages with phony links;
- Placing scam phone calls purporting to offer information about the virus;
- Hacking into home wi-fi networks;
- Hacking into tele-working applications.
The international security and enforcement community, including Europol and the U.S. Federal Bureau of Investigation, issued public warnings about emerging and increased threats in the wake of the coronavirus pandemic. Microsoft, too, issued notifications about threat actors’ targeting unpatched flaws in its Windows 10 operating system.
At the same time, the number of vulnerabilities has grown by leaps and bounds as workers move out of firewall-protected on-premises networks to at-home remote connections. The use of cloud services exploded overnight, even while many organizations were struggling with cloud security of information already placed in the cloud.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) requires that organizations and their vendors process credit-card and debit-card payments in a secure manner, and PCI-DSS was enforced as stringently as ever during the pandemic.
The PCI Security Standards Council (PCI SSC) issued guidance for use during the COVID-19 pandemic that emphasizes the importance of maintaining security practices to protect cardholder data. The guidance, taken from an existing PCI SSC information supplement, lists card security best practices to follow at all times, including:
- Security awareness training;
- Added security controls for remote or home working;
- Multi-factor authentication for all remote connections;
- Company-approved or company-issued devices for remote work;
- Limits on applications to those necessary for employment;
- Strong password requirements;
- Virtual Private Network (VPN) use.
One factor that very well may change for some organizations: whether they are able to complete a self-assessment questionnaire (SAQ) to demonstrate compliance with PCI DSS or must undergo a lengthy and expensive on-site audit.
Only Level 1 merchants must meet the most stringent PCI DSS requirements and undergo the full compliance audit. Since compliance levels are determined by the number of payment card transactions processed per year, an increase in remote sales could shift a business upward to a level one merchant.
Reciprocity’s complete guide to PCI compliance explains the framework and its requirements in detail. And Reciprocity ZenComply software-as-a-service can update you in real-time regarding your enterprise’s compliance with PCI DSS.
CCPA
Thirty-five advertising groups requested that enforcement of the California Consumer Privacy Act (CCPA) be delayed because of the COVID-19 pandemic. Tthe California attorney general declined. Pointing out that the law took effect January 1, 2020 – and that businesses should have been compliant at that point – the attorney general declared that law enforcement would proceed on schedule, beginning July 1, 2020.
Often referred to as “GDPR Lite,” the CCPA imposes data-privacy-protection requirements on for-profit enterprises that do business in California or with Californians. Penalties for non-compliance are steep. Plus, the law gives individuals the right to sue for violations or financial harm suffered because of a breach.
For complete details on all aspects of the CCPA, check out our CCPA compliance guide. If you need help with CCPA compliance itself, there’s a tool for that.
GDPR
The European Union’s General Data Protection Regulation (GDPR) sets stringent requirements for protecting European residents’ data. Enforcement is rigorous, and can involve harsh penalties, including crippling fines.
This landmark regulation is especially valuable right now as a tool for measuring the security of your systems and networks as well as the effectiveness of your policies and procedures at guarding information privacy. Start by familiarizing yourself with the GDPR in-depth by consulting our user-friendly and comprehensive GDPR compliance guide.
Questions to ask include:
- Are remote workers using new or different ways to gain access to data than before? If so, extra diligence is required to stay apprised of breaches – not only when they occur, but how. Evaluate your networks’ compliance with the GDPR and identity access management rules to ensure compliance in a remote work environment.
- What controls do you have to assure that personal data gets pseudonymized or encrypted as the law requires before it’s transferred or stored?
- How are you respecting and protecting the privacy of your employees while ensuring they do their jobs as required from offsite locations? The GDPR protects workers as well as customers.
The EU Agency for Cybersecurity has published guidelines for the continued protection of personal data in remote-work situations.
For workers, the agency recommends the following:
- Secure wi-fi connections;
- Update anti-virus system;
- Update security software;
- Back up essential files periodically;
- Use a fast connection to your work environment;
- Ensure that encryption tools are installed.
For employers:
- Inform staff on how to react in case of problems: whom to call, hours of service, and emergency procedures.
- Give suitable priority to the support of remote access policies and solutions. Employers should provide at least authentication and secure session capabilities (encryption).
- Provide virtual solutions such as electronic signatures and virtual approval workflows to ensure continuous functionality.
- Make sure that support staff is available at all times.
- Define a straightforward procedure to follow in case of a security incident.
- Consider restricting access to sensitive systems where it makes sense.
This list is by no means comprehensive. The GDPR is a long and complex regulation, and maintaining compliance can be a challenge even during the best of times.
A sound compliance management system can help you monitor your systems, networks, policies, and procedures while transitioning to remote work. Also, the software will alert you in real-time to compliance gaps and tell you how to fill them. This software can stay on top of any changes, so you don’t have to.
NIST
The U.S. National Institute of Standards and Technology (NIST) issued its response to the coronavirus pandemic with a bulletin created to “help organizations mitigate security risks associated with the enterprise technologies used for teleworking.”
To reduce the risk caused by remote access, NIST recommends tightening security and strictly limiting access to networks and data. Its guidance, derived from NIST SP 800-46, includes the following:
- Assume that external environments contain hostile threats and implement controls accordingly. NIST lists three types of threats, with mitigations:
- Risk 1: Malicious actors will take control of digital devices and try to access data or your network. Mitigations: Limit devices’ storage of sensitive data; encrypt devices or their data; use multi-factor authentication to access your network.
- Risk 2: Eavesdropping, interception, or unauthorized changes in communications. Mitigation: Encrypt these communications and verify devices in their communications to one another using authentication.
- Risk 3: Malware. Mitigation: Use anti-malware solutions; secure your network with access controls; and segment devices on their separate network.
- Incorporate telework, remote access, and BYOD into your security policy requirements. Your policy should stipulate which forms of access your enterprise allows, which devices can be used for remote access, the type of access granted to each remote worker, and procedures for administering and patching remote-access servers. NIST recommends making “risk-based decisions” on the levels of remote access you will grant to various types of devices, perhaps using a tiered approach that allows “the most controlled devices (for example, organization-owned laptops) to have the most access; and the least controlled devices (BYOD mobile devices) to have minimal access.”
- Check your remote-access servers to assure that they will enforce your telework security policies. Malicious actors can use your remote-access servers for several criminal activities. Therefore, NIST recommends that you configure them as a single point of entry to your organization’s network, that they can enforce your tele-work security policy, that you keep them fully patched and up to date, and that only authorized administrators from trusted hosts can manage them.
- Secure the organization-owned computers your remote workers use against common threats, and maintain their security regularly. You should apply not only your normal security baseline controls to remote-work devices, but also enhanced controls as well, such as encryption of any sensitive data they might contain. In addition, your device administrators and users may need your guidance on securing these devices.
NIST sees our era of pandemic, remote work, and increased security threats as a time to be more vigilant than ever. Maintaining compliance, difficult though it may seem, is critical.
For help, check out our NIST audit guide and its comprehensive compliance checklist; or try automated software that makes NIST compliance a snap, in even the most uncertain times.
Maintaining Compliance: Laws and Regulations for Remote Employees
Here are some things you should know about staying in compliance with the rules and regulations that affect remote workers.
Payroll Requirements
Payroll can be complicated for businesses near state borders, have employees travel to working locations in other states, have employees work remotely, or are growing into new forms.
Employees are often taxed on income to the state where the job is conducted (known as the “physical presence” rule). In the case of a remote worker, this is typically the worker’s state of residence – but things get tricky if the employee works from home in one state several days a week, and then works in the office in another state the rest of the week.
To add to the complexity, double taxation applies to remote employees working for companies located in certain states: Arkansas, Connecticut, Delaware, Massachusetts, New York, and Pennsylvania. Since state laws vary and change, be sure to consult with a tax professional on the subject.
Permits
A home occupation permit is required in many municipalities for home-based employees. In addition, certain states, particularly at the municipal level, have extremely stringent permission and licensing procedures. Therefore, you may face problems if you pay payroll taxes in these states but do not have any local-level home occupation licenses.
Interconnected government entities can, and do, send audit letters and notifications of delinquency to businesses. Even if the company is not legally running a business from home, the distinctions are blurred as more work is done remotely and those employees acquire greater independence.
Check the employment laws and zoning rules in your employee’s city or county to discover whether a permit is necessary.
Foreign Qualification
If you have staff working in locations beside the state in which your corporation or limited liability company was established (which is referred to as a “foreign” state), foreign qualification may apply. You may need to “qualify” your corporation or limited liability company in that country depending on your sort of business, what your remote employee is doing, how many remote employees are there, and how long they will be doing that job there.
The process of seeking permission to do business in a territory other than the one in which the corporation or limited liability company was created is known as foreign qualification. For example, you may need to qualify if you have a permanent office in a foreign state or habitually receive orders or execute contracts abroad.
Furthermore, once approved, the corporation or limited liability company will be required to choose and retain a registered agent and file an annual report. A registered agent (either a corporation or an individual) has a physical address in the country who may receive legal papers on your behalf.
Working Arrangements
If you run a global company with remote or hybrid workers outside the United States, you may need to revise existing employment contracts or develop new ones. In addition, as a result of the pandemic, numerous nations have passed new tele-work legislation.
For remote employees, this necessitates thorough documentation. Consider using wording in your offer letters and employment contracts that define new workers’ working arrangements and objectives when you hire new staff.
Tax Nexus
The phrase “tax nexus” refers to a scenario in which a company has a tax presence or is doing business in a state other than its central physical location. Depending on your distant out-of-state employee’s conduct, your firm may become liable to that state’s sales, income, or other tax regulations. It is best to consult with your tax adviser to be sure.
Manage Compliance With ZenComply
As you try to cope with the difficulties of pandemic response, work-at-home accommodations, budgets, and new technologies, regulatory compliance issues may be the farthest from your mind. For regulators, however, it’s more important than ever.
Cybercriminals count on lapse security as they step up their efforts to access systems, networks, data, and install malware. They are most likely to strike while your attention is on other issues at hand. Staying on top of security, privacy, and compliance doesn’t have to be complicated.
Reciprocity ZenComply is a comprehensive compliance management system that can monitor your security, privacy, and compliance posture around the clock. It keeps track of changing regulations and alerts you the instant you fall short in any area.
Insightful reporting and dashboards provide visibility to gaps and high-risk areas. Its color-coded dashboards let you see in real-time where you stand, and user-friendly checklists tell you what you must do to achieve a state of compliance nirvana.
Regulations should be the last thing keeping you awake at night. Worry-free compliance is the ZenComply way. Schedule a demo to see how easy GRC can be.