The crisis created by the Coronavirus in corporate circles has put the BCP (business continuity planning) processes of these organizations to the test, and it appears that most companies have not been able to come through with any degree of success.
So far, companies assumed that BCP issues would arise only in the event of a fire or flood; they were unprepared for the situation that has now developed.
Some organizations have resolved the issue by resorting to Work From Home (WFH), which is good enough for certain types of operations. But wherever there is a concern that the WFH arrangement could cause a security compromise, companies are stuck in their own policy constraints.
To meet the current situation, policies had to be tweaked so that the desktops of most employees could be packed up and taken home, allowing any security control tied to the device identity to continue to be used along with the operator identity.
Had homomorphic encryption been tested and installed earlier, perhaps some companies could have used that environment to protect data security while data is processed remotely. Otherwise, virtualized environments are the best approximation.
Some organizations could have hardened their security to prevent exfiltration of data that may be confidential. But as in all such cases, the possibility of shoulder surfing in the home environment always exists, and hence data security is not perfect. In such cases the distributed model of information security responsibility envisaged under the PDPSI (Personal Data Protection Standard of India) could come in handy.
While technology people may be able to find workable solutions, the hurdle in implementation may be the need for policy changes to be approved both internally and by customers, releasing the organization from the indemnity obligations that are likely to be in the contracts.
Internally, there has to be a special “WFH Data Security Policy” that imposes responsibilities on the employee not only for the functional aspects of his/her work but also for data security. A remote audit mechanism* may also have to be designed.
As regards contracts with customers, the government notifications issued for WFH may be treated as the basis on which the Force Majeure clause can be invoked. Under this provision, contractual obligations can be modified to a reasonable extent. It may be better if a “Disaster Policy” document is drawn up as part of the organization's “Legitimate Interest Policy”. But a notice may have to be issued to clients to avoid complications. A notice applicable to data subjects should also be displayed on the website so that any dilution of compliance can be justified as a temporary measure.
Draft policies for some of the above purposes could be prepared by industry leaders for the benefit of all companies.
Naavi
*(One such remote audit program had been structured by the undersigned for HIPAA compliance by home-based medical transcription workers several years ago, when the privacy and security issues were not as grave as they are now.)