Privacy & Information Security Law Blog

On April 1, 2020, the French Data Protection Authority (the “CNIL”) released guidance for employers on how to implement teleworking (the “Guidance”) as well as best practices for their employees in this context (the “Best Practices”).

Guidance for Employers

According to the Guidance, employers must implement the following measures to secure their information systems:

• Ensuring that they have an IT charter or information security policy in place covering teleworking, or, at the very least, a set of minimum rules that must be complied with by each teleworking employee. Such policy or rules should be binding for employees;
• Assessing the risks raised if the rules governing the information systems (e.g., authentication rules) need to be revised to allow teleworking, and implementing appropriate measures to mitigate those risks;
• Ensuring that all employee workstations are equipped with at least a firewall, antivirus protection and a tool blocking access to malicious sites; and
• Implementing a Virtual Private Network (“VPN”) solution to avoid direct exposure of the organization’s services on the Internet. If possible, organizations should enable two-factor authentication for VPN login.

If the organization’s services are delivered on the Internet, the Guidance further recommends the following steps:

• Using protocols that ensure the confidentiality and authentication of the receiving server (such as HTTPS for websites, and SFTP to securely transfer files), and using the most recent versions of those protocols;
• Applying the latest security patches to the equipment and software used (VPN, remote desktop solution, email and videoconference systems, etc.). In this respect, the Guidance invites organizations to regularly consult the newsletters of France's national Computer Emergency Response Team (available only in French) in order to be informed of the latest software vulnerabilities and how to protect against them;
• Implementing two-factor authentication mechanisms on all remotely accessible services to limit intrusion risks;
• Regularly reviewing logs of access to remotely accessible services to detect suspicious behaviors; and
• Not making non-secure server interfaces directly accessible. More generally, employers should limit the number of services available on the Internet to the minimum in order to reduce the risk of attack.

Best Practices for Employees

Best Practices for employees while teleworking include:

• Following the instructions of their employer—in the CNIL’s view, if the employer has issued an information security policy in the context of teleworking, employees should strictly apply it. More generally, employees should not do at home what they are not permitted to do in the workplace.
• Securing their home Wi-Fi network by using state of the art encryption (WPA2 or WPA3 with a long and complex password), turning off the WPS function and deleting the Guest Wi-Fi.
• Using the equipment provided and controlled by their employer as well as the VPN provided by their company. In this respect, employees should connect to the VPN at least once a day to apply updates, and should deactivate it only when using high bandwidth services such as video streaming that do not require passing through the company’s network.
• Sufficiently securing their own device if they do not have a company-owned device. This involves installing a firewall and anti-virus protection, and regularly updating the operating system and software used, including the web browser and extensions, etc.
• Transmitting personal data in a secure way. In particular, employees should refrain from transmitting confidential data through consumer services (storage, file sharing and collaborative editing services) or via consumer email services. If employees have to transmit such data via these services, the data must be encrypted before their transmission, and the encryption keys must be provided via another communication channel (e.g., by telephone or text message). Employees should seek to use end-to-end encrypted communication tools, if their employer does not provide a secure communication tool, as well as videoconference systems that protect the privacy of their users. In this respect, the CNIL recalls that France’s National Cybersecurity Agency has certified Tixeo (first-level security certification) for public administrations, operators of vital importance and companies concerned with their security.
• Finally, employees should be particularly aware of phishing attempts that have increased during the COVID-19 pandemic.