CNIL Releases Guidance on Teleworking
4 Minute Read
On April 1, 2020, the French Data Protection Authority (the “CNIL”) released guidance for employers on how to implement teleworking (the “Guidance”) as well as best practices for their employees in this context (the “Best Practices”).
Guidance for Employers
According to the Guidance, employers must implement the following measures to secure their information systems:
- Ensuring that they have an IT charter or information security policy in place covering teleworking, or, at the very least, a set of minimum rules that must be complied with by each teleworking employee. Such policy or rules should be binding for employees;
- Assessing the risks raised if the rules governing the information systems (e.g., authentication rules) need to be revised to allow teleworking, and implementing appropriate measures to mitigate those risks;
- Ensuring that all employee workstations are equipped with at least a firewall, antivirus protection and a tool blocking access to malicious sites; and
- Implementing a Virtual Private Network (“VPN”) solution to avoid direct exposure of the organization’s services on the Internet. If possible, organizations should enable two-factor authentication for VPN login.
If the organization’s services are delivered on the Internet, the Guidance further recommends the following steps:
- Using protocols that ensure the confidentiality and authentication of the receiving server (such as HTTPS for websites, and SFTP to securely transfer files), and using the most recent versions of those protocols;
- Applying the latest security patches to the equipment and software used (VPN, remote desktop solution, email and videoconference systems, etc.). In this respect, the Guidance invites organizations to regularly consult the newsletters of France's national Computer Emergency Response Team (available only in French) in order to be informed of the latest software vulnerabilities and how to protect against them;
- Implementing two-factor authentication mechanisms on all remotely accessible services to limit intrusion risks;
- Regularly reviewing logs of access to remotely accessible services to detect suspicious behaviors; and
- Not making non-secure server interfaces directly accessible. More generally, employers should limit the number of services available on the Internet to the minimum in order to reduce the risk of attack.
Best Practices for Employees
Best Practices for employees while teleworking include:
- Following the instructions of their employer—in the CNIL’s view, if the employer has issued an information security policy in the context of teleworking, employees should strictly apply it. More generally, employees should not do at home what they are not permitted to do in the workplace.
- Securing their home Wi-Fi network by using state of the art encryption (WPA2 or WPA3 with a long and complex password), turning off the WPS function and deleting the Guest Wi-Fi.
- Using the equipment provided and controlled by their employer as well as the VPN provided by their company. In this respect, employees should connect to the VPN at least once a day to apply updates, and should deactivate it only when using high bandwidth services such as video streaming that do not require passing through the company’s network.
- Sufficiently securing their own device if they do not have a company-owned device. This involves installing a firewall and anti-virus protection, and regularly updating the operating system and software used, including the web browser and extensions, etc.
- Transmitting personal data in a secure way. In particular, employees should refrain from transmitting confidential data through consumer services (storage, file sharing and collaborative editing services) or via consumer email services. If employees have to transmit such data via these services, the data must be encrypted before their transmission, and the encryption keys must be provided via another communication channel (e.g., by telephone or text message). Employees should seek to use end-to-end encrypted communication tools, if their employer does not provide a secure communication tool, as well as videoconference systems that protect the privacy of their users. In this respect, the CNIL recalls that France’s National Cybersecurity Agency has certified Tixeo (first-level security certification) for public administrations, operators of vital importance and companies concerned with their security.
- Finally, employees should be particularly aware of phishing attempts that have increased during the COVID-19 pandemic.
Tags: CNIL, Coronavirus/COVID-19, Data Protection Authority, France, Personal Data, Personal Information, Telecommunications
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code