Covid-19 and Telework: Data Protection Considerations – Coronavirus (COVID-19)





Covid-19 and telecommuting: data protection considerations

                    Pour imprimer cet article, tout ce dont vous avez besoin est d’être inscrit ou de vous connecter sur

La pandémie de Covid-19 a incité de nombreuses entreprises à

implement telework solutions. The implementation of this type of
method of working requires that the rules be properly followed to ensure that
The security of information systems and treaties

The French Data Protection Authority
National Commission for Computer Science and
or “CNIL”)
recommendations published to help secure personal data in this

The global health crisis in Covid-19 necessitated the implementation of
strict locking measures and travel restrictions allowing only
travel for essential reasons. Businesses, associations,
administrative authorities or communities that had the opportunity to
to do so had no choice but to implement telework in order to
at the very least preserve the continuation of essential activities
this method of working can allow.

Some were already ready to deal with telework, but certainly
not on such a massive scale and over such a long period of time. Others had
to implement it as a matter of urgency, perhaps even “remotely.” In
because it was not possible to deploy the
telework is even done from a larger basis.
personal equipment (as part of the Bring Your Own
Device Practice (BYOD), whose level of safety cannot be
evaluated, let alone guaranteed. And the use of this equipment makes
it is more difficult to draw a clear line between privacy and
working life.

At the same time, cybercrime has increased since the beginning of the
COVID-19 pandemic that cybercriminals are looking for, as in any
exceptional situation, to make the most of it.

Employers are responsible for the safety of their
company’s personal data, including when stored on terminals
over which they have no physical or legal control, but they have no
have allowed to be used to access the company’s IT

The risks against which precautions are essential
a one-off attack that affects the availability of
The integrity and confidentiality of the data
general compromise of the company’s information system
(intrusion, viruses, Trojans, etc.).

How can these risks be reduced? This article describes the best
practices to be followed in setting up and managing telecommuting.

Securing the information system

Open a company’s information system outside
world can create serious security risks that could jeopardize
even threaten its survival in the event of a cyberattack.
It is therefore essential for each company to secure its
information system by implementing the

  • publish a telecommuting security policy
    or, in the current context, at least a minimum set of rules
    follow-up, and circulate this document to your employees
    in accordance with internal rules and regulations. As regards
    possible, favour for telework purposes the use of means that are
    made available, secured and controlled by the company. When it’s
    are not possible, give clear instructions on the use of the equipment and
    employees, but be aware that their personal equipment
    can never have a verifiable level of security;
  • If necessary, change the direction
    rules of the information system to allow telework (modifying the
    authorisation rules, access to the remote administrator, etc.), measurement
    risks and, if necessary, take the necessary steps.
    In particular, provide external or remote access (Remote Desktop
    Protocol (RDP)) only for essential people and services, and
    strictly filter such access through the firewall. Preserve
    systems for which remote access is not necessary, isolate them,
    especially if they are sensitive to
  • equip all employees’ workstations
    at least one firewall, anti-virus software and a blocking tool
    Access to malicious websites
  • set up as soon as possible a
    Private network (VPN) to avoid direct exposure of services
    Internet, and enable, if possible, two-factor authentication
    Process. In addition to encrypting external connections, this
    also enhances the security of
    access by limiting access to authenticated devices only.

Internet Services

For the Internet, it is recommended to:

  • use protocols that guarantee
    privacy and authentication of the receiver server, for example
    HTTPS for websites and SFTP for file transfers, using the most
    Recent versions of these protocols;
  • apply the latest security patches to
    equipment and software used (VPN, remote desktop solution,
    messaging, video conferencing, etc.), and regularly consult the
    CERT-FR Newsletter1 to find out the latest
    software vulnerabilities and how to protect themselves from them
  • implement two-factor authentication
    mechanisms on remotely accessible services to limit the risk of
  • regularly check access logs to see
    Remotely accessible services to detect suspicious behaviour;
  • refrain from making server unsecured
    interfaces that are directly accessible. In general, limiting the number of
    services made available to the bare minimum to reduce the risk of


1 The National Cyber Security Agency newsletter

To read in French, please click on

Originally published April 29, 2020

The content of this article is intended to provide a
guide to the subject. Expert advice should be sought
about your particular circumstances.


Please enter your comment!
Please enter your name here