With the cold and flu season underway and COVID-19 still ever-present, it is a good time to take stock of the potential risks that come with working remotely. Following the lifting of pandemic restrictions allowing offices to open back up, many companies continued to offer work from home or hybrid arrangements. It is important for companies to continue monitoring adherence to the policies and procedures designed to accommodate the new working models.
The most obvious risk associated with such arrangements is related to IT security and the exposure created by unsecured IT environments. Remote employees are particularly vulnerable to inadvertent disclosure of data or cyber attacks when working at home (e.g., on shared family computers and unsecured home networks) or when using public wireless networks (e.g., unsecured networks in coffee shops, airports, and hotels). Employees may also be taking part in confidential meetings from public spaces and inadvertently disclosing confidential information to anyone within earshot.
With more employees taking company documents home to work on, or on the road as they travel, it is becoming increasingly difficult to track the location of records in the event of an investigation, litigation request, document retention/destruction event, or audit. Employees may also be keeping sensitive company information in a non-secure manner, such as leaving documents out openly (i.e., not stored away) in a home office that may be shared with family members, or even sending sensitive company information through personal devices (i.e., not properly encrypted). As companies transitioned to remote work models, government regulators have increased their focus on the use of unofficial channels of communication, particularly in heavily regulated industries, which require companies to honor their recordkeeping and books-and-records obligations. The SEC has recently targeted companies for violating recordkeeping provisions by using off-channel communications on personal devices to discuss business matters.
Open reporting is another risk area affected by remote and hybrid working arrangements. According to consultant Gartner, Inc.’s June 2022 report, the rate of compliance reporting has dropped by 30% from before the pandemic and, overall, remote employees have observed 11% less misconduct than their in-office peers. While Gartner’s report did note that this was partly driven by a large fall in observed misconduct around travel, gifts, and entertainment, it is important to keep in mind that the lack of interaction with colleagues clearly impacted what is arguably the most important compliance mechanism for monitoring adherence to the company’s business conduct principles and ethical standards.
Keeping these risks in mind, it is important for companies to ensure relevant policies, such as protection of corporate assets and data security policies, are updated to reflect the new working environments. Training and communication programs should also be updated to incorporate the new standards. Companies should take this time as an opportunity to reinforce compliance messaging around employee obligations to report misconduct and to remind employees that there is zero tolerance of retaliation for reports made in good faith.