How to Solve Network Security Problems of Enterprise Remote Office?

Common network security problems of enterprise remote work, with suggested responses

Published: 2020-03-06 11:46:28

Author: Ning Xuanfeng, Wu Han, etc.

Source: King & Wood Mallesons Research Institute


China is currently in a critical period of prevention and control of the novel coronavirus, and the whole country is united in fighting the epidemic. To strengthen prevention and control, since the beginning of February the governments of Beijing, Shanghai, Guangzhou, Hangzhou and other major cities have publicly stated or issued notices that enterprises should use information technology for remote collaborative work and working from home [1]. On February 19, the Ministry of Industry and Information Technology issued the Notice on Using New-Generation Information Technology to Support Epidemic Prevention and Control and the Resumption of Work and Production. In view of the serious impact of the epidemic on the resumption of production by small and medium-sized enterprises, the Notice supports the use of cloud computing to promote enterprise migration to the cloud, focusing on telecommuting, home office, video conferencing, online training, collaborative research and development, e-commerce and other online ways of working [2].

Enterprises across the country have responded actively to the appeals of national and local governments. An online survey launched by Southern Metropolis Daily in mid-February found that 47.55% of respondents were working from home or taking classes online [3]. Faced with the huge demand for telecommuting in this special period, remote collaboration platforms have also taken on social responsibility: by the end of January, 17 enterprises had announced that 21 of their remote collaboration products would be opened free of charge to the whole of society or to specific organizations [4].

Whether at the network layer, the system layer or the level of business data, telecommuting implemented through information technology faces a more complex network security environment. In order to resume work and production safely and effectively and reduce the impact of the epidemic on business operations and development, enterprises should, in light of their actual situation, establish or appropriately adjust their network and information security strategies.

I. Types of telecommuting systems

With the development of the Internet, cloud computing, the Internet of Things and other technologies, all kinds of enterprises, especially Internet companies and professional services firms such as law firms, have been promoting remote collaborative work within the enterprise, in particular basic functional applications such as teleconferencing and document management. By function, remote office systems can be divided into the following categories: [5]

Integrated collaboration tools, which provide a comprehensive office solution whose features include instant messaging and multi-party conferencing, document collaboration, task management and design management; representative software includes WeCom (Enterprise WeChat), DingTalk and Feishu (Lark).

Instant messaging (IM) and multi-party conferencing tools, which allow two or more people to exchange text, documents, voice and video over the Internet in real time; representative software includes Webex, Zoom, Slack and Skype.

Document collaboration tools, which provide cloud storage of documents and online sharing, editing or review for several people at once; representative software includes Tencent Docs, Kingsoft (WPS) Docs and Yinxiang Biji (the Chinese edition of Evernote).

Task management tools, which implement enterprise office automation (OA) functions such as task workflows, attendance management, personnel management, project management and contract management; representative software includes Trello, Tower and others.

Design management tools, which support systematic design and R&D management activities according to user requirements, such as management of materials, tools and galleries; representative software includes Chuangkit and Canva.

II. The party responsible for network security under different modes of telecommuting

The main object of regulation of the Cybersecurity Law of the People's Republic of China (the "Cybersecurity Law") is the network operator, i.e., the owner or manager of a network and the network service provider. Network operators bear responsibility for network operation security and network information security under the Cybersecurity Law and its supporting regulations.

For telecommuting systems, the party responsible for network security (i.e., the network operator) varies greatly with the way the system is operated. By operating mode, enterprise telecommuting systems can be roughly divided into three categories: self-owned systems, cloud office systems and comprehensive (hybrid) systems. Enterprises should clearly distinguish the boundary of responsibility between themselves and the platform operator in order to judge what network security measures they themselves must take.

(1) Self-owned system

In this mode the telecommuting system is deployed on the enterprise's own servers and is developed in-house, outsourced, or built on a third-party enterprise-grade software architecture. Development cost is relatively high, but because no data flows to third-party servers the security risk is lower (self-hosting shifts rather than removes risk: the enterprise itself must now patch, monitor and harden the remote-access entry points it exposes to employees). Typical users are state-owned enterprises, organizations in important industries such as banking, and large enterprises with strong financial capacity and high requirements for security and privacy.

Whether or not the system was developed in-house, since the architecture is built and managed by the enterprise alone, the enterprise is the network operator of the office system and bears the corresponding network security responsibility.

(2) Cloud Office System

This type of office system is usually a SaaS system or an app: the platform operator provides a registered remote collaboration platform or app service directly to the enterprise, on servers under the operator's control, for use by both the enterprise user and individual (employee) users. Construction cost is relatively low, but such a system can often only meet one specific type of enterprise need, the enterprise usually has no ability to develop or modify the system, and enterprise data is stored on third-party servers. Typical users are relatively flexible SMEs.

Because the network, database and application servers of a cloud office system (SaaS or app) are operated and managed by the platform operator, the operator of the cloud office system is the network operator and is usually responsible for the network operation security and information security of the SaaS or app.

In practice, the platform operator will transfer part of its network security obligations to enterprise users by contract, through user agreements and other legal texts, for example by requiring enterprise users to strictly abide by account usage rules and to be responsible for the content that they and their employees upload to the platform.

(3) Comprehensive (hybrid) system

This type of system is deployed on both the enterprise's own servers and third-party servers, integrating a self-owned system with cloud office services; the operation of the system is not completely controlled by the enterprise. It is mostly used by multinational enterprises that need local servers in multiple locations.

The provider of the cloud office system and the enterprise itself may both be network operators. Each should take the network system it operates and manages as the boundary and assume the corresponding network security responsibility for that network.

To clarify the boundary of responsibility with the platform operator, an enterprise should first identify which "networks" it owns or manages alone. In a telecommuting scenario the enterprise should consider a combination of factors, including but not limited to the following:

Whether the servers, terminals, and network equipment of the office system are owned or managed by the enterprise and its employees;

Whether the enterprise has the highest level of administrator privileges over the office system used by the enterprise;

Whether the data generated in the course of the operation of the office system is stored in the server owned or managed by the enterprise;

Whether there is a clear agreement between the enterprise and the platform operator on the rights and interests in, and management rights over, the office system or the relevant data.

Of course, given the complexity and diversity of system construction, it is possible that in a comprehensive (hybrid) remote collaboration system the platform operator and the enterprise jointly manage the same network system, in which case both parties bear security responsibility as network operators of that network. Enterprises should nevertheless fix each party's management responsibilities for the network system, and the ownership of the system, as far as possible through contractual agreement. Therefore, where a remote collaboration service platform is jointly managed and operated, the enterprise and the platform operator should specify in the user agreement the system modules managed and operated by each party, each party's network security responsibility for the modules under its management, and the ownership of the platform.

III. Network security issues involved in remote work and suggested responses

Below we review several recent network security hot spots related to remote work, give a brief risk assessment of the network security issues involved, and put forward preliminary response suggestions for enterprises.

1. A surge in user traffic caused telecommuting platforms to "crash briefly". Does the platform operator need to assume responsibility for network operation security?

Incident review:

On February 3, 2020, the first working day after the Chinese New Year holiday, most companies asked their employees to work from home. Although the platform operators of the various telecommuting systems had prepared contingency plans in advance, the huge volume of concurrent requests still exceeded their expectations, and many kinds of online office software suffered brief faults such as delayed message delivery, video stuttering, system lag, and crashes [6]. After the failures the platform operators quickly took measures such as traffic limiting and server capacity expansion to improve capacity and stability, and the failures themselves diverted some users to other platforms. Although all the telecommuting platforms resumed normal operation within a relatively short time, they were still criticized by many users.

Risk assessment:

According to Article 22 of the Cybersecurity Law, network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not install malicious programs; when they discover security defects, vulnerabilities or other risks in their products and services, they shall immediately take remedial measures, inform users in a timely manner in accordance with the regulations, and report to the relevant competent authorities. Providers shall provide continuous security maintenance for their products and services and shall not terminate security maintenance within the period prescribed by regulation or agreed by the parties.

The operator of a telecommuting platform, as operator of the platform and the related network, is responsible for the operational security of the network. Whether the platform operator bears legal liability or liability for breach of contract for a short system failure must be judged comprehensively in light of the cause of the failure, the harm it caused, and the allocation of responsibility in the user agreement.

For the above incident, based on information available from public channels, although several cloud office platforms had response failures that inconvenienced users' remote work, the platforms themselves did not show obvious security defects, vulnerabilities or other risks, and there was no substantive harmful result such as leakage of network data, so the platforms are unlikely to be held legally liable under cybersecurity law.

Response suggestions:

During the special period of the epidemic the mainstream telecommuting products were all opened for free, so each platform gained a large number of new customers. For platform operators, good contingency plans and a better user experience will help retain these new users after the epidemic is over.

To further reduce platform operators' risk and improve the user experience, we suggest that platform operators:

Treat a surge in user traffic as an emergency event for the platform and formulate a corresponding contingency plan, for example specifying the triggering conditions of a traffic surge event, the conditions for server expansion, and the deployment of temporary standby servers;

Monitor user traffic in real time and deploy temporary standby servers and other platform resources in a timely manner;

Establish a user notification mechanism and templates to inform users of the cause of system response delays and the expected recovery time;

In the user agreement or other legal texts signed with customers, try to clarify the allocation of responsibility for such system delays or crashes.

2. Epidemic-themed phishing attacks are frequent. How can enterprises mitigate the risk of external cyber attacks in a remote office environment?

Incident review:

During the outbreak, a cybersecurity company found that some overseas hacker groups were using coronavirus-themed emails for malware delivery, phishing and fraud. For example, attackers disguised themselves as authoritative bodies (such as the National Health Commission) and launched phishing attacks using information related to "epidemic prevention and control" as bait. These phishing emails impersonate credible sources, and their content is closely tied to hot events of public concern, which makes them very deceptive. Once a user clicks, the host may be taken over and important information and systems stolen or damaged [7].

Risk Assessment:

Under Articles 21 and 25 of the Cybersecurity Law, network operators shall, in accordance with the requirements of the multi-level protection scheme for network security, fulfil the following security protection obligations to protect the network from interference, damage or unauthorized access and to prevent network data from being leaked, stolen or tampered with: (1) formulate internal security management systems and operating procedures, designate the person in charge of network security, and implement responsibility for network security protection; (2) take technical measures to prevent computer viruses, network attacks, network intrusions and other acts that endanger network security; (3) take technical measures to monitor and record network operating status and network security events, and retain the relevant network logs for not less than six months as required; (4) take measures such as data classification, and backup and encryption of important data; (5) other obligations stipulated by laws and administrative regulations. Network operators shall also formulate contingency plans for network security incidents and promptly handle security risks such as system vulnerabilities, computer viruses, network attacks and network intrusions; when an incident endangering network security occurs, they shall immediately activate the contingency plan, take corresponding remedial measures, and report to the relevant competent authorities as required.

Telecommuting means that the corporate intranet must answer access requests coming from employees' mobile terminals on external networks. Employees sit in different network security environments, and both the access network and the mobile terminal itself are more likely to become targets of attack. On the one hand, untrusted networks such as public Wi-Fi and hotspots may serve as employees' access points; these networks may have no security protection and contain many common vulnerabilities that are easy to exploit, so they can readily become a staging point for criminal organizations to break into the corporate intranet. On the other hand, some employees' mobile devices may have malicious apps or network plug-ins installed, and employees may inadvertently click on disguised phishing or ransom emails, seriously threatening the security of the enterprise's internal network.

In the case of computer viruses or external network attacks, although the attacked enterprise is itself a victim, if it failed to take the necessary technical precautions and prepare contingency plans in advance as required by the Cybersecurity Law and related laws, and network data is consequently leaked, stolen or tampered with, causing losses to the enterprise's users, it is likely that the enterprise will still bear the corresponding legal liability.

Response suggestions:

To comply with the network security obligations of the Cybersecurity Law and related laws, we suggest that enterprises review and enhance the security of their office networks at three levels: the network security incident management mechanism, the security of mobile terminal devices, and the security of data transmission:

(1) Enterprises should establish a network security incident management mechanism suited to the network or platform they operate

Develop an appropriate network security incident management mechanism based on the actual situation of the network or platform operated and the overall security awareness of employees, including but not limited to:

Develop a contingency plan for cybersecurity incidents including data leakage;

Establish an organizational structure and technological measures for responding to cybersecurity incidents;

Monitor the latest phishing websites and ransom email campaigns in real time;

Establish an effective notification mechanism reaching all employees, including but not limited to email, WeCom and other channels;

Develop an information security training program appropriate to the employee's situation;

Set up appropriate rewards and penalties, and require employees to strictly comply with the company's information security policy.
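The impersonation pattern in the incident review above (a display name claiming an authoritative body while the message actually comes from an unrelated domain, carrying an epidemic-themed lure) can be screened automatically before it reaches an employee's inbox. The following is an added example and not code from the original article: it assumes a hypothetical allowlist of domains that the enterprise has verified for the organizations it trusts, and the two sample messages are constructed inline. It checks the display name against the sender domain, a Reply-To that diverts replies elsewhere, the SPF/DKIM results recorded by the receiving mail gateway in the Authentication-Results header, risky attachment types, and links whose host does not belong to the sender's domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allowlist (assumption): organizations employees trust, and the
# sending domains the enterprise has verified for each of them.
TRUSTED_ORG_DOMAINS = {
    "national health commission": {"nhc.gov.cn"},
    "it helpdesk": {"example-corp.com"},
}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip")


def assess_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name claims a trusted organization, but the domain is not one of its verified domains.
    for org, domains in TRUSTED_ORG_DOMAINS.items():
        if org in display.lower() and from_domain not in domains:
            findings.append(f"display name '{display}' claims {org} but sender domain is {from_domain}")

    # 2. Reply-To silently diverts answers to a different domain (common in fraud/BEC lures).
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 3. SPF/DKIM verdicts as stamped by the receiving gateway; anything but 'pass' is suspicious.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdict_ = m.group(1).lower() if m else "absent"
        if verdict_ != "pass":
            findings.append(f"{mech} did not pass ({verdict_})")

    # 4. Attachments with executable or macro-bearing extensions.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")

    # 5. Links pointing outside the sender's own domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for host in re.findall(r"https?://([\w.-]+)", text):
        if not host.lower().endswith(from_domain):
            findings.append(f"link to {host} does not match sender domain {from_domain}")

    return findings


def verdict(raw):
    """Map findings to a gateway action: quarantine, hold for analyst review, or deliver."""
    findings = assess_message(raw)
    if len(findings) >= 2:
        return "quarantine", findings
    if findings:
        return "review", findings
    return "deliver", findings


# Constructed sample messages (not real mail).
PHISH = """From: "National Health Commission" <notice@nhc-alert-update.com>
Reply-To: <reply@mail-collect.xyz>
To: staff@example-corp.com
Subject: Urgent: epidemic prevention and control notice
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=nhc-alert-update.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Please review the updated prevention and control measures at http://nhc-alert-update.com/notice
"""

LEGIT = """From: "IT Helpdesk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: VPN client update
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
Content-Type: text/plain; charset="utf-8"

Download the updated client from https://vpn.example-corp.com/client
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        action, why = verdict(raw)
        print(label, action, why)
```

The Authentication-Results header is only trustworthy when it was added by the enterprise's own gateway; a real deployment strips any copy of that header arriving from outside before stamping its own, otherwise an attacker can simply forge `spf=pass`.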

(2) Enterprises should take the following measures to further safeguard the security of mobile terminal devices, according to their existing information assets:

Develop different security management programmes for mobile terminal devices according to employees' privilege levels; for example, senior management or personnel with higher database privileges may only use company-configured, office-only mobile devices;

Develop a management system for office mobile devices, with clear management requirements for employees who use their own devices for work;

Regularly update office-only mobile devices and scan their systems for vulnerabilities;

Enforce identity and access authentication for terminal devices and deploy security protection on the terminals themselves;

Focus monitoring on remote access portals and adopt a more proactive security analysis strategy; when a suspected attack or virus is detected, take preventive measures promptly and contact the enterprise's information security team without delay;

Provide employees with specialized training on the information security risks of mobile office.

(3) To safeguard the security of data transmission, enterprises can take security measures including but not limited to the following:

Use HTTPS and other encrypted transmission methods. Whether data is exchanged between mobile terminals and the intranet or between mobile terminals, the communication link should be encrypted with HTTPS or similar, with certificate validation enforced on the client, to prevent data leakage in transit (encryption without verifying the server's certificate does not stop an attacker on untrusted Wi-Fi from interposing).

Deploy a virtual private network (VPN) so that employees connect to the intranet through it. Note that in China VPN services (especially cross-border VPNs) are regulated by the telecom authorities, and only companies holding VPN service qualifications may provide VPN services. When foreign trade enterprises and multinationals need cross-border networking through dedicated lines or other means for their own office use, they should lease it from basic carriers that hold the corresponding telecom business licences.

3. An internal employee entered the company's intranet through a VPN and destroyed the database. How should enterprises guard against "insiders" and safeguard data security?

Incident review:

On the evening of February 23, the SaaS business services of Weimob Group (微盟, a service provider in the WeChat ecosystem) suffered a sudden failure: the system collapsed and the production environment and data were seriously damaged, leaving millions of merchants unable to do business and causing significant losses. According to the statement Weimob issued at noon on the 25th, the incident was man-made: He Mou, a core operation and maintenance employee in the O&M department of Weimob's R&D centre, logged into the company's intranet jump host through his personal VPN at 18:56 on the evening of February 23 and maliciously damaged Weimob's online production environment for personal mental and life reasons. He has been criminally detained by the Shanghai Baoshan District Public Security Bureau and has admitted the offence [8]. Because of the serious damage to the database, Weimob was unable to provide e-commerce support to its partner merchants for a long period, which is bound to cause them direct economic losses. As a Hong Kong-listed company, Weimob's share price also fell sharply after the incident.

From Weimob's announcement it can be seen that one of the conditions that made the database deletion possible was that "the employee, as a core member of the O&M department, logged into the company's intranet jump host through his personal VPN and had the privilege to delete databases". A single remotely reachable account holding unchecked destructive privilege over production is exactly the combination that least-privilege and separation-of-duties controls exist to prevent. This incident deserves reflection both by SaaS providers and by ordinary enterprise users.

Risk assessment:

As set out in the risk assessment of issue 2 above, Articles 21 and 25 of the Cybersecurity Law require network operators, under the multi-level protection scheme, to protect the network from interference, damage or unauthorized access and to prevent network data from being leaked, stolen or tampered with, in particular by: (1) formulating internal security management systems and operating procedures and designating a person in charge of network security; (2) taking technical measures against viruses, attacks and intrusions; (3) monitoring and recording network operating status and security events and retaining the relevant logs for not less than six months; (4) classifying data and backing up and encrypting important data; and (5) fulfilling other obligations stipulated by laws and administrative regulations. Network operators must also formulate contingency plans for network security incidents, promptly handle vulnerabilities and other security risks, and, when an incident endangering network security occurs, immediately activate the contingency plan, take remedial measures, and report to the relevant competent authorities as required.

Leakage by internal employees has always been one of the main causes of corporate data leakage incidents, and is also a typical pattern of the current "crime of infringing citizens' personal information". In a telecommuting environment, companies need to give most of their employees access to the intranet and related databases, which further increases the risk of data leakage or even destruction.

Unlike the "brief crash" caused by the surge in user traffic, the Weimob database deletion incident may be directly related to the enterprise's internal information security management. If partner merchants on the platform suffered direct economic losses, we cannot rule out that the platform operator may need to assume legal responsibility for network security.

Response suggestions:

To effectively prevent employees from maliciously destroying or leaking company data, and to safeguard enterprise data security, we suggest that enterprises take the following precautions:

Develop a management system for telecommuting or mobile office that distinguishes between office-only mobile devices and employees' own devices and manages them by category, including but not limited to strict management of the read/write privileges of office-only devices and of the system privileges of employee-owned devices, and especially of enterprise database management privileges;

Establish a hierarchical data management system: for example, set appropriate access and modification privileges according to data sensitivity, and prohibit employees from operating on or processing data in the core database through remote login;

Based on employees' work requirements and the principle of necessity, assess, review and restrict employees' data access and processing privileges, for example by prohibiting employees from downloading data to any employee-owned mobile device;

Establish an emergency management programme for data leakage, including a mechanism for monitoring and reporting security incidents and a response plan for them;

Develop operating specifications for telecommuting, management rules for the use of documents and materials, and rules for installing application software on telecommuting devices;

Set up a team with remote security service capability, responsible for monitoring in real time employees' operations on the core database or sensitive data, and the security of the database itself;

Strengthen employees' education on remote office security awareness.
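The suggestions above to restrict privileges by necessity and to monitor operations on the core database in real time can be combined into one rule that runs over the command log of the jump host that remote (VPN) sessions pass through. The following is an added example and not code from the original article or from Weimob: the log format, the user-to-role mapping and the "approved change ticket" field are all assumptions, and the four log lines are constructed. The rule flags commands that a role is not permitted to run at all, destructive database or filesystem operations that carry no approved change ticket, and bulk operations outside the working-hours change window.

```python
import re
from datetime import datetime, time

# Constructed sample of a jump-host session log (hypothetical format, not a real product's log).
AUDIT_LOG = """\
2020-02-23T18:56:02 user=ops_b src=10.8.0.5 via=vpn ticket=- cmd="mysql -h db-prod -e 'DROP DATABASE shop'"
2020-02-24T10:15:40 user=ops_a src=10.8.0.7 via=vpn ticket=CHG-1042 cmd="mysql -h db-prod -e 'SELECT count(*) FROM orders'"
2020-02-24T11:02:11 user=dev_c src=10.8.0.9 via=vpn ticket=- cmd="rm -rf /data/mysql/shop"
2020-02-24T03:20:00 user=ops_a src=10.8.0.7 via=vpn ticket=- cmd="mysqldump -h db-prod shop"
"""

LINE = re.compile(
    r'(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) via=(?P<via>\S+) '
    r'ticket=(?P<ticket>\S+) cmd="(?P<cmd>.*)"'
)

# Hypothetical role model (assumption): which tools each role may run through the jump host.
ROLE_OF = {"ops_a": "dba", "ops_b": "dba", "dev_c": "developer"}
ALLOWED_TOOLS = {"dba": {"mysql", "mysqldump"}, "developer": {"mysql"}}

# Statements and commands that can destroy data; these need an approved change ticket.
DESTRUCTIVE = re.compile(r"\b(DROP|TRUNCATE|DELETE\s+FROM)\b|\brm\s+-rf\b", re.IGNORECASE)
WORK_HOURS = (time(9, 0), time(19, 0))  # change window in which routine operations are expected


def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def evaluate(event):
    """Return (severity, reasons) for one parsed event; severity is None when nothing is wrong."""
    reasons = []
    role = ROLE_OF.get(event["user"], "unknown")
    tool = event["cmd"].split()[0]
    if tool not in ALLOWED_TOOLS.get(role, set()):
        reasons.append(f"tool '{tool}' not permitted for role {role}")

    destructive = bool(DESTRUCTIVE.search(event["cmd"]))
    unticketed = event["ticket"] == "-"
    if destructive:
        reasons.append("destructive operation")
        if unticketed:
            reasons.append("no approved change ticket")

    when = datetime.fromisoformat(event["ts"]).time()
    if not (WORK_HOURS[0] <= when <= WORK_HOURS[1]):
        reasons.append(f"outside change window at {when.strftime('%H:%M')}")

    if not reasons:
        return None, []
    # Destructive and unapproved: the jump host should refuse the command, not merely log it.
    severity = "block" if destructive and unticketed else "alert"
    return severity, reasons


def scan(log):
    """Run the rule over every line of a log and return the events that need attention."""
    hits = []
    for line in log.splitlines():
        event = parse(line)
        if not event:
            continue
        severity, reasons = evaluate(event)
        if severity:
            hits.append({"user": event["user"], "ts": event["ts"],
                         "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(AUDIT_LOG):
        print(hit["severity"].upper(), hit["ts"], hit["user"], "; ".join(hit["reasons"]))
```

Of the four constructed lines, the DROP DATABASE and rm -rf commands are blocked because they are destructive and carry no ticket, the 03:20 mysqldump is raised as an alert because a bulk export outside the change window is a plausible exfiltration step, and the ticketed SELECT passes. In practice the "block" outcome belongs in the jump host or database proxy itself (a command filter or a role that simply lacks DROP privilege), with the monitoring team receiving the alerts; detection after the fact would not have prevented the damage in the incident reviewed above.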

4. During the epidemic, in the public interest, enterprises collect employees' epidemic-related information online through their systems. Do they need to obtain employees' authorization? How should the collected employee health information be handled after the epidemic ends?

Scenario example:

During the telecommuting period, to strengthen labour management, ensure health and safety in the company's offices, and formulate epidemic prevention and control measures, companies continuously collect from employees all kinds of epidemic-related information, including the health status of the individual and family members, the areas where they have recently been, their current address, and the flights or trains they have travelled on. Collection methods include email, reports in the OA system, questionnaires and so on. Enterprises keep statistics on and monitor the information collected and, when necessary, report the overall situation of their employees to the regulatory authorities. If any suspected case is found, the enterprise also reports it promptly to the relevant disease prevention and control organization or medical institution.

Risk assessment:

On January 20, 2020, the National Health Commission included pneumonia caused by novel coronavirus infection among the Category B infectious diseases under the Law of the People's Republic of China on the Prevention and Control of Infectious Diseases, while applying the prevention and control measures for Category A infectious diseases. Article 31 of that Law stipulates that any unit or individual who discovers a patient with an infectious disease, or a suspected patient, shall promptly report to a nearby disease prevention and control organization or medical institution.

On February 9, the Office of the Central Cyberspace Affairs Commission (the Cyberspace Administration of China) issued the Notice on Doing a Good Job of Personal Information Protection and Using Big Data to Support Joint Prevention and Control (the "Notice"). Under the Notice, all local departments should attach great importance to the protection of personal information. Apart from institutions authorized by the health department of the State Council under the Cybersecurity Law of the People's Republic of China, the Law of the People's Republic of China on the Prevention and Control of Infectious Diseases and the Regulations on Emergency Response to Public Health Emergencies, no other unit or individual may collect or use personal information without the consent of the data subject on the grounds of epidemic prevention and control or disease control. Where laws and administrative regulations provide otherwise, those provisions apply.

Local governments have also issued normative documents for epidemic prevention and control. Taking Beijing as an example, according to the "Decision of the Standing Committee of the Beijing Municipal People's Congress on Preventing and Controlling the Novel Coronavirus Pneumonia Epidemic in Accordance with the Law and Resolutely Winning the Battle to Block the Epidemic," organs, enterprises, institutions, social groups and other organizations within the municipal administrative area shall carry out epidemic prevention and control in their own units in accordance with the law: establish and improve the responsibility system and management system for prevention and control work, provide the necessary protective articles and facilities, strengthen health monitoring of the unit's personnel, urge personnel returning to Beijing from areas severely affected by the epidemic to undergo medical observation or home observation in accordance with the relevant government provisions, report any abnormalities in a timely manner as required and take the corresponding prevention and control measures, and actively organize personnel to participate in epidemic prevention and control as required by the people's government of the area.

Based on the Notice and the provisions of the above laws, regulations and normative documents, we understand that during the epidemic, if an enterprise has obtained authorization from the health department of the State Council on the basis of the Law of the People's Republic of China on the Prevention and Control of Infectious Diseases and the Regulations on Emergency Response to Public Health Emergencies, it may collect epidemic-related health information of its personnel within the scope of that authorization without obtaining the employees' authorized consent. If this exception does not apply, the enterprise should still obtain the individual's authorized consent before collection in accordance with the Cybersecurity Law.

The Notice clearly stipulates that personal information collected for epidemic prevention and control and for disease control and prevention shall not be used for other purposes. No organization or individual shall disclose personal information such as name, age, ID number, telephone number or home address without the consent of the person from whom it was collected, except where joint prevention and control work requires it and the information has been desensitized. Organizations that collect or hold personal information are responsible for its security and protection, and shall take strict management and technical protection measures to prevent theft and leakage. For details, refer to our recent article "Interpretation of the Central Internet Information Office's <Notice on Doing a Good Job of Personal Information Protection and Using Big Data to Support Joint Prevention and Control of the Epidemic>".

Response suggestions:

During the remote period, if the enterprise wishes to collect personal information related to the epidemic of the employee through the telecommuting system, we suggest that enterprises should:

Develop a privacy statement or a user authorization notice;

Follow the principle of minimum necessity to develop a strategy for information collection, including the type, frequency, and granularity of information to be collected;

Follow the principle of purpose limitation to differentiate and manage personal information collected in relation to epidemic prevention and control, and to avoid fusing it with information about employees that has been previously collected by the enterprise;

Desensitize employee information when displaying the overall health of the enterprise or disclosing suspected cases;

Develop an information deletion management mechanism to delete relevant employee information in a timely manner after meeting the purpose of prevention and control;

Develop a targeted information management and protection mechanism, treating epidemic-related personal information collected from employees as sensitive personal information, and strictly control access rights to it to prevent data leakage.
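As an added illustration of the desensitization, aggregate-reporting and deletion measures above (example code, not from the article; the employee records, masking rules and retention period are constructed assumptions):

```python
"""Added example: handling epidemic-related employee records under the
minimum-necessity, desensitized-disclosure and purpose-bound deletion measures."""
from datetime import date, timedelta

# Constructed sample records; the field set follows the collection scenario in the text.
RECORDS = [
    {"name": "Zhang San", "phone": "13800001111", "id_number": "110101199001011234",
     "home_address": "Chaoyang District, Beijing", "recent_area": "Beijing",
     "health_status": "normal", "travel_numbers": ["G123"], "collected": date(2020, 2, 10)},
    {"name": "Li Si", "phone": "13900002222", "id_number": "310101198505052345",
     "home_address": "Pudong New Area, Shanghai", "recent_area": "Shanghai",
     "health_status": "suspected", "travel_numbers": [], "collected": date(2020, 2, 12)},
    {"name": "Wang Wu", "phone": "13700003333", "id_number": "440101199203033456",
     "home_address": "Tianhe District, Guangzhou", "recent_area": "Beijing",
     "health_status": "normal", "travel_numbers": ["CA1302"], "collected": date(2020, 2, 20)},
]
TODAY = date(2020, 3, 6)  # assumed reporting date (the article's publication date)

# Fields the Notice lists as directly identifying; never disclosed without desensitization.
DIRECT_IDENTIFIERS = ("name", "phone", "id_number", "home_address")


def desensitize(record):
    """Copy suitable for disclosing a suspected case: identifiers masked, the
    epidemic-relevant fields (health status, recent area, travel) kept."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "collected"}
    out["name"] = record["name"][0] + "*" * (len(record["name"]) - 1)
    out["phone"] = record["phone"][:3] + "****" + record["phone"][-4:]
    out["id_number"] = record["id_number"][:6] + "********" + record["id_number"][-4:]
    out["home_address"] = record["home_address"].split(",")[-1].strip()  # city only
    return out


def overall_status(records):
    """Health-status counts per recent area: the 'overall situation' that goes to the
    regulator, containing no individual's identifiers."""
    summary = {}
    for r in records:
        area = summary.setdefault(r["recent_area"], {})
        area[r["health_status"]] = area.get(r["health_status"], 0) + 1
    return summary


def purge_expired(records, today, retention_days):
    """Deletion mechanism: drop records older than the retention period once the
    prevention purpose is met (the period is an assumption, not a figure the text gives)."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r["collected"] >= cutoff]
```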

5. During telecommuting, the company wants to monitor employees appropriately in order to supervise and manage them effectively. How can it do so legally?

Scenario example:

During the telecommuting period, in order to supervise and manage employees effectively, the enterprise has formulated measures such as regular reporting, signing in and out, and video monitoring of work status according to its own situation, and requires employees to cooperate actively so that the monitoring purpose is achieved. When an employee completes a report or signs in or out through the system, he or she is likely to submit basic personal information such as name, phone number, email address and city repeatedly in order to verify identity.

At the same time, when a remote OA system or app is used, the office system also automatically records the employee's login logs, including data such as IP address, login geographic location, basic user information, and daily communication information. In addition, if an employee uses an office terminal device or remote virtual machine software assigned by the enterprise to carry out work, the terminal device and virtual machine software may be pre-installed with monitoring plug-ins or software, which record the employee's operations on the terminal device, Internet access records, etc. when specific conditions are met.

Risk Assessment:

In the above scenario example, the enterprise collects employees' personal information in two ways: (1) employees provide it on their own initiative and (2) office software collects it automatically or on a trigger. Both constitute the collection of personal information under the Cybersecurity Law. Enterprises should follow the principles of legality, legitimacy, and necessity in accordance with the Cybersecurity Law and related laws and regulations, disclose the rules of collection and use, state the purpose, manner, and scope of collection and use of information, and obtain the consent of employees.

In the case of video surveillance and the use of system monitoring software or plug-ins, if they are not operated properly and lack prior authorization from the employee, they are likely to infringe on the employee's privacy, and companies should pay particular attention to this.

Response:

During telecommuting, it is legitimate for companies to take appropriate monitoring and management measures, especially while employees are still adjusting to the new work mode. We suggest that companies take the following measures to ensure that their management and monitoring practices are legally compliant:

Evaluate whether the company's original employee contracts or authorizations for the collection of employees' personal information cover the monitoring requirements of telecommuting, and, if the authorizations are flawed, design ways to obtain supplemental authorizations based on the company's actual situation, including pop-up authorization notices, email notices, etc.;


Evaluate the necessity of collecting employees' personal information item by item based on the collection scenario. For example, whether there is duplication of information collection, whether it is necessary to monitor work status through video, and whether the frequency of monitoring is appropriate;

Design separate information collection strategies for system monitoring software and plug-ins, and strike a good balance between employee privacy protection and company data security;

Obey the principle of purpose limitation, and do not use collected employee data for purposes other than monitoring without employee authorization.

Fourth, summary

During the outbreak, digital technologies represented by big data, artificial intelligence, cloud computing and the mobile Internet played an important role in prevention and control, and also further promoted the development of telecommuting, online operations and other business models. This is not only the result of the epidemic forcing an acceleration of digital and intelligent transformation, but also represents new productivity and a new direction of development for the future [9]. After this "sudden national telecommuting boom", telecommuting and online operations will become more and more popular, and offline and online offices will be better integrated, which will truly achieve the purpose of improving work efficiency.

Speeding up the digital and intelligent upgrade is also an urgent need for promoting the modernization of the national governance system and governance capacity. The Fourth Plenary Session of the 19th CPC Central Committee made major arrangements for promoting the modernization of the national governance system and governance capacity, emphasizing the need to promote the construction of digital government, strengthen data sharing, and establish and improve the rules for administration and management using the Internet, big data, artificial intelligence and other technological means [10].

In order to accelerate digital and intelligent development smoothly, and in line with the concept of government modernization and governance, enterprises must comprehensively review and improve their existing network security and data compliance strategies so as to be ready for intelligent management in the new era.