With the onset of the pandemic last March, many companies shifted rapidly to a remote working environment seemingly overnight. More than a year later, employees are beginning to return to the brick-and-mortar office, with some having already transitioned back. However, last year’s quick switch to remote working for such a large percentage of workers didn’t come without some difficult decisions, in some cases at the expense of best practices in data protection. But survival amid the shutdown would surely justify the means, right?
In the daily course of doing business, companies intake and store consumer, client and employee data, as well as utilize different applications and vendors in connection with that data. As a result, most will have at least a few contracts involving some form of “aaS,” be it SaaS (software), HaaS (hardware), DaaS (data) or XaaS (“anything” as a service). Each contract likely specifies a security undertaking, either flowing to or from the company, even if security is only referenced as a generality, such as “the company agrees to use reasonable measures to provide physical and digital security for the client’s data.”
Most of these contracts were probably agreed upon under the previous brick-and-mortar model, with “everyone” working at the office, accessing computers at the office, storing files at the office, printing documents at the office, and shredding confidential materials at the office. And, all that was done from behind the comfort of the company firewall. Comparatively speaking, the current and evolving remote-working model at many companies is somewhat disordered and random — commonly referred to as an “expanded threat surface” by security experts. With data moving across multiple devices and applications in multiple locations, this increased exposure to potential vulnerabilities can lead the company to be accused of committing fraud.
Broadly speaking, “fraud” is committed when one party misrepresents the facts and the other party acts upon that misrepresentation to their own detriment. In the area of remote-working environments, a problem can arise when representations that a company may have once made about its ability to secure information no longer hold. After all, an employee working from home, printing out confidential client information and leaving it on the kitchen table or the car seat is not “reasonable” security according to any definition.
Business as usual cannot hold when there is nothing usual about the security environment. Rather, companies must currently reassess the state of their system, software, policies and procedures and revise their statements regarding their security posture. And, importantly, a company must only make representations it knows are true regarding its current state of security.
This reassessment is further complicated by fast-evolving privacy legislation. California passed the California Consumer Privacy Act several years ago, and Florida nearly passed similar legislation this year (and is likely to pass next year). Virginia did enact such legislation, and several other states are on the verge of passing similar legislation. Companies operating in Europe are currently grappling with the General Data Protection Regulation. Calls for a federal unified law in the United States have thus far failed to gain any traction.
It’s important to note that reassessment is not only a concern for the IT department. While IT does need to make recommendations to the CEO/COO about how to secure technology, it is incumbent on operations leadership both to make thoughtful decisions about policies and procedures that will permit the business to continue to thrive while being secure, and to actually enforce those policies and procedures going forward. IT and operations must then team with legal to make sure that everything is written down, consistently followed, and compliant with contract and legislation.
Poorly executed contractual terms do not equate to fraud. But if over time the representations no longer reflect reality, then the part of the fraud definition covering statements made without knowledge of their truth or falsity comes into play. Simply stated, no company wants to be accused of committing fraud, and no client wants to unknowingly purchase “Fraud as a Service” from a company rather than the security for which it thought it contracted.