Technology and WFH scale up with Victoria’s Stage 4 restrictions

By John Gray

What are the technology risks and implications now that most employees need to work from home under Victoria’s Stage 4 restrictions? We look at some of the technology vulnerabilities the working from home model presents.

Working from home is scaling up

Information and communications technologies have been the great enablers of the new model of working from home (WFH) ushered in by the COVID-19 pandemic. Despite the challenges, employee productivity has been maintained due to internet connectivity and remote working solutions like desktop virtualisation, cloud computing and videoconferencing services like Zoom.  

But with Melbourne implementing further Stage 4 business restrictions as of 11.59 pm tonight, under which only a small number of workers in permitted industries will be allowed to leave home, the scale of the white collar migration from the office to the home will significantly increase.  This, in turn, is likely to expose any vulnerabilities that exist in organisations’ IT and communications infrastructure.

What organisations should do about technology risks

We have written extensively on the obligations employers owe to their staff who are working from home. If they have not already done so, employers should implement employee policies regarding the use of office systems from the home environment.

Apart from the compelling commercial reasons – if not an existential imperative – to identify and minimise cyber risk, larger organisations collecting personal information have statutory obligations to protect that information from unauthorised access, disclosure and loss.

Australian Privacy Principle 11 in the Privacy Act 1988 (Cth) (the Act) requires that an organisation take steps to protect personal information that are ‘reasonable… in the circumstances’.  Given the new ‘circumstances’ of the adoption of a large-scale WFH model with all the associated vulnerabilities, organisations need to review their data protection measures to ensure they are in fact still reasonable.

The Act also requires organisations to identify and assess data breaches affecting personal information with a view to notifying affected individuals and the Information Commissioner if the breach is likely to result in serious harm. Now is the time to put in place a notifiable data breach protocol if an organisation has not already done so.

Technology procurement

The pandemic has already created strong demand for new IT solutions to scale up remote working capabilities and to enhance cyber-resilience. The move to Stage 4 restrictions is likely to add urgency to such technology procurement projects.

Customer organisations may have to dispense with formal tendering processes, just as the NSW Government has permitted agencies in that state to do in certain emergency procurement cases. Pilot projects might be conducted without a fully-formed contract in place. Vendors will be in a positon to insist that their own standard contract be used, and there will be fewer opportunities to negotiate the terms.

Inevitably, a truncated procurement timeframe will swing the commercial and legal balance in favour of technology vendors and away from customers. In negotiating technology procurement contracts, customer organisations will have to take a strategic approach that prioritises the greatest issues of legal risk. We consider that a focus on the following areas is most advisable.

Privacy and data protection

First, customer organisations should ensure the terms of their technology procurement contracts properly protect personal information and customer data in the hands of the vendor. An international vendor is unlikely to offer privacy and data protection that matches the requirements of the Act.

In particular, a contractual commitment by a European vendor to comply with the General Data Protection Regulation (GDPR) is usually insufficient. To illustrate, GDPR contractual clauses rarely restrict the export of data from Australia or prohibit direct marketing, and tend to lack adequate commitments with respect to reporting potentially notifiable data breaches.

In addition, customer organisations should look outside the contract to protect their personal information and data. Conducting due diligence on the vendor’s practices and systems, and securing insurance, are both prudent steps to take.

Liability limitations

Secondly, customer organisations should be wary of liability limitations drafted in the style found in the standard contracts of the major United States IT vendors. These frequently exclude liability for ‘economic loss’ and ‘loss of bargain’.

In the Australian common law, ‘loss of bargain’ equates with expectation loss which is the usual basis for a court to award damages for contractual breach. If the vendor’s liability for ‘loss of bargain’ is excluded, a customer organisation may have no right to claim substantial damages to compensate for any loss flowing from the vendor’s breach.  Any exclusion of the vendor’s liability for ‘loss of bargain’ should be removed.

Exclusions of liability for ‘economic loss’ suffered by the customer should also be removed, or at least qualified to refer to ‘consequential economic loss’. Finally, the meaning of the term ‘consequential’ loss in Australian law is relatively fluid. It is therefore advisable to include a definition in the contract.

Choice of law and jurisdiction

Thirdly, an international vendor’s standard contract will typically specify that the contract is governed by foreign law and that the parties agree to submit disputes to a foreign jurisdiction. Where possible, customer organisations should amend the contract to specify local laws and the jurisdiction of local courts. Even specifying the ‘non-exclusive jurisdiction’ of the courts of an Australian state is sufficient.

The takeaways

If your organisation is moving greater numbers of staff to a WFH model, think about:

• implementing new WFH IT policies;
• implementing a notifiable data breaches protocol;
• checking the adequacy of your data protection measures; and
• taking a strategic approach to technology procurement that looks beyond the contract for protection and focuses in the key legal issues in the contractual negotiations.