Remote and hybrid work arrangements are becoming increasingly common across industries, and service providers are more frequently allowing personnel to perform services from remote locations. While these arrangements can, in certain cases, offer operational benefits, they also introduce security, compliance, and oversight risks that must be accounted for. Accordingly, organizations engaging service providers with remote workforces should consider contractual requirements to address these concerns. When drafting and implementing these requirements, customers should consider the following issues.
Confidentiality Considerations: Remote Work vs. Work from Home
When service provider personnel perform services outside a traditional service environment, careful planning and implementation of safeguards are required to protect customer information. Personnel should be required to work from an area that is private and secure, where conversations cannot be overheard and screens, documents, and other information cannot be seen by unauthorized individuals.
Accordingly, it is important to clearly define the expectations and controls of the remote work arrangement. Service providers must distinguish between “work from home” and “fully remote work.” “Work from home” typically permits personnel to work from a fixed, pre-approved residence, whereas “fully remote work” generally allows personnel to perform services from a broader range of locations. As part of the agreement, the parties should identify which arrangements are permitted and the conditions required for each. If fully remote work is allowed, the agreement should specify which locations are authorized or prohibited, such as home offices, coworking spaces, hotels, or public coffee shops. Generally, given the sensitivity of the services being provided, it is common for customers to prohibit work from certain public or shared environments.
In addition to defining acceptable remote work locations, the agreement should establish clear responsibilities for work arrangements and should address
- the implementation of appropriate administrative, physical, and technical safeguards to protect confidential customer information and reduce security and operational risks;
- ·ongoing monitoring, auditing, and oversight of the remote work environment to identify and remediate any compliance or security issues;
- responsibilities for supervising remote personnel and ensuring compliance with applicable contractual, security, and regulatory requirements; and
- procedures for reviewing and updating the remote work arrangements to satisfy customer requirements and security standards.
The Setup: Equipment, Connectivity, and Security
A secure remote work environment requires appropriate equipment, reliable connectivity, and strong security controls. An agreement that allows for remote work should establish clear requirements governing the technology and infrastructure required for personnel to perform services remotely while protecting customer systems and data.
Equipment
As part of the agreement, parties should determine the equipment that provider personnel are allowed or required to use when performing remote services, including whether the devices will be service provider-issued, customer-issued, or personally owned. Customer- or service provider-managed devices typically offer greater visibility and control over security configurations, software updates, and endpoint protection.
If personally owned devices are permitted, the parties must also have a comprehensive Bring Your Own Device (BYOD) policy incorporated into the agreement that establishes minimum security requirements, including the service provider’s or customer’s ability to monitor or remotely wipe customer data if necessary.
Connectivity
Reliable and secure internet connectivity is equally important to maintaining service quality and protecting customer information. The terms of the agreement should define remote work connectivity requirements by establishing clear guidelines for
- minimum internet speed and bandwidth requirements necessary to perform the services;
- responsibility for procuring and paying for internet service, backup connectivity, and related equipment;
- security requirements for home networks, including password protection and firmware updates; and
- restrictions on who may access the network or devices used to provide the services, including household members or other third parties.
Security Controls
Finally, service providers and customers should clearly define the security requirements needed to prevent unauthorized access to personnel’s devices while enabling authorized service provider personnel to access the customer environment. Terms of the agreement should establish
- the approved methods for accessing customer systems, including virtual private networks (VPN), virtual desktop infrastructure (VDI), or other technologies that allow personnel to securely access environments remotely;
- authentication requirements such as multifactor authentication (MFA) and identity verification;
- endpoint security measures, such as encryption, antivirus software, and device monitoring;
- restrictions on local storage, downloading, printing, and using customer data;
- policies regarding recording, screen capture, screen sharing, and the use of collaboration tools; and
- procedures for reporting lost or stolen devices, suspected security incidents, or unauthorized access.
Remote Access and Support
The appropriate policies, equipment, and security controls are essential for remote work arrangements; however, they are only effective if service providers and customers can operationalize remote access and support. The agreement between the parties should clearly define governance, support responsibilities, and explicit escalation procedures to support service continuity and minimize disruption.
The terms of the agreement between a service provider and customer should establish documented processes that address
- anticipated remote access issues, such as authentication failures, connectivity disruptions, and hardware or software malfunctions, along with procedures to remedy the issues in a timely manner;
- designated points of contact for technical, security and operational issues that clearly allocate responsibility between the service provider’s IT team, the customer’s IT team, or shared support functions;
- service desk staffing levels and support availability, and after-hours global support where needed to ensure timely assistance is given to remote personnel;
- incident escalation, communication, and notification procedures that inform the appropriate parties of service disruptions, security incidents, or outages that may impact service delivery;
- business continuity and disaster recovery procedures that are designed to ensure personnel can continue to provide services in the event of potential disruptions; and
- service level expectations and performance metrics to ensure remote work does not diminish service quality, availability, or responsiveness.
How We Can Help
As risks become more complex due to evolving technologies and increasingly distributed workforces, companies must continually evaluate how best to protect themselves against known and emerging risks. Our technology transactions, outsourcing, and commercial contracts team regularly advises clients on complex technology and outsourcing transactions, including arrangements involving remote and hybrid workforces.
Summer associate Stephney L. Tucker contributed to this blog post.