Operating a co-working premises: Information security in co-working spaces

Part I of this series details the issues addressed by a legal due diligence in respect of a co-working space.

Part II of this series details the issues addressed by a technical due diligence undertaken on a proposed co-working space to ensure continuous and safe operations.

Part III of this series details the safeguards that a co-working space operator can negotiate to mitigate the adverse effects of the sale of such property to a third party.

Part IV of this series details a few of the owner-rights typically contained in an O&M Agreement.

Part V of this series details the key conditions of the pre and post-take-over phases during setting up of a co-working space, and the corresponding obligations of the parties.

Co-working spaces are designed to foster collaboration among their occupants. While collaboration is a great attribute to have in a team, it does have a flipside in an open-access operating environment – unintended and undesirable leakage of sensitive and confidential information. A significant challenge for co-working space designers is to balance the need for collaboration while prevent undue leakage of sensitive information.

Co-working space designers know that start-ups rely heavily on ground-breaking, norm-twisting ideas upon which their products are built. Many occupants of co-working spaces may spend weeks if not months brainstorming ideas. Naturally, it is vital that they are able to safeguard the details of their deliberations, and product and business plans. Many co-working spaces may not be well-designed to cater to their user’s confidentiality needs. Even more so, many start-ups may not be in a position to anticipate the loss they might suffer if their sensitive information is leaked to other occupants, who might be in a position to build or add-in the leaked idea into their existing product or business plans, thereby unduly undermining the prospects of their competitors/ co-users.

Both co-working space operator and users can take measures to minimise leak of such sensitive information. Physical locations within a co-working space that are particularly susceptible to a breach are (i) conference rooms, (ii) open plan seating areas and (iii) documentation centers.

Glass-walled conference rooms are particularly susceptible. In a co-working space these conference rooms allow start-up founders to meet prospective investors and are a critical venue to pitch their ideas in – often by means of a presentation via a screen. That however means that these ideas are easily visible to any passerby, whether a competitor or not. Open plan seating areas, wherein others can glance at carelessly strewn documents, or overhear sensitive conversations, are also a culprit; as are documentation centers without adequate access controls. Carelessly strewn papers can be read by competitors sharing the same space. Discussions on product and business plans can be easily overhead, and the business plan so patiently drawn up can be up for grabs at the communal printers situated in the documentation center.

Sprucing up existing infrastructure to ensure that co-working space users do not suffer from sensitive information leakage may not be too difficult or cost intensive for the operator. Installing soundproof glass on conference and meeting rooms, and draw-down blinds will dissuade the curious from gaining access to sensitive information during a presentation. Making printers secure by effecting password protection for prints will make printing safer. Maintaining stringent access-controls to co-working areas will ensure that unintended persons do not gain unauthorised access to area beyond their designated work and common areas.

At the same time users also need to be overtly careful in regards to their operations from within a co-working space. User devices should be password protected and locked whenever a user is away from their seat. Documents containing sensitive information should not be left outside on the tables, and should instead be under lock-and-key at all times. Users must also be careful of being overheard while discussing sensitive business and product plans. Discussions such as these, while essential, should only be conducted at soundproof meeting rooms. Where applicable, appropriate measures should be undertaken to ensure that large displays of business/ product data and plans (as in a meeting/ conference room) are not visible to those outside the room. When printing a document, users should ensure that no one else is able to take copies of the prints for their use. Certain printers may come with user-linked passwords that give a print only when the password has been inputted by the user. These are meant to ensure that printouts cannot be accessed by unauthorised persons.

Network security is also paramount in case of a large number of users logging into a single network. Since many co-working spaces may rent out spaces on a daily basis, it is possible for a single individual (or a group of individuals) having a one-off access to exploit network vulnerabilities and compromise the safety of the system. Adequate safety protocols should be implemented to safeguard networks from external and internal interferences. This is best conducted by the co-working space operator. Ideally, the use of private network solutions by the users in a co-working space should be restricted as these may interfere with the existing network infrastructure. There may be cases wherein a liability may fall on the operator in the event a loss is suffered by a user because of a deficiency in maintaining adequate network security measures within the co-working space.

Operators should also ensure that the co-working space has adequate access control measures to prevent unauthorised access by persons. This should be particularly enforced in both access to the co-working space from an external area (outside-to-inside), as well as intra-space access (inside-to-inside). Common areas and facilities should be laid-out in a manner that it doesn’t require a user to access an unrelated area (or to pass through one) to reach the common areas and facilities. Operators must also be careful of areas wherein they have provided manual overrides to automated access control systems (Typically given to the operating staff). Overrides are used to give access to those without adequate clearances, but who nevertheless need to access certain areas of the co-working space (e.g. guests of users). Use of indiscriminate manual overrides may allow access to undesirable persons thereby diluting the access control.

Safeguarding of sensitive information is paramount for start-ups. Efforts must be made both by the co-working space operators as well as users to ensure that data leaks be reduced. While the benefits of the same for users is apparent, operators that have implemented effective control mechanisms could see higher occupancy rates as concerns of protecting sensitive information become mainstream for start-ups operating from co-working spaces.

This post has been authored by Sayanhya Roy, Principal Associate, Ikigai Law.

For more on the topic, please feel free to reach out to sayanhya@ikigailaw.com or anirudh@ikigailaw.com, Managing Partner.

Disclaimer: This article is meant for general informational purpose only and is not a substitute for professional legal advice. This article is based on the laws applicable in India as on the date of publication.

Challenge
the status quo

Bringing what's next...