The COVID-19 outbreak has necessitated the creation of a mobile workforce practically overnight. Yet this sudden change raises cybersecurity and privacy issues that companies must now reckon with. The webinar “COVID-19 Emerging Issues: Managing Cyber Risks of a Remote Workforce and Global Privacy Concerns,” presented by NetDiligence and Arete Incident Response on March 24th, addressed this rapidly evolving reality.
“This is uncharted territory and a new time for everybody,” said Marc Bleicher, managing director at Arete Incident Response. “We need to stay aware to protect ourselves.”
Bleicher discussed cybersecurity threats and how companies can better arm themselves against them. The number of workers at home creates what Bleicher calls a “wider than ever attack surface.”
Bad actors see these potential security lapses as an opportunity for gain, and unfortunately, a new wave of ransomware and phishing events suggests that many have already found ways to exploit the crisis.
To that end, Bleicher suggests that organizations take a closer look at security hygiene, both on the office networks they can control and by urging remote employees to adopt simple measures to shore up their defenses at home, such as using WPA2 settings on the Wi-Fi router; changing all passwords, including those on the router; and updating and patching all devices used for work. If there are no existing remote worker policies in place, developing and communicating them is a critical first step.
“We have to create more awareness for employees and make sure they stay informed about risks,” Bleicher says. “We need to be extra suspicious about attachments and links and not sharing personal information right now. When in doubt, always call the IT support and information security team.”
The second speaker, Shannon Yavorsky, partner at Orrick, Herrington and Sutcliffe and a leading authority on U.S. and European data privacy and security issues, examined the regulatory landscape in the United States and Europe with regard to COVID-19. She emphasized that the collection and use of personal health data during the pandemic is a “balancing act” between preventing the spread of disease and keeping employees and visitors safe, on one side, and safeguarding individual privacy and the company’s regulatory compliance, on the other.
“We’re now having to make fast decisions about collecting and using sensitive health data while maintaining best practices for protecting privacy,” she says.
Yavorsky reviewed new COVID-19-related guidance issued in the United States as well as the two major state laws in California—the Confidentiality of Medical Information Act and the California Consumer Privacy Act—that come into play with personal health data. A bulletin released on March 24th by the Office of Civil Rights in the Department of Health and Human Services reminds employers that the basic requirements of the Health Insurance Portability and Accountability Act (HIPAA) apply during a public health emergency—including the “minimum necessary” standard for data collection, use and disclosure—but covered entities can disclose personal health information without consent in some specific circumstances, such as to public health authorities or parties involved in treating the patient.
Similarly, in Europe, the basic tenets of the General Data Protection Regulation (GDPR) remain intact amid the COVID-19 outbreak, with authorities emphasizing in new guidance that the core protection requirements such as data minimization and anonymization wherever possible still apply. However, individual member states can derogate from the law in matters of “public interest.” Local supervisory authorities have released their own individual guidance statements in the wake of the outbreak, and companies must stay on top of these updates in order to remain compliant.
“Understand the data protection laws and the notice and consent obligations you have to comply with,” she says. “There is some flexibility because this is a global health crisis, but in most cases, the basic requirements will still apply.”
Employers should ensure that protected information remains secure, given the enhanced risks of remote work, she said. Like Bleicher, Yavorsky suggested that employers review their handbooks to ensure that their work-from-home policies reflect the current situation, updating them as necessary.
“Remind remote workers—many of whom have never worked remotely before and who don’t work in data security—about the policies and procedures that they need to follow when they’re no longer in the office,” she says. “It’s also a good time to update your cyber breach incident response plans to make sure you can respond remotely if something goes wrong and this is particularly true if sensitive health data is being exchanged remotely.”