In many ways, privacy has taken a back seat during the COVID-19 pandemic because of the extraordinary challenges facing the world as we work to combat and contain the virus’s spread.
Many argue it’s a necessary evil right now. Others feel privacy should never be compromised, fearing temporary measures can have function creep and be used outside of—and after—COVID. Additionally, such new normals as telemedicine and working from home have opened up cybersecurity challenges.
Jennifer Beckage of Beckage Law Firm shares insights with Micah Howser, NetDiligence’s eRiskHub® Manager, about our current, complicated privacy reality.
What’s Happening to Data Privacy in the Age of COVID?
One of the first things we saw during the COVID-19 pandemic was data protection officials worldwide relaxing data usage rules. What was the ripple effect of those decisions?
There’s no doubt the world of privacy and data protection hasn’t been immune from the effects of COVID-19.
In some spaces, we did see relaxed rules prompted out of necessity because of the pandemic, such as with HIPAA and OSHA. IT security around telemedicine became more relaxed because more doctors and physicians needed to have that one-on-one connection with their patients. Telemedicine was something they might not have used often before, so we did see some relaxed provisions there.
On the flip side, we saw some agencies and data protection authorities (DPAs) state they would not loosen standards. DPAs across the world made it clear fundamental rights and freedoms must continue to be protected during the pandemic, applying data protection laws like the EU’s GDPR (General Data Privacy Regulation). And despite companies asking for a delay, the New York Shield Act and the CCPA (California’s Consumer Privacy Protection Act) went full steam ahead with their enforcement dates.
It’s been a real balancing act, loosening restrictions for progress and innovation to allow companies to pivot as they’ve had to while trying to maintain personal privacy.
Are there specific laws to protect COVID data use in play right now?
Yes. An organization should look at the state they’re in, even their county, to really understand what sort of regulatory pressures they’re facing in all the jurisdictions in which they operate. But general public health laws like OSHA regs and HIPAA still apply.
Depending on the environment in which the COVID-19 information is being transmitted, some laws are being amended to require contact tracing information be kept confidential by any contact tracer or contact tracing entity. Those laws haven’t changed to the extent elements of COVID data are considered personally identifiable information (PII).
But overall, the world has changed. Maybe we all got that necessary kick in the rear to try to move things, to be more remote, and to be more flexible and adopt new technologies. But as we know, we’re collecting more information, so we did see some laws start to contemplate this reality, and we’re expecting more changes.
With everything changing so rapidly, with a lot of confusion and uncertainty around pandemic data privacy, everyone’s had to pivot business models. Are there some best practices?
Understanding privacy requirements associated with pandemic data collection is paramount. For example, employers are now asking questions about symptoms, exposure, and personal travel, and taking temperatures. Companies are also collecting this information about onsite visitors.
These were things employers never asked about or did before. You went on vacation, you went on a trip, and there were no questions about whether you were crossing state lines or if you were traveling to other countries. Now we have these new privacy concerns regarding the confidentiality of this information. Sometimes employers may even need to share it with government agencies to help with tracking. So what is the best practice?
First, you need to ask whether you can collect this data under the law. If yes, make sure you have the right controls in place.
Then evaluate and document the business reasons for collecting the data. Make sure you have a standard operating procedure on it and understand:
- What you are going to do with this data.
- If you are going to encrypt it.
- If third parties are going to have access to it and whether they need to.
- If you will use apps developed in-house to monitor all this data.
Especially if you’re using an in-house developed app, you may need to document it under the Department of Financial Services (DFS) regulations or GDPR.
After determining what you’re doing with the information, you should have clear record retention and destruction policies that help minimize the amount collected and make sure it’s destroyed when you don’t need it anymore.
How about working from home? Has remote access impacted privacy concerns?
Working from home has definitely impacted privacy concerns. The increased exposure to company assets has made it necessary to implement a variety of technical safeguards that probably weren’t in place before. We definitely saw that shift and, by adding new technical safeguards, we started that privacy versus security debate.
Now we’re employing more security measures. Are we trampling on any privacy rights when we help make things secure in people’s homes, places that weren’t traditionally thought of as work environments?
We also saw companies that found themselves having to switch vendors or adopt new vendors at rapid speed. That is definitely a new area for privacy concerns. When we’re working with new vendors, we might be expediting their privacy and security review and their third party vendor management program just to rush into these contracts to keep businesses running.
Also, from a privacy point of view, employee expectations of privacy have continued to be blurred during this pandemic work-from-home model. Employers and employees both need to understand the expectations of working from home and monitoring of work and surveillance of activity. Do the company’s policies address the employee’s expectation of privacy? Do acceptable use policies need to be updated? And employee handbooks?
Those are interesting points. Do you think an organization can be successful with privacy initiatives in the pandemic?
Yes, they can be successful. They need to recognize there will be challenges when they try to pivot their business, but they are not alone. You can still be successful with these privacy initiatives during the pandemic. Look what the NFL did. I think everyone can take some lessons from what the NFL did as far as transparency, contact tracing, and testing.
What’s really important is to remain calm. You and I see many crises working together on incident response. It’s all about crisis management. It’s about staying calm, seeing the light at the end of the tunnel, and not making decisions driven by emotions but with a clear head so you can make those rational decisions.
If you have that clear head as an organization, you can continue to move forward with your privacy initiatives without letting the pandemic get you too derailed. Stay calm, work with sophisticated and experienced data security and privacy professionals and legal counsel, and you can get through it.
With everything going on, I think staying calm is wise advice for anything right now. On another note, have fraudsters or threat actors impacted the privacy of COVID data? Do you see any trends out there?
The last year has been absolutely incredible as far as the uptick in threats. It’s broken down into two different groups.
One, we have COVID-related attacks such as phishing emails really targeted around COVID data or COVID information. Think contact tracing emails or even phone calls, fake websites, misinformation—things like that. We definitely see those types of attacks. However, it’s also important to mention that when we’re talking about cyber breaches, it doesn’t matter if the phishing email contained COVID-related information or not. It was still a phishing email, and someone clicked.
And then I think we’re seeing more attacks generally because we have this distributed workforce. Attackers became more sophisticated in their strategies, unleashing several unrelenting attacks targeting these remote workforce environments where there might not be secure RDP ports and employees are accessing things online without two-factor authentication.
Employees may also be using new, quickly established vendors and tools they didn’t use before at the office. When people have to pivot very quickly and they’re not properly trained, what do they do? They come up with workarounds.
It’s a good idea to interview your employees and find out what doesn’t work when they’re working from home and what workarounds they developed so you can get your hands around potential threats.
We’ve covered a lot of quick points on pandemic data privacy and security during the crisis. Is there anything else you’d like to add?
I think it’s important not to have a whack-a-mole approach to new laws and new situations during these uncertain times. At Beckage, we’re working with our clients to develop overarching programs that can stand the test of time and be ready for what comes next.
In general, it’ll be important to have plan buy-in from the top all the way down to the first responders who handle data requests or interface with individuals collecting information. If you have that in place, you’ll be in a good spot for whatever the future brings.
Watch the full video for Jennifer’s predictions for the future, what could be the new normal, and more.
We thank Jennifer Beckage for sharing her insights about privacy during COVID-19. Beckage is a boutique law firm focused only on data security, privacy, and technology. Beckage is one of our NetDiligence Breach Coach law firms. With coast-to-coast offices, their attorneys are also technologists and certified privacy professionals. They help clients with regulatory compliance, incident response, and litigation and class action defense, all related to data security, privacy, and tech.