Data Privacy and Cybersecurity Considerations During the COVID-19 Pandemic
By Procopio Senior Counsel Elaine F. Harwell, CIPP/US, CIPM
As millions of people hunker down amid the COVID-19 pandemic, businesses have necessarily adapted approaches and begun to evaluate the various impacts and risks to operations. While their focus may rightly be on the health and safety of employees, privacy and cybersecurity risks should not be ignored. Below are tips, considerations, and updates for businesses during these unprecedented times:
Be Aware of Heightened Cybersecurity Risks and Warn Your Employees of the Dangers
One unavoidable effect of the current situation is the tremendous increase in employees working from home. The impact of this cannot be overstated, and businesses should work to minimize cybersecurity risks while at the same time considering reasonable steps to help employees get work done without compromising security:
- Remind employees working remotely of relevant company data policies, including remote work and Bring Your Own Device (BYOD) agreements, and other similar policies and procedures. If no relevant policies are in place, consider enacting some to govern how company assets and information can be accessed, where information can be stored, and how information can be transmitted. Employees should also be reminded of the types of information considered to be confidential, trade secret, or otherwise protected.
- As always, the cyber landscape contains evolving threats. Warn employees of persistent but ever-evolving threats, such as phishing attacks and other social engineering that may take advantage of the current crisis. For example, the FBI recently warned of a rise in fraud schemes relating to COVID-19, including fake CDC emails with malicious attachments and phishing emails asking targets to verify personal information or credentials. Train your employees on how to detect and handle such scams and keep them informed about the latest threats.
- Restrict access to sensitive data to those who “need to know” to perform their essential job duties. Further, ensure remote employees are utilizing company-issued equipment and not saving company data to personal laptops, thumb drives, or personal cloud storage services such as Google Drive.
- Ensure sensitive information stored on remote devices, such as health information, financial records, personnel records, and the like, is encrypted in transit and when at rest on the device.
- Review incident response plans to ensure the organization is prepared to respond to a breach or other data incident. Take the time now to update contact information for members of the response team and confirm each member of the team has access to the plan and understands their role in the response.
Global Privacy Laws Have Not Been Suspended
As the coronavirus spreads globally, it is important to remember that some privacy laws across the globe may be relaxed in times of crisis, but they have not been suspended. Various regulators and data protection authorities have issued guidance in recent weeks in light of the pandemic. Businesses’ outside counsel can provide guidance on how various governing bodies are reacting to the crisis.
For businesses subject to Europe’s General Data Protection Regulation (GDPR), many data protection authorities have issued guidance covering various topics related to the processing and handling of data in the context of the COVID-19 pandemic. The guidance has varied from more permissive approaches taken by the United Kingdom and Ireland, to more restrictive guidance issued by France and the Netherlands. Check the website of your relevant data protection authority for specifics and updates.
The European Data Protection Board (EDPB) also issued its own statement on the processing of personal data in the context of the COVID-19 outbreak. In short, the EDPB recognized that data protection rules such as the GDPR do not hinder measures taken to fight the global pandemic. Nevertheless, “even in these exceptional times” the EDPB wrote, care must be taken to ensure the protection of personal data. Indeed, the EDPB stated that personal data should still be processed in a lawful manner.
For businesses subject to California’s landmark comprehensive privacy law, the California Consumer Privacy Act (CCPA), the same holds true: like the GDPR, it remains in effect. If a business subject to the CCPA receives a consumer request to delete or opt out of the sale of personal information, it should still adhere to the deadlines to acknowledge and respond to the request as provided under the law. Further, should a business decide to collect additional personal information during the span of the pandemic, particularly if it is sensitive health data, the business should consider providing notice to individuals at or before the time the information is collected. Indeed, the business should consider consulting with counsel to weigh the data privacy implications of collecting and using such data.
Further, arguably one of the more serious liability risks to businesses subject to the CCPA is the threat of a private action if a business suffers a data breach due to its “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” (California Civil Code § 1798.150). Now, more than ever, businesses need to have in place reasonable security protocols, for example, encryption, limiting data access, and minimizing collection. Hackers will not rest during these unusual times and businesses shouldn’t either when it comes to data security.
For a discussion of the implications of the Health Insurance Portability and Accountability Act (HIPAA) on covered entities in the context of COVID-19, please see our article here.
Impact on Anticipated Enforcement of the CCPA?
Of further note with respect to the CCPA is that enforcement by the attorney general is set to begin July 1, 2020. Given the global pandemic, however, a coalition of dozens of business community members, including the Chamber of Commerce, recently pressed the attorney general to push back enforcement of the new law to January 1, 2021. The businesses cite, among other reasons, concerns about the ability to timely comply with the law in light of the unique challenges raised by the global spread of the coronavirus, and the fact that the attorney general has yet to provide finalized regulations. At this point, it does not appear the attorney general is inclined to delay enforcement; however, stay tuned for ongoing developments in this space.
As we all continue to adjust our practices in light of the global pandemic, we will work to keep you updated on the latest developments impacting privacy and data security within your organization. Additionally, please check Procopio’s COVID-19 Communications and Resources page for key updates and analyses impacting business during these unprecedented times.
Elaine F. Harwell is a Senior Counsel with Procopio and a member of its Privacy and Cybersecurity Practice Group. She is an experienced business litigation attorney and a trained privacy professional. Her practice focuses on representing clients in privacy and data security matters, including litigating claims involving privacy issues, helping clients manage emerging risks and conduct privacy risk assessments, and advising on regulatory and compliance issues. Elaine has been involved in numerous trials as well as arbitration proceedings related to contract and general business disputes, trade secret matters, complex unfair competition and business practice claims, and professional liability. She has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) and the Certified Information Privacy Manager (CIPM) credentials through the International Association of Privacy Professionals (IAPP).