COVID-19 is first and foremost a threat to our health, but as many organizations are quickly discovering, it also raises novel questions about privacy and security. We recognize that privacy and security are two of many, many pressing business concerns, so in this post we outline the key considerations.
Remote login technology is enabling many of us to work away from the office in our cozy sweatpants, but having employees working elsewhere – and under the stress of a crisis – also creates new ways for data to get lost.
Specific remote work-security challenges include:
- Backups: Employees who lack access to a document management system and training may default to saving information on local hard drives, creating a risk of loss unless there is a robust backup system. If employees use their own computers, they may be using third-party backup solutions that create copies of business documents on third parties’ systems.
- Plain Old Theft: Homes and other remote work locations may not have robust physical security, creating a greater chance of loss or theft.
- Poor Network Hygiene: Home Wi-Fi routers may have no password set, may still use the default password, or may use weak security settings, creating a weak link in the connection between employees and the office network if a Virtual Private Network (VPN) is not used.
- Employee Preparedness: Employees who do not have ready access to remote work tools or training may attempt to work around issues using personal devices, causing information to leak out of the office network.
- Social Engineering: Bad actors always will take advantage of times of crisis by leveraging panic and misinformation. Security researchers have observed phishing attacks that purport to provide information about COVID-19 in an attempt to get employees to click on links in emails. Remember that phishing attacks also can take advantage of voicemail, text, and telephone calls. For example, attackers could impersonate suppliers or IT helpdesk personnel.
Recommendations to reduce risk:
Reducing risk requires a combination of technical controls, policies, and training. In the short term, organizations should consider creating and publicizing one-pagers to ensure that employees follow existing protocols to protect company data when working from home. As time permits, organizations should provide employees with a combination of policy and technical controls that enforce data management best practices, including VPN access, mobile device management solutions, and prohibitions on accessing or sharing company information from outside the company network.
Social distancing and concern about preventing the spread of disease are likely to lead organizations to think differently about how their employees and customers interact, communicate, and move through a physical space. Any changes in operating processes, however, are also likely to involve changes in how personal information is collected and used.
- Telephone Consumer Protection Act (TCPA): If your business wants to use voice or text messaging to communicate with employees or customers during the period of physical separation, then you need to consider the TCPA, which among other things regulates automated voice and text messages to cell phones, even if they contain informational communications and not marketing.
The TCPA contains an exception for emergency communications, and the FCC has issued guidance stating that communications from hospitals and healthcare providers qualify as emergency communications exempt from the TCPA. However, be sure to carefully evaluate whether your proposed voice or text communication fits within those exceptions.
- Health Information: In general, HIPAA will not apply to an employer’s activities relating to protecting its workforce. However, businesses still must be judicious in determining what information should be disclosed to their employees. The EEOC has issued guidance in response to COVID-19 stating that employers must maintain all information about employee illness as a confidential medical record in compliance with the Americans with Disabilities Act.
It may not be necessary to reveal the affected individual’s identity to implement effective protective measures. Additionally, the CDC cautions about the harm that can be caused by the stigma that may attach to an individual with, or suspected to have, a positive COVID-19 diagnosis.
- Biometrics: COVID-19 might incentivize businesses to invest in touch-free systems for security and time-entry. Such uses are regulated by state biometrics laws in Illinois, Texas, and Washington.
- Geolocation: The spike in remote working makes precise location tracking a valuable tool, and employers may be tempted to use available tools to keep tabs on their workforces. Any tracking of location, including through employee mobile phones or otherwise through internet browsers, could also provide clues to how COVID-19 is spread. But geolocation can be privacy-intrusive.
Organizations thinking about using geolocation for the first time, or disclosing geolocation to authorities, should carefully evaluate whether using location is really necessary to achieve their goals, whether it is permissible to share under applicable laws, and whether they have the right policies and procedures in place to notify individuals about tracking.
- Privacy Compliance: For businesses that have moved to virtual offerings, use of third parties in order to offer video feeds may result in data being collected from the businesses’ customers automatically while they are using the third party platform. This raises questions about who has rights to use the data and in what ways, and whether any “sales” are occurring as defined by the California Consumer Privacy Act.
Recommendations to reduce risk:
Before collecting any new data points in connection with a new business use case, ask yourself the fundamental questions that are at the heart of every privacy evaluation:
- What personal information am I collecting, from whom? Do I have the right to collect it?
- To whom do I intend to disclose the information? Does the law allow disclosure? Do they have a legal relationship with me that will require data protection terms in a contract, e.g., “service providers” under the CCPA?
A Reminder About Attorney-Client Privilege
Discussing privileged subject matter in the presence of third parties or leaving privileged documents in areas where they might be accessible to others, even family, can break the privilege. If you need to discuss privileged information, consider how you can do so confidentially even if you are working remotely or from home. Smart home devices that are purposefully or accidentally activated may also record confidential conversations or information.