As the government is about to ease the lockdown restrictions and is trying to bring different types of businesses back to normal, employers are increasingly obliged to ensure the health and safety of employees while preparing to get back to work.
Because millions of people are hunkering down during the COVID-19 pandemic, businesses have necessarily adapted their approaches and started assessing the different impacts and risks to operations. While their priority should rightly be on employee health and safety, the threats to privacy and cybersecurity should not be ignored.
Following the outbreak of COVID-19 and its growth into a global pandemic, organizations have taken extraordinary steps to protect workers, consumers, and others from the safety threats posed. Organizations are still seeking to get back to business as usual to the extent allowed by their particular circumstances.
Knowing the threats
Following are some tips, considerations, and updates for businesses during these unprecedented times:
One inevitable consequence of the current situation is the significant rise in the number of employees working from home. The effect of this cannot be overlooked, and organizations will seek to reduce cybersecurity threats while at the same time taking practical measures to help employees get work done without compromising security:
- Remind employees who work remotely of the applicable company data policies, such as remote work and Bring Your Own Device (BYOD) arrangements, among other related policies and procedures. If no such relevant policies are in place, consider enacting some to govern how to access company assets and information, where to store information, and how to transmit data. Employees should also be aware of the types of information that are considered trade secrets, confidential, or protected.
- The cyber world contains any number of evolving threats. It is also necessary to warn employees about ongoing, ever-evolving risks, such as phishing attacks and other social manipulation, which may take advantage of the current crisis.
- Restrict access to confidential data to those with a “need to know” in order to fulfill their important duties. Furthermore, ensure remote workers use company-issued equipment and do not transfer business data to personal computers, thumb drives, and personal cloud storage services, such as Google Drive.
- Ensure that the confidential information stored on remote computers (such as health information, financial data, personal documents, and similar types of information) is secured in transit and on the device while it is at rest.
- Review incident response plans to ensure the organization is ready to respond to a data breach or other incident. Schedule some time to update the contact information of the response team, and make sure each team member has access to the plan so that they understand their role in the response.
Privacy laws relaxed, not suspended
The coronavirus is spreading globally, and it is important to remember that in times of crisis, some privacy laws around the globe may be relaxed, but they have not been suspended. In recent weeks, a variety of regulators and data security agencies have provided recommendations in response to the pandemic. Businesses’ outside counsel will give feedback on how various regulatory bodies are responding to the crisis.
Many data protection authorities have issued guidelines for companies subject to Europe’s General Data Protection Regulation (GDPR), covering various topics related to data processing and handling in the context of the COVID-19 pandemic.
In the aftermath of the COVID-19 outbreak, the European Data Protection Board (EDPB) has released its recommendation on the protection of personal data. In short, the EDPB has recognized that data security regulations, such as the GDPR, do not obstruct measures taken to tackle the global pandemic.
Like the GDPR, the California Consumer Privacy Act (CCPA), California’s landmark privacy legislation, remains in effect for the corporations subject to it. If an organization under the CCPA receives a consumer request to delete or refuse the sale of personal information, it should still comply with the deadlines for acknowledging and responding to requests as provided by law.
Therefore, an enterprise collecting additional personal information during the pandemic, particularly sensitive health data, should consider notifying individuals at or before the time the information is collected. Also, the business should consider consulting counsel to assess the data privacy consequences of collecting and using this data.
Furthermore, one of the more severe liability risks for undertakings subject to the CCPA is arguably the threat of a private action if a business suffers a data breach because of its “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
Today, more than ever, companies need to have sound security mechanisms in place, such as encryption, data access control, and collection minimization. During these unusual times, hackers won’t stop, and businesses shouldn’t relax when it comes to data security either.