Best Privacy and Security Practices, COVID-19 Edition (Hint: Fewer Differences than You Might Think)

Businesses scrambling to move their workforces into remote environments are rightly concerned about the smooth and productive flow of information, including questions about whether there will be any government support for building out a remote infrastructure, and what limitations there are on the kinds of information employers may obtain or share to minimize the health impacts on their employees (both questions, among many others, that Foley Hoag’s COVID-19 Task Force was built to help answer).  And the now-ubiquitous use of videoconferencing platforms has itself created new threats, and potentially new liabilities, that businesses must take care to manage.

In a complex business environment that has transitioned so quickly into remote workspaces, what should you be doing differently?

The answer is, probably not much.

New Best Practices, Same as the Old Best Practices.

In ordinary times, best practices to maintain strong data governance include regularly auditing your privacy practices, making sure your documentation aligns with those practices, thinking carefully about a response plan to handle inevitable data incidents, keeping abreast of changes in law, and training your workforce to minimize threats from malicious actors.  Those practices from yesterday still matter today and will continue to matter tomorrow.

Auditing your privacy practices, for example, is especially important right now because your company’s data flows might have changed in important ways as your workforce has moved to remote environments.  Are people now sharing sensitive documents as a matter of course through a videoconferencing platform?  Are there different vendors you have switched to or engaged in order to handle information flows?  Has the method by which employees or consumers can contact you changed?  Thinking through what you are now doing differently, especially in the face of uncertainty regarding the duration of the present crisis, is important.

Such an audit, if it captures (as it likely will) changes in data governance practices, will likely lead to a need to alter your documentation — a privacy policy, a written information security program (WISP), notifications to counterparties or customers.  Making sure your documentation matches your actual practices is always vital, since your documentation reflects your representations to customers and counterparties, and a mismatch can lead to liability stemming from a misrepresentation.  But it also could lead to important changes you might need to make in your vendor relationships, even temporary ones, if the change to a remote workforce alters your contractual representations regarding confidentiality or data security.

Importantly, your biggest risks come from your workforce itself — this was true before the pandemic, and it’s true today.  Cyberattacks, especially social engineering attacks such as spearphishing, are as common now as they have ever been, and bad actors are exploiting this crisis to gain access to information systems and sensitive information within them.  Training a remote workforce on how to properly use videoconferencing technology, VPNs, and encryption is crucial to managing those risks.

Questions of liability are legal ones and depend on the state of the law.  Some legal entities, such as the Department of Health and Human Services (HHS), have offered important guidance informing the public that its enforcement body, the Office of Civil Rights (OCR), “will exercise its enforcement discretion and will not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule” during the COVID-19 crisis.  The California Attorney General’s Office, by contrast, does not appear inclined to relax the California Consumer Privacy Act’s (CCPA) compliance demands, regardless of the crisis.  The EU’s General Data Protection Regulation (GDPR) offers more complexity because each EU member state acts as a separate enforcement authority, and different countries have provided different guidance.  Moreover, state legislation in other domains, such as biometrics, has continued despite the crisis.  In other words, “ordinary” compliance does not seem to be changing a great deal during the crisis; keeping tabs on the law still matters greatly.

New Opportunities

I’ll dispense with quoting the old cliché, but it is important to point out one important opportunity during the COVID-19 crisis:  the real-world stress-testing of business continuity and resiliency plans.  Advice that clients constantly hear from Foley Hoag’s privacy lawyers is: prepare for the worst.  Think about and plan for how you are going to handle a crisis.  Usually, we’re referring to a data incident, not the complete migration of business operations to a remote workforce.  But either now, or at some point in the future when the crisis passes, is the time to reflect on what you planned for, what worked, what didn’t, and what you need to do to plan for next time.  Bringing stakeholders together in an organization and finding those outside the organization who can assist — be it with legal or forensic support or public relations management — is crucial to making sure that your organization can weather a crisis.  If your organization has been lagging on these efforts, now is the time to invest in them.

Risk Management, Today and Tomorrow

In the end, the common thread to all of these actions is risk management.  Data governance was yesterday, is now, and will be tomorrow, an exercise in managing the risks that come with processing data — employee personal data, consumer data, sensitive commercial information, intellectual property, trade secrets, and so on.  Whether the context is a pandemic or business as usual, the key to managing risk is understanding risk.  There is no substitute for taking comprehensive stock of what your data and security structure actually looks like in order to determine what, if anything, needs to change.
