COVID-19 and Its Impact on Data Privacy and Security
Organizations across the United States are preparing to respond to increasingly dire warnings from public health authorities and the need to take action to mitigate the spread of the coronavirus and the disease it causes, COVID-19. Both the rapid spread and the prolonged incubation period of the virus present unique societal challenges. Perhaps the one bright spot in this pandemic is that it is happening at a time when remote communication and collaboration tools are ubiquitous. Modern technology allows many of us to continue working and staying in touch with colleagues, friends, and family despite the social distancing measures necessary to fend off the pandemic’s spread. But even this silver lining is not without issues of its own. Organizations, now more than ever, will need to address the heightened security demands caused by the increased risk of cyberattacks that result from a remote workforce and must also remain cognizant of the problems posed by balancing the call to share critical health information against the interest of protecting the privacy of those who may have been infected.
Below are five Frequently Asked Questions concerning coronavirus and its impact on security and privacy concerns:
How should remote networking be configured?
Even when employees are working remotely, they should be using the organization’s computer system rather than their personal devices, which often lack the tools necessary to detect and protect against attackers. This can be accomplished either by providing company-issued laptops or by ensuring that work is done on a company virtual machine using a remote connection through a secure VPN. If employees must use their own devices, be aware that doing so will create additional risk of data loss, and may make it extremely difficult to prevent, track, or mitigate a data breach.
Are there extra security protocols we should have in place because of the increased number of remote employees?
Now is a good time to ensure that multifactor authentication is rolled out throughout your network to make it harder for an attacker who gains access to someone’s credentials to use them. This added layer of protection, which requires users to present at least two credentials or other forms of proof that they are who they say they are before they are granted access to the system, pays dividends in preventing cybercrime. Similarly, it is worth making sure that endpoint protection, logging, and monitoring are all in place. If these systems are not currently online, consider engaging with a vendor that provides these services as an easily implemented, cloud-based solution.
Are there any additional security concerns caused specifically by the pandemic?
Internet scammers are surprisingly agile and very quick to take advantage of a crisis. Almost as soon as the news turned its focus to the pandemic, scammers were exploiting it. Phishing campaigns have already started with emails purporting to come from the World Health Organization or other entities that provide crucial COVID-19 updates or information, and the U.S. Health and Human Services Department has already been besieged by attacks. These are particularly insidious because the unprecedented epidemic and its rapid evolution have caused users to lower their cybersecurity guard and made them more vulnerable to these kinds of scams. Organizations should remind their employees to be wary of unexpected or suspicious communications.
What extra training should be provided to employees about security issues?
First, remote employees should be reminded that security and privacy issues are still paramount concerns for the organization and that they should familiarize themselves with the organization’s policies on that front. Employees should also be reminded not to save sensitive or personal data on their personal devices and should be careful about using insecure Wi-Fi networks. Additionally, employees should be especially vigilant about phishing attacks seeking their credentials, particularly ones disguised as coronavirus information (which have become incredibly common almost overnight).
If someone who interacts with my organization becomes infected, how do I balance the need to inform people of their heightened risk against the need to protect the privacy of the individual who is infected?
In order to protect your employees, customers, and other contacts, it is crucial that organizations create a notification plan in case someone involved with the organization becomes sick and is at risk of infecting or having infected others. At the same time, it is important to realize that the privacy implications of naming a coronavirus patient can be severe not only to them but also to their families and even other members of their community. Indeed, the news is filled with stories of an infected individual’s life being recreated almost step-by-step as panicked acquaintances try to determine their risk of infection, or of children who are shunned or worse because they share a last name or ethnicity with a known COVID-19 patient. From a legal perspective, the amount of information you can release about a person likely depends on your legal relationship to them. Thus, an organization has different responsibilities toward its employees than toward its customers or suppliers, and a health care organization has different responsibilities to its patients than a hardware store has to its customers. In addition to considering these legal issues, it is also wise to keep in mind that as a general principle it is best to release only that information that is actually helpful to people in protecting their health. Not only should this mean avoiding mention of the name of a person infected with the coronavirus; in many instances it may also mean refraining from providing enough information for that person’s identity to be deduced.
This advisory was prepared by Seth Berman, the leader of Nutter’s Privacy and Data Security practice group, and James Gately. For more information, please contact Seth or your Nutter attorney at 617.439.2000.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.