As the COVID-19 pandemic continues, significant issues related to data privacy and cybersecurity are on the rise, largely triggered by two key factors: 1) more workforce members working remotely; and 2) organizations processing more employee health information. Below, we discuss some of the issues organizations are facing as a result of these and other factors and offer tips for mitigating the risks.
Increases in Cyber Threats
It has been widely reported that cybersecurity incidents have increased since the start of the pandemic, with scammers taking advantage of the confusion and departure from routine. For example, the FBI recently warned of a rise in fraud schemes relating to COVID-19, including fake CDC emails with malicious attachments and phishing emails asking individuals to verify personal information to receive stimulus checks.
Organizations can help thwart fraudsters by keeping employees informed of the latest threats, training (or re-training) employees on detecting and handling such scams, and instructing employees to report any suspected fraudulent emails or phishing attempts. In addition, organizations should review their incident response plans to ensure the plan is up to date and that it adequately addresses the fact that the incident response team may be working remotely. It is also important to make sure that all members of the incident response team have access to the plan, including from outside the office network. For more information about how to spot scams and phishing, and what to do if you believe you are a victim of a cyberattack, see our recent article on the topic.
Challenges with Working Remotely
As more workforce members transition to working remotely, organizations may find themselves playing catch-up on implementing and communicating policies and procedures related to information security, data processing, and BYOD (bring your own device). Even if no such policies are currently in place, organizations should clearly communicate expected behaviors and protocols; for example, requiring remote workers to utilize company-issued equipment and reminding workers not to save company data to personal computers or cloud storage services.
Organizations should take the time to review their current internal policies to confirm they adequately address security requirements for remotely accessing company systems and data, including ensuring that sensitive information is encrypted in transit and at rest. The National Institute of Standards and Technology's 2016 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST Special Publication 800-46, Revision 2) provides helpful guidelines organizations may want to consider.
Employee Privacy Concerns
Some workforce members working remotely are likely to develop a habit of mixing personal and work-related information on company equipment and systems. Thus, organizations should remind those working remotely of the policies and privacy expectations (or lack thereof) related to data stored and transmitted on and through company property. Organizations without a formal policy in place should clearly communicate to workforce members what information is subject to monitoring.
For essential workforce members still coming into work, organizations need to balance employee safety with employee privacy. The Equal Employment Opportunity Commission (EEOC) issued guidance clarifying that during the COVID-19 pandemic, employers may take certain measures that impact employee privacy as long as such measures are job-related and consistent with business necessity. For example, an employer may take employees’ temperatures and require employees to disclose if they have been in contact with someone who tested positive for COVID-19. However, precautionary measures do not mean an end to employee privacy entirely. If an employer learns that an employee has tested positive for COVID-19, the employer should disclose to other employees (and visitors) that someone they may have come into contact with has tested positive, but should not disclose the employee’s identity or specifics about their medical conditions or symptoms. Moreover, all information gathered from an employee about a health condition must be maintained separately from the employee’s personnel file, just as the employer would do with medical information collected under the Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA).
Employers may also need to consider whether there are any implications under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although HIPAA generally does not apply to employers that collect employee health information in their capacity as employers, employer-sponsored group health plans are covered entities under HIPAA and must comply with the privacy, security, and breach notification rules. At times the distinction can be difficult to make, but the following general rules are helpful (though not always determinative):
- If health information is obtained by an employer through its capacity as a health plan (e.g., where the employer is the payer of the employee’s health care services), then the information is “protected health information” and HIPAA applies; and
- If an employer receives information in its capacity as an employer (e.g., where an employee discloses health information during the Family and Medical Leave Act process), then HIPAA does not apply.
Both the CDC and the EEOC have urged employers to question their employees regarding travel, exposure, or symptoms related to COVID-19. HIPAA may not be in play when it comes to such employee health information, but employers must still treat any health information received in this manner as confidential.
Privacy Regulations Have Not Been Suspended
While some privacy laws may be relaxed during the pandemic, it is important to remember that they have not been suspended. For example, businesses subject to the California Consumer Privacy Act (CCPA) must still adhere to deadlines for acknowledging and responding to individual requests, and the private right of action for a data breach resulting from a business’s failure to implement and maintain reasonable security controls remains in effect. Currently, enforcement of the CCPA by the California attorney general is set to begin July 1, 2020. However, some have recently pressed the attorney general to push back enforcement to January 1, 2021, citing concerns about the ability to timely comply with the law given the current crisis and the fact that the attorney general has yet to finalize the implementing regulations. At this point, it does not appear that the attorney general is inclined to delay enforcement, so businesses should continue to work diligently toward CCPA compliance, assuming enforcement begins on July 1, 2020.
In addition, for organizations subject to Europe’s General Data Protection Regulation (GDPR), many data protection authorities and the European Data Protection Board have issued guidance regarding the processing of personal data in light of COVID-19. While these authorities recognize that data protection rules such as the GDPR should not hinder measures taken to fight the crisis, they caution that care still must be taken to ensure the appropriate protection of personal data.
The cybersecurity and privacy concerns organizations ordinarily face have only been heightened by the COVID-19 pandemic. Organizations are reminded to update and follow their current data privacy and security policies and procedures, communicate threats and the importance of sound security practices to employees, and be mindful that even in these unprecedented times, privacy laws remain in effect. For assistance with your organization’s data privacy and security needs, please contact Kelly Hollingsworth, Jeffrey Segal or any other member of the cybersecurity and privacy practice group at Warner Norcross and Judd.
Jeff S. Segal is a health care and tax attorney in the Southfield office of Warner Norcross and Judd LLP, where he counsels organizations and physicians through a myriad of regulatory and liability matters. Jeff can be reached at Jsegal@WNJ.com.
Kelly R. Hollingsworth, an attorney at Warner Norcross and Judd LLP, focuses on both the general business and information technology industries. Her wide-ranging experience spans from entity formation and mergers and acquisitions to commercial contracting and technology procurement and licensing. Kelly can be reached at firstname.lastname@example.org.