Data Security and Privacy Enforcement Continues During Covid-19

By Antonia Dumas, Associate at XPAN Law Group 

As we enter the second month of a predominantly virtual world during the Covid-19 pandemic, many companies have taken initial steps to obtain resources and implement minimum security for their remote workforces. While some companies addressed security and privacy compliance during this transition, for many others other business decisions took priority. Now that daily business activities have been forced onto a fully remote workforce that relies on third-party services and cloud-based platforms, security and privacy need to be a priority.

Although enforcement agencies appear to have provided some flexibility and understanding during this crisis, they are not issuing any get out of jail free cards for security and privacy compliance. Most enforcement bodies have stated that compliance with security and privacy laws will continue throughout the duration of this emergency situation. 

Enforcement Bodies Continue During Covid-19   

Generally, the trend in regulatory enforcement of privacy and security is an intention to continue enforcement measures, even in the midst of the pandemic. So far, the only leniency these agencies have offered is for minor deviations; otherwise they are upholding their requirements and continuing enforcement.

General US Privacy and Security Enforcement

Here in the United States, the Federal Trade Commission (FTC) is the lead enforcer for data security and data privacy. In addition to continued enforcement measures against companies of all sizes, the FTC has strengthened its orders in data security cases to impose stricter and clearer requirements. During Covid-19, the FTC’s Chairman announced that enforcement will continue but that the agency “will remain flexible and reasonable in enforcing compliance requirements that may hinder the provision of important goods and services to consumers.” However, the Chairman clearly noted that the FTC will not tolerate companies deceiving consumers or violating well-established consumer protections. The announcement also warns companies to be aware of increased scams and security concerns during Covid-19, and encourages consumers to file complaints.

Regulation-Specific Enforcement & Potential Liability 

Regulatory authorities that enforce industry-specific data privacy laws have also demonstrated their commitment to continued enforcement of data privacy and security obligations.

In Europe, the chair of the European Data Protection Board (EDPB, the EU body that issues guidance and binding decisions under the EU’s General Data Protection Regulation (GDPR)) adopted a statement regarding the processing of personal data during Covid-19. The EDPB stated that obligations under the GDPR to protect personal data continue to apply, “even in these exceptional times.” In particular, the responsibility to ensure that personal data is processed lawfully remains. The EDPB also provided guidance on lawful processing of data by public health authorities, on data relating to health and safety in an employment context, and on mobile location data.

In its 20th plenary session on April 7th, the EDPB assigned mandates to develop specific guidance on certain aspects of data processing during Covid-19, including the use of geolocation and other tracing tools and the processing of health data for research purposes. So, while the guidance in Europe continues to evolve, one constant remains: the GDPR does and will continue to apply throughout this crisis.

Domestically, companies have raced to come into compliance with the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. Plaintiffs in California have already begun citing the CCPA in lawsuits (the CCPA’s private right of action is limited to data breaches resulting from a failure to maintain reasonable security). Most recently, General Electric Company was sued for failure to safeguard employee data.

Further, under the terms of the CCPA, the California Attorney General’s enforcement authority begins on July 1, 2020. Some companies have asked for an extension of the enforcement date, but consumer advocates appear to want the CCPA upheld even during the Covid-19 crisis. So far, the Attorney General has not announced any extension and has only indicated that CCPA enforcement will begin as scheduled on July 1st.

Special Attention & Enforcement for Protecting Sensitive Data 

The shift of non-emergency healthcare services to telehealth and other online healthcare services has moved far more protected health information through online platforms and, in some cases, prompted more leniency under the regulations. During Covid-19, the HHS Office for Civil Rights (OCR) has periodically issued bulletins providing guidance on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule as it applies to protected health information (PHI). In its February Bulletin, the OCR reminded covered entities that the protections of the Privacy Rule are not set aside during an emergency. However, the OCR’s late-March Bulletin provided some flexibility in enforcement, clarifying the limited situations in which it will not impose penalties for HIPAA violations in connection with the good faith provision of telehealth during Covid-19.

Remote learning from home has greatly increased the use of education technology (ed tech) services, as well as other third-party services and applications, to deliver education in the home. This has resulted in a dramatic increase in the collection, use and transfer of personal information of students of all ages. Regulatory requirements at both the state and national level must be followed to protect children’s privacy and safety online, such as the Children’s Online Privacy Protection Act (COPPA) Rule, the Family Educational Rights and Privacy Act (FERPA), and state laws protecting the privacy of K-12 students.

For example, the COPPA Rule imposes obligations on operators of commercial websites and online services, including ed tech services. Now that schools are using online services to provide remote learning, they should follow the FTC’s guidance on COPPA as well. In general, COPPA requires companies that collect personal information online from children under the age of 13 to (1) provide notice of their data collection and use practices, and (2) obtain verifiable consent from the child’s parent. (See the FTC’s guidance on best practices for online notices.) In the educational context (whether in the classroom or at home), schools may provide consent on behalf of parents only if the student’s personal information is used solely for school-authorized educational purposes and not for any other commercial purpose.

How to Limit Your Risk of Becoming A Target For Enforcement 

XPAN’s team recently provided helpful tips to reduce potential vulnerabilities and liability during a pandemic as well as specific tips and guidelines for transitioning to remote work. These tips and guidelines can help you start to take steps towards developing a security and privacy program that meets the current remote work needs. 

Here are the top three areas to consider to limit your risk of becoming a target for regulatory enforcement in privacy and security compliance:

#1 – Establish A Written Privacy and Security Program 

One of the most important ways to demonstrate compliance is to establish and maintain a written privacy and security program. This means documenting your policies and procedures. It is not enough to take security and privacy measures; you need to be able to prove that you took them. Most recent FTC data security orders have required comprehensive data security programs that include yearly employee training, access controls, monitoring for data security incidents, patch management, and encryption.

#2 – Conduct Vendor Security Management 

Third-party vendors and platforms are one of the weakest points within an organization, and an easy target for enforcement actions or for consumer lawsuits. This is especially true now that businesses, healthcare providers and schools around the country (and the world) have had to move almost every aspect of their operations to remote platforms, relying on third-party applications and services.

Vendor security is always important, but with the increased use of these third-party applications and services, scams and attacks targeting those services have increased as well. So, it is key that you establish minimum security and privacy requirements for vendors (ideally in the contract), conduct due diligence before onboarding them, and manage them on an ongoing basis. (See the FTC’s guide on vendor security.)

#3 – Ensure On-Going Security Awareness and Training

Employees need to be aware of the existing security and privacy policies. Further, employees should be made aware of the increased security and privacy concerns during Covid-19. This includes the increase in scams and attacks (see the FTC’s list of current Covid-19 scams) as well as security concerns around using third-party services (such as Zoom or other services for virtual meetings).

Be Prepared

Security and privacy compliance can be challenging. However, XPAN provides services and guidance for regulatory-specific compliance as well as general compliance programs to meet various regulatory requirements and general best practices. For example, take a look at XPAN’s step-by-step guide to the CCPA and a list of the GDPR compliance services we provide. So – get prepared and stay safe! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.