Security and Privacy During A Global Pandemic

Clearly, we are living in a different world. And for once, I am not talking just about cybersecurity or data privacy (well not at this point anyway). We are living in a time where in-person businesses are basically shut down and we are all working remotely. I say “we”, but really here at XPAN, this is how we have always operated; but, I digress. So while we, as a society, adjust to remote work, remote learning, and a complete lack of toilet tissue at the store, there are some things businesses need to consider during these unusual times. 

From a Cybersecurity Perspective:

Your workforce is now completely, or at least substantially, remote. This creates new and, in some cases, previously uncontemplated challenges. One of those challenges is the heightened cybersecurity threat created by remote work. While we are protecting our friends and family from one virus (i.e., the Coronavirus), we are potentially subjecting ourselves and our businesses to other online viruses.

The Attorney General of the United States, William Barr, recently instructed all federal prosecutors to prioritize investigations of fraud and hacking. AG Barr stated, “The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated.” Further, “[i]t is essential that the Department of Justice remain vigilant in detecting, investigating, and prosecuting wrongdoing related to the crisis.” The Federal Trade Commission (FTC) further warned of increased cyber-related scams taking advantage of a general fear and anxiety around coronavirus.

Hackers love a good distraction, and are very opportunistic. Distractions make us — in our work and our personal lives — less vigilant and more likely to get tricked by a well-crafted phishing email. And we have several distractions to deal with now. First, we have to work from our homes, so things like laundry, dog walking and emptying dishwashers become a prime distraction. In addition, we are not able to readily talk to our co-workers. That makes scams easier to pull off. Emails from our boss asking us to transfer money or pay certain bills are harder to confirm because she/he is not in the next office or down the hall.

In addition, our families are all home with us. Our children are home doing remote learning. They have questions about school work, they are hungry and want a snack, or they are fighting with each other. This creates another layer of distraction. We are not laser-focused on the work; we are also watching what is going on with our kids in the home. We are basically home schooling and working from home simultaneously, two full-time jobs that demand much of our attention at the same time. A hacker's dream.

And all of this is done on a home WiFi network that is (hopefully) password protected, but far easier to compromise. Kids and other family members are on the WiFi, searching the web and possibly downloading news stories or videos. While people feel like their home is safe, that is not always the case when it comes to home WiFi. There are a number of ways to hack into home WiFi networks. A lot of people fail to change the original factory-set WiFi password. Plus, many home routers use the old WEP encryption, which is easy to hack.

From a Privacy Perspective:

All of this is happening against the backdrop of regulations designed to safeguard privacy. It is important to remember that the laws do not cease to exist simply because we are operating differently. The European Data Protection Board (“EDPB”) issued a statement on March 19th in response to the COVID-19 pandemic. (The EDPB is the EU body in charge of the application of the General Data Protection Regulation (GDPR).) In its statement, the EDPB did not suspend compliance obligations with the GDPR simply because of the pandemic. Instead, it stated, “[d]ata protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.” Clearly, the EDPB does not believe the GDPR needs to be suspended during this pandemic; quite the opposite. It quite literally talks about the importance of data privacy protections during a crisis like COVID-19.

Domestically, various industries are urging the California Attorney General to delay enforcement of the California Consumer Privacy Act (“CCPA”) an additional six months because of COVID-19. The CCPA took effect on January 1, 2020, but the AG’s enforcement is delayed until July 1, 2020. The California Attorney General warned back in December (albeit before the entire world shut down), not to see the six (6) months as a grace period. He urged companies to have their compliance programs in place, “If they [the companies] are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.” While the Attorney General has not issued a statement since the outbreak has occurred regarding the enforcement of the CCPA, companies should consider that, unless they are specifically told otherwise, they should continue to work toward compliance.

The Office of Civil Rights (“OCR”), which is the agency with the exclusive jurisdiction to enforce the Health Insurance Portability and Accountability Act (“HIPAA”), recently issued a limited waiver of HIPAA sanctions due to coronavirus. The limited waiver is intended to improve data sharing and patient care during the pandemic. This means sharing protected health information (“PHI”) with other healthcare agencies, providers, and the patient’s family. This waiver relaxes the patient consent requirements. However, the OCR was quick to note that this waiver, without a patient’s consent, does not extend to disclosures to the media and others not involved with the patient’s care. Healthcare providers were also reminded that they are still responsible for limiting impermissible uses and disclosures, while protecting patient data.

Helpful Tips

Changing to a completely remote environment may increase potential vulnerabilities, liabilities, and regulatory requirements. Last week, our team discussed key areas to be aware of in a remote workforce, and provided helpful guidelines to use in transitioning to remote work. Additionally, here are a few tips to address this crisis (from a privacy and security perspective):

  • Remind your workers (CONSTANTLY) to be hyper-vigilant. Pay close attention to links in emails. Phishing emails, particularly those from your child’s school or with recent updates on the latest in the crisis, are the most enticing of all and will be highly efficient at getting you to click and download malware onto your device and the company’s systems. 
  • Run tabletop exercises during the crisis. Remember that hackers strike when we are least expecting it or when our defenses are down. THAT MEANS NOW. Conducting a tabletop exercise on a sunny day in May is useless; conducting one now will show any gaps in your plan and make your organization better prepared to deal with any situation.
  • Make sure your online presence (i.e., websites, applications, social media, etc.) is updated and remains relevant. Now is the time to make sure your privacy notice, terms of use, and any other language on these platforms are updated and compliant with any privacy and security laws.
  • Remind your employees that data collection practices are still in force and need to be complied with regardless of where the work is being performed. Just because employees are working from a home office does not mean that they can ignore or forget cyber and privacy practices. 
  • Consider updating internal compliance documentation (i.e., policies, procedures, etc.) in light of this change in circumstances. And don’t think that these policies will go by the wayside when things return to “normal”. These new or revised policies can be a starting point for developing a new disaster response or recovery plan to address these evolving cyber and privacy threats.  

Working from home will present a lot of challenges, but if we all do what we can, we will get through this crisis. XPAN Law Group has been a remote working law firm from its inception. If your organization is struggling or confused, reach out. Don’t be afraid to ask for assistance as we all grapple with the changes in our lives. We need to stay safe both in person and online. Keep calm, wash your hands, and DON’T CLICK!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.