Privacy in the time of COVID – 19; Nothing’s Changed, Everything’s Changed

There’s no question that the novel Coronavirus, COVID-19, has created massive disruptions in our lives.  Those of us who can work are working remotely, social distancing has become the rule of the day, and while this will end, there is no sure end date in sight.

Even some things that we thought might be unalterable have changed – tax returns have been delayed, and multiple laws are modified to fit the times, whether they be a holiday from parking tickets (at least in Los Angeles), to extensions of unemployment insurance and sick leave.  But some things have not changed, and privacy laws are one of them.

Data Privacy and Security Laws Haven’t Changed

Privacy and security obligations under the European Union’s General Data Protection Regulation, protection of health data under the Health Insurance Portability and Accountability Act, financial privacy under Gramm-Leach-Bliley – all of these are still in place and being enforced.  Contractual obligations, for the most part, remain unaffected (although force majeure clauses and governmental action might provide some relief).

And enforcement of the California Consumer Privacy Act of 2018 by the California Attorney General remains scheduled for July 1, 2020, even if the recently amended regulations interpreting the act don’t become effective until after that.  Businesses throughout California have petitioned the Attorney General for a delay in enforcement while they contend with the disruptions of the current pandemic, without response from the AG.

Data Breaches Continue

One group that hasn’t been impacted by the COVID-19 pandemic has been data thieves.  Yesterday, a non-scientific sampling of headlines included:

• Fake Email from WHO Installs Malware
• Town of Jupiter hit by malware ‘incident,’ knocking out several online systems
• Fake Corona Antivirus Software Used to Install Backdoor Malware
• Expert Comment: Five Billion Records Exposed In Open Data Breach Database

If anything, the pandemic has given hackers new venues to seek out victims under compelling phishing campaigns.

What Has Changed?

While much remains the same, one of the biggest changes has been the move to a remote workforce, which makes privacy and a security a greater challenge.  As my partner, Michael Gold , Co-Chair of our Cybersecurity and Privacy Group puts it, we have expanded the edge, and now have to consider how the security and privacy shields established in a business can be expanded to at home workers.

This is particularly challenging, since home workplaces are not typically configured for security.  Among other factors:

• Wi-Fi and routers are often not configured or maintained to the same level of security as office equipment – home equipment doesn’t always have firewalls, and if they do, are not always updated.
• Individuals often ignore updates and patches to existing programs – yet these are typically geared toward addressing security risks.
• Homes are increasingly automated, giving access to multiple devices in the Internet of Things that can access home networks. Workers with Alexa or Google’s voice assistant rarely consider that it may be “listening in” to confidential conversations – do remote workers mute their devices?
• As workers spend more time at home, they also are more likely to spend more time on social media, often sharing pictures of their home office. Those pictures might be worth a thousand words, especially if they display a screen shot, or a sticky note with passwords.

In short, the challenge of achieving privacy and security compliance has grown as workers become dispersed.  At a time like this, businesses must expand their efforts to inventory and manage their data and design an information environment that can protect their data – and, of course, comply with existing laws.

 

The JMBM Cybersecurity and Privacy Group assists clients in achieving both real security and privacy compliance.  For more information, contact Robert Braun (RBraun@jmbm.com) or Michael Gold (MGold@jmbm.com).

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.