There's no question that the novel Coronavirus, COVID-19, has created massive disruptions in our lives. Those of us who can work are working remotely, social distancing has become the rule of the day, and while this will end, there is no sure end date in sight.
Even some things that we thought might be unalterable have changed - tax returns have been delayed, and multiple laws are modified to fit the times, whether they be a holiday from parking tickets (at least in Los Angeles), to extensions of unemployment insurance and sick leave. But some things have not changed, and privacy laws are one of them.
Data Privacy and Security Laws Haven't Changed
Privacy and security obligations under the European Union's General Data Protection Regulation, protection of health data under the Health Insurance Portability and Accountability Act, financial privacy under Gramm-Leach-Bliley - all of these are still in place and being enforced. Contractual obligations, for the most part, remain unaffected (although force majeure clauses and governmental action might provide some relief).
And enforcement of the California Consumer Privacy Act of 2018 by the California Attorney General remains scheduled for July 1, 2020, even if the recently amended regulations interpreting the act don't become effective until after that. Businesses throughout California have petitioned the Attorney General for a delay in enforcement while they contend with the disruptions of the current pandemic, without response from the AG.
Data Breaches Continue
One group that hasn't been impacted by the COVID-19 pandemic has been data thieves. Yesterday, a non-scientific sampling of headlines included:
- Fake Email from WHO Installs Malware
- Town of Jupiter hit by malware 'incident,' knocking out several online systems
- Fake Corona Antivirus Software Used to Install Backdoor Malware
- Expert Comment: Five Billion Records Exposed In Open Data Breach Database
If anything, the pandemic has given hackers new venues to seek out victims under compelling phishing campaigns.
What Has Changed?
While much remains the same, one of the biggest changes has been the move to a remote workforce, which makes privacy and a security a greater challenge. As my partner, Michael Gold , Co-Chair of our Cybersecurity and Privacy Group puts it, we have expanded the edge, and now have to consider how the security and privacy shields established in a business can be expanded to at home workers.
This is particularly challenging, since home workplaces are not typically configured for security. Among other factors:
- Wi-Fi and routers are often not configured or maintained to the same level of security as office equipment - home equipment doesn't always have firewalls, and if they do, are not always updated.
- Individuals often ignore updates and patches to existing programs - yet these are typically geared toward addressing security risks.
- Homes are increasingly automated, giving access to multiple devices in the Internet of Things that can access home networks. Workers with Alexa or Google's voice assistant rarely consider that it may be "listening in" to confidential conversations - do remote workers mute their devices?
- As workers spend more time at home, they also are more likely to spend more time on social media, often sharing pictures of their home office. Those pictures might be worth a thousand words, especially if they display a screen shot, or a sticky note with passwords.
In short, the challenge of achieving privacy and security compliance has grown as workers become dispersed. At a time like this, businesses must expand their efforts to inventory and manage their data and design an information environment that can protect their data - and, of course, comply with existing laws.
Originally published 24 March, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.