The disastrous health effects of the novel coronavirus, and the extraordinary economic problems it is creating, are becoming all too familiar for companies around the world. Unfortunately, the problems spawned by COVID-19 do not end there. The virus also raises substantial data privacy and data security issues. There are two major categories of issues.
The first area of concern relates to the sudden and dramatic increase in company employees working remotely — either predominantly or exclusively. With so many people required to work outside of their normal workplace, organizations face a heightened risk of cyberattacks. Companies that are temporarily working remotely often rely on tools such as DocuSign, Zoom, and WebEx to perform tasks that, under normal circumstances, would take place in person.
The challenge is that cybercriminals are aware of this massive shift to remote working and are going to great lengths to exploit the vulnerabilities of these systems — and employees’ individual arrangements. Most notably, hackers are seeking to exploit outdated virtual private networks (VPNs), insecure at-home networks, and the simple carelessness of employees working remotely. For example, cybersecurity firms have reported an increase in malware attacks in which cybercriminals are taking advantage of the uncertainty and fear caused by the COVID-19 outbreak to deceive people into running malware, through “phishing” schemes and other tactics. The results can be calamitous, ranging from attacks on company-wide computer systems and the breach of confidential data, to monetary theft.
The good news is that businesses and their employees can defend against these incursions by staying especially vigilant in response to the increased threat. Here are some defensive measures companies can put into place to protect themselves, their employees and their customers:
▪ Require remote users to connect to the internet through trusted, password-protected Wi-Fi networks or hotspots — and charge an IT company with verifying that level of protection
▪ Educate employees on how to identify emailed phishing scams that are disguised as security or software updates
▪ Keep confidential communications and documents within your trusted business network, avoiding the temptation to share these materials through third-party platforms
▪ Activate a ‘two-factor authentication’ log-in process for any software or remote portal that provides access to sensitive information
▪ Refer any requests for passwords or other types of personal, confidential information to a designated contact person, such as an IT consultant
The second area of privacy-related concerns enhanced by the pandemic relates to health information. Companies must balance the potential need to share important health-related developments against the requirement that they protect the privacy of individuals who may have been infected with COVID-19.
Some businesses are reconciling this conflict by proactively preparing company-wide communications for use if an employee tests positive for the virus. Whether the company learns the news directly from the infected employee or from someone else, the CDC has advised that businesses notify employees of their possible exposure to COVID-19, but recommends doing so without revealing the infected person’s identity.
Companies may also see a need to inform potentially affected customers, vendors and visitors of their possible exposure – again, without disclosing the identity of the individual who tested positive. In this scenario, it is prudent to disclose only the information that is materially helpful in protecting people’s health, as opposed to information from which one might deduce who tested positive.
These two areas of privacy concerns intersect in an important way. The legal significance under applicable health regulations of protecting employees’ personal health information is another reason to monitor carefully the security of computer networks. Having a work-from-home workforce means that the security of private home networks and employees’ personal Wi-Fi networks will be of enhanced significance to employers.
Philip R. Stein is a partner at the law firm Bilzin Sumberg, where he is head of the firm’s litigation practice.