COVID-19: Effective Measures to Combat Data Privacy Risks Now

Ekaterina Lyapustina
Slalom Business
Apr 24, 2020


Photo Credit Austin Distel@austindistel

By Ekaterina Lyapustina and Casey Berman

“Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules — not just for governments but for private companies.”

- Bill Gates, Microsoft Founder

Bill Gates offers a wholly new way to perceive digital privacy controls. Organizations now have a once-in-a-generation opportunity to harness newly passed regulatory requirements to drive explicit, enterprise-wide, customer-centric change.

These regulations include Europe’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the proposed Massachusetts Data Privacy Law, the New York Privacy Act, the Maryland Consumer Protection Law, and many others springing up at the national and state levels.

However well-meaning, government-mandated rules rarely help a company deepen its connection with its customers or improve its bottom line. But these aren’t ordinary times.

A post-COVID “new normal” will drive more remote work, higher internet bandwidth usage, an abundance of digital content creation, and increasing data transmissions. All of these impact privacy in one form or another.

And while this current crisis calls for all hands on deck, it can also be a time when organizations’ data is at its most vulnerable. In this article, we encourage you to keep privacy management on your to-do list. We shine a light on the most pressing privacy risks during this crisis and detail actionable data protection steps you can begin right now.

What Are The Privacy Risks Amid The Crisis?

Every new enactment of a data privacy law brings with it new best practices and risks. We’ve curated the leading risks for you to immediately consider during the COVID-19 crisis.

1. Trouble aligning consent with data usage

With COVID-19 requiring organizations to quickly adapt to new ways of doing business, it is easy to overlook the business justification for the data they collect. This could lead to poor consent management practices and issues with regulators down the road.

2. Immediate Consumer Privacy Infringements

The acceleration of public and private surveillance to fight the novel virus includes the use of data mining techniques. These techniques use data collected from social media and consumers’ smart devices to track people’s movements, from which the spread of the virus can be modeled. If left unchecked, these practices could violate consumer rights and transgress privacy and consumer ethics.

3. Data Privacy Breaches from Remote Work

When an employee works remotely, the employer bears the responsibility of ensuring data protection best practices are being applied. Remote work means employees have access to crucial information and assets in their homes, which expands the risk of data breaches and privacy violations.

Immediate Actions: Build the Foundation Now — Starting With People

Photo Credit Dan Nelson@danny144

“You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”

- Daryl White, CIO, Department of the Interior of the United States

Recent research suggests that 55% of U.S. consumers say companies should have the primary responsibility for the security of their customers’ online and mobile accounts. Here are the immediate steps you can take now to achieve short-term accountability goals.

“Accountable” in a well-structured privacy environment does not mean culpable finger-wagging or ensuring heads will roll if a breach occurs. Rather, it should mean “invested.” No policy, process, technology adoption, or culture change can take shape and take hold without the buy-in of a company’s main stakeholders, its broader employee base, and its customers. These three audiences must consistently and collectively feel devoted to their organization’s privacy culture.

“Technology is nothing. What’s important is that you have faith in people, that they’re good and smart, and if you give them tools, they’ll do wonderful things with them.”

- Steve Jobs, Co-founder, Chairman & CEO, Apple Inc.

A Data Privacy Continuity Plan is key to ensuring an organization’s data privacy and corporate risk management during calm, volatile, or pandemic times. By having a plan in place and preserving access to crucial information and assets, you can reduce the risk of a data breach or privacy violation. You will be well positioned to sustain critical functions and reduce the potential for first- and third-party losses, all while remaining in compliance with the various regulations.

Instead of waiting for a disaster to slow or disrupt your business operations, your Privacy Team must begin to protect your organization’s data now. We suggest three initial steps for you to take:

1. Empower stakeholders: Align and prepare your immediate circle of corporate stakeholders. Conduct workshops to proactively identify critical assets and functions that require dedicated continuity measures, and gain buy-in from company leadership.

2. Communicate with your employees: Effective crisis management requires active communication across business functions. Leaders need to take action now to mitigate risks, tackle immediate priorities, and ensure business continuity and financial stability.

a. Kick off with an introductory email campaign: Begin with a series of short, informative emails that should be formally acknowledged by all employees. The following is an example of a progressive series of emails to achieve transparency and understanding:

i. Goal for Email 1: Employee understands the company’s internal privacy policy and external-facing Privacy Notice, including data retention and data minimization practices.

ii. Goal for Email 2: Employee understands their responsibility for protecting personal data, and can quickly recognize and forward data subject access requests from consumers exercising their rights.

iii. Goal for Email 3: If a data breach involves remote workers, those workers know exactly how to respond: who to contact, when, and how.

iv. Goal for Email 4: Keep privacy issues clear and readily available, including detail specific to video conferencing or virtual participation in discussions (guidelines on personal information, recording, shared desktop, data transmission, open doors).

b. Begin to test real-life scenarios by implementing phishing detection or social engineering identification training: For example, you could send employees a phishing test email appearing to come from a CEO or another C-level executive with a subject line like “Update on COVID-19” with a faux-malicious link that can lead to a landing page to harvest user credentials.

3. Protect your customers: Ensure privacy protocols are met and even exceeded.

a. Encrypt sensitive data both in transit and at rest to reduce the potential harm from an unauthorized data transmission or disclosure. This ensures that even if records are stolen from your organization, they are of little use to bad actors.

b. When sending new laptops and mobile devices to remote workers, make sure personal data is encrypted, password-protected, and capable of being disabled in the event of a loss. Also secure portable storage devices on which data may be held, as well as physical records storage such as paper copies or physical data backups.

c. Exercise the Principle of Least Privilege when assigning application access to new users.

Longer-Term Actions: Upgrade Your Tools

“My message for companies that think they haven’t been attacked is: You’re not looking hard enough.”

- James Snook, Deputy Director of Business, Crime, and Skills in the Office for Cyber Security, UK

According to an annual report by the Identity Theft Resource Center, 500 million personal records were stolen in 2018. More than ever, companies today must invest in developing, implementing, and maintaining a viable continuity program that addresses key data privacy processes and protections. Here are long-term actions you and your leadership teams should consider taking to cement a sustainable and successful privacy sensibility company-wide.

A comprehensive data privacy business continuity plan should be developed with a focus on the following aspects:

  1. Identify potential data privacy/leakage risks due to loss of business-critical functions. Of particular importance is the communication of how and when you collect, manage, use, and protect information.
  2. Update technical and organizational measures to ensure that personal data related to notification requirements (especially sensitive health data regarding employees or customers) is also covered and protected.
  3. Do not collect more data than is necessary for a clear business purpose.
  4. Review company policies regarding remote working and other work arrangements.
  5. Evaluate the use, transfer, and storage of new data gathered from individuals (e.g., customers, suppliers, and employees) in light of the heightened risks.
  6. Stress test the robustness of IT systems, network infrastructure, and cybersecurity controls in anticipation of allowing/requiring employees to work from home.

Now is the Time

Just as COVID-19 is now part of each of our lives, privacy breaches are now commonplace for all organizations — everyone is at risk of a privacy breach. According to research from the data protection company Corodata, 46% of U.S. firms suffered a data breach in 2018 — a nearly twofold increase over 2017.

Your organization can continue with half-hearted efforts and pay lip service to privacy protection, all the while exposing itself to greater and greater damage and possible non-compliance fines.

To prevent and mitigate these attacks, you should make privacy strategy changes now to protect your employees and customers. This nurtures sustainable and affordable relationships. It creates enduring business models through the good times and the bad. As Warren Buffett said, “In a chronically leaking boat, energy devoted to changing vessels is more productive than energy devoted to patching leaks.”

To discuss how you and your organization can apply this guidance, or to discuss specific supply chain challenges, please reach out to Ekaterina Lyapustina or Casey Berman at Slalom.


Passionate about data privacy, security, and building better technology that matters. Privacy Consultant, @Slalom Global Privacy Center of Excellence