As businesses struggle to navigate the new reality created by Covid-19, there are a few things to keep in mind both in the short and long term, when it comes to privacy and security.

Security & WFH.

With employees working remotely, now more than ever organizations are at risk of cybersecurity incidents. Malicious players will seek to exploit increased vulnerabilities in this age of WFH, and with IT teams scrambling to ensure that all of their employees can connect remotely and remain productive, some of the most obvious risks should not be overlooked:

  • A large number of organizations had not anticipated the need for laptops or other devices for ALL of their employees. As such, many workers across the country are now using their personal devices to perform their jobs, which may include handling proprietary and/or personal information. However, a number of these personal devices will not only lack some of the basic security tools and software (e.g., firewalls or antivirus software) and controls on what can be downloaded, but may also already contain some unsavory software or applications that increase the risk or malware distribution. In fact, some personnel may shortcut and use personal email accounts to transfer documents, which adds yet another level of risk, as further noted below. Add to this mix the exchange, transfer, and processing of proprietary and personal information, and this could lead to some very problematic unintended or unauthorized disclosures.
  • To connect and get work done, workers need a WiFi network, and unfortunately, some employees may be using unsecured WiFi networks. This could potentially be a very big problem if employees are accessing information via an unsecured or vulnerable WiFi network – such as a neighbor’s unsecure network. Some of the many risks of using unsecured WiFi networks include eavesdropping – which enables malicious players to access and capture everything remote workers are doing online including login credentials, emails, and other or proprietary information – as well as exposure to malicious attacks. No doubt, it is important to ensure that employees are using secure WiFi networks coupled with company VPN’s to prevent any malicious scanning activity.
  • Many organizations lack specific policies that specifically warn employees NOT to use personal email or messaging applications lacking encryption when they exchange the organization’s confidential information. Some of these policies, also commonly referred to as “BYOD” policies, are intended to inform workers of what they can and cannot do with their devices. Consider Bob sending a personal email to a friend and colleague that Mike in marketing tested positive for COVID-19 (i.e., sensitive health information) or an employee transferring customer lists with personal data via unencrypted messages. WFH devices aside, employees should also be reminded not to toss confidential documents in household garbage bins, to turn off smart devices that are voice-activated, and to take calls that involve confidential information in a “private area” of the home. Failing to clarify policies with personnel is very risky. Now would be a good time to remind employees of how they should minimize these risks.

Ensuring that your organization’s  IT and legal teams are working closely together to develop policies and procedures will help identify and minimize these increasing cybersecurity risks.

Health Information.

When to collect and how to handle health Information – which by definition is considered sensitive in most jurisdictions – is of course front and center with Covid-19. Finding a balance between respecting employees’ privacy and ensuring the safety of other employees (as well as the public) is no easy feat. While the current situation was unexpected and presents new challenges on the privacy front, the rules still apply, and it is important to process any information relating to an employee’s health in compliance with those rules. Organizations should make sure that they understand what laws may apply to them, review their internal policies and procedures and act based on the particular circumstances. While employers have a duty to safeguard health and safety, this does not mean collecting any and all information whenever they please, or forcing employees to hand  over information no matter the circumstance. Organizations should also ensure, as a rule of thumb that sensitive information, such as health data, is stored with added security. This includes limiting access to a “need-to-know” basis, and once the data is no longer needed, deleting it.

Increasing Marketing.

The financial fallout from Covid-19 will no doubt be tremendous. Organizations are scrambling to stay afloat – and we are just a couple weeks in, here in the United States. As organizations push their marketing and advertising teams to generate leads, whether in the B2B or B2C space, it may be tempting to skirt some of the rules. But again, privacy laws still apply. Some, such as the GDPR and CCPA, have specific rules that affect marketing and advertising – namely, with respect to how personal data is collected and whether individuals receive proper notice or consent where required. Companies must consider CAN-SPAM rules and the TCPA in determining whether or not they can email or text individuals who had previously opted-out of marketing messages (or who did not previously opt-in to text messages) about steps they are taking to address Covid-19 – taking care to determine if anything in the email or text language could be construed as marketing or would be deemed a transactional, relationship message or “emergency” message.

Plans to build databases with personal information, implement lead generation tools, increase ad partners, or send direct marketing communications are just some of the things that should be evaluated in conjunction with applicable privacy laws. For instance, in the EEA, you cannot just send random individuals direct marketing (with some exceptions depending on the Member States) without first obtaining their specific consent. Likewise, if you want to start using an ad intermediary to promote advertising in California, there may be some restrictions if your organization is subject to CCPA, and similarly if your organization purchases information from lead generation databases, Article 14 notice requirements of the GDPR may kick in. And while courts are closed in many places right now, regulators are still enforcing. Case in point: here in California, a group in the advertising space had recently sent a letter to the Attorney General (tasked with enforcing the CCPA beginning July 1) requesting a delay in CCPA enforcement given the current circumstances. Their attempt to delay enforcement was rebuffed by the office of the Attorney General, which responded that it remained committed to enforcing the law as planned. Ensure that your organization doesn’t ignore existing privacy rules just because of the current chaos, as this will not be a valid excuse for non-compliance if a regulator comes knocking.

Bankruptcy Considerations.

Unfortunately, some companies will have no choice but to file for bankruptcy once the dust settles, and this may have some privacy implications. In this day and age, one of a business’ most valuable assets is the personal information that it has collected from its customers or end-users – often more so than any of its tangible assets. But when a business becomes a debtor, the sale of personal information can be problematic. Section 363(b) of the US Bankruptcy Code provides that a debtor that has a privacy policy prohibiting the transfer of personally identifiable information (or that fails to disclose that the debtor may sell or transfer such information to third parties) may not sell or lease such information unless (1) the sale or lease is consistent with the terms of the privacy policy or (2) after the appointment of a consumer privacy ombudsman (CPO) the court finds, after giving due consideration to the facts, circumstances, and conditions, that the sale or lease would not violate applicable non-bankruptcy law. These restrictions only apply if the debtor disclosed the privacy policy to persons not affiliated with the debtor and the policy was in effect on the date of the bankruptcy filing. There are some existing decisions discussing these consumer privacy protections, but because privacy has been pushed to the forefront since the last big round of corporate bankruptcies, it is very likely to be a much bigger issue in this next round. Organizations contemplating bankruptcy proceedings should therefore be aware of these restrictions in connection with a Section 363 sale motion. While many privacy notices do already address sales of information, including in bankruptcy, how the sale language is specifically worded, the nature of the purchaser, and, importantly, the number of prior versions of the privacy policy could become impediments to effortlessly transferring users’ personal information. Moreover, specific privacy laws such as the GDPR may further impact the conditions under which personal information may be transferred to a purchaser. As such, it’s important to review existing policies and assess applicable laws prior to filing, particularly if customer personal information is the organization’s most prized asset.

These are just some of the many issues that must be considered in these difficult and uncertain times. Organizations may understandably be tempted to put privacy and security on the back-burner for now, but this could have some far-reaching consequences in the long run as our new normal settles in.

Above all, stay safe.