While businesses grapple with the COVID-19 crisis, data privacy and data security regulation remains a pressing concern. Some significant state laws regarding data privacy and security have gone into effect in 2020, such as the California Consumer Privacy Act (“CCPA”) (effective January 1, 2020) and the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (effective March 21, 2020). Regulator expectations for compliance with these new legal requirements seem immune to the virus, even as it strains business operations and the employees responsible for understanding and operationalizing the new business processes needed to comply.
As resources are strained and employee focus is diverted to the evolving and unforeseen business demands in addressing COVID-19, the need for focus on data privacy and security appears even greater. Read on for three data security and privacy recommendations when handling COVID-19 related disruptions to business.
- Revisit Your Company’s Incident Response Plan.
Does your Incident Response Plan address the types of security incidents that are happening to other companies related to COVID-19 (such as the scams described in Item #3 below)? It has been widely reported that hackers are taking advantage of the workforce shift to remote working to exploit new vulnerabilities and capitalize on people’s fears through COVID-19 related phishing schemes. With the rise in possible (and new types of) security incidents, when was the last time your business reviewed its Incident Response Plan? Effective Incident Response Plans must be routinely updated to address evolving threats. Laws and regulations also require regular testing and monitoring of key procedures. For example, New York’s SHIELD Act requires companies to adjust their security programs “in light of business changes or new circumstances.” COVID-19’s impact on working conditions certainly qualifies as a new circumstance, requiring a fresh look at existing policies. Security incidents often involve a rapid pace of events, and the resulting response requires a company to make quick decisions. Doing your homework ahead of time so that your company’s Incident Response Plan is useful and based on your company’s current operating environment can prevent a scramble, panic and resulting mistakes in the wake of a security incident. It is important to establish ahead of time what procedures will be followed, what resources will be needed and who will need to be involved in responding to a security incident.
What changes or adjustments to the Incident Response Plan are needed to accommodate execution of the plan in the era of remote working? Your company’s current Incident Response Plan likely contemplates bringing together a small team of key people in senior leadership roles representing a cross-functional team of IT, human resources, legal, compliance, operations, communications, and investor relations. With remote working and social distancing, those in-person conference room meetings will not be possible. Does your plan contemplate online conferencing? Does your core team have access to each other’s current cell phone numbers? Does your team have access to all of the contact information for critical vendors and outside counsel who may need to be called in for assistance while the company’s internal resources are diverted to COVID-19 demands? Your company may need to adapt its Incident Response Plan to account for deviations from normal processes while teams are working remotely. Finally, your Incident Response Plan may need to be tested again to ensure it is ready for use.
- Keep Your Company’s Privacy Policy in Mind.
Is your company collecting new types of personal information as a result of the shift to online business operations (such as geolocation data)? Is your company collecting personal information from different tools (such as a new mobile app) or from new sources (such as a new marketing platform)? Such shifts may require updates to your company’s privacy policy so that consumers are given accurate notice. With the increased shift to (and dependence on) online communications, marketing and sales, keep a pulse on whether there have been any changes in the way that your company is collecting, using or sharing information from consumers or employees. Your company’s privacy policy must be a living document, routinely updated to reflect changing business practices. If subject to the CCPA, your company is required to update its privacy policy “at least once every 12 months” (Cal. Civ. Code § 1798.130(a)(5), emphasis added), meaning the privacy policy must be a living document that is updated when there are significant changes in data collection or usage practices.
- Communicate with Employees Regarding Evolving Privacy and Security Risks.
Are you regularly communicating with employees on the latest threats related to COVID-19? When was the last time your employees received training on detecting phishing attempts? Capitalizing on the COVID-19 crisis, fraudsters are sending messages that take advantage of high emotions and the public’s general sense of urgency in learning more about COVID-19. Now is the time to communicate and refresh employee awareness of cyber criminals’ tactics. The Federal Trade Commission issued advice to businesses on Friday, March 25th, outlining 7 COVID-19 related scams that have been reported to the FTC. For example, the FTC reports that there has been an uptick in fraudulent calls or phishing emails purporting to be sent by a member of the company’s IT staff, asking the recipient to provide his or her password or download software (a variation on the typical CEO scam asking for W-2 forms). The FTC notes that employees could be more vulnerable to being tripped up by these fraudulent messages because everyone is adjusting to changes in normal routines and the company’s IT staff may be overloaded supporting the company’s remote work operations. It is best to get ahead of scams like this by educating your employees about these risks and keeping up with routine training on phishing and other growing threats.
In summary, a comprehensive cyber security and privacy program requires ongoing monitoring of and adjustments for evolving security threats. With COVID-19’s impact on businesses, now is the time to dust off your company’s existing policies and procedures to see what changes need to be made to account for the new threats.
Please contact the author for additional guidance on how these issuances and other COVID-19 considerations will affect the delivery of patient care and the related rules. McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial coronavirus-related business and legal issues.