COVID-19 impact on data privacy
Last Edited: 4/1/2020
We remain focused on providing an industry-leading, customer-centric Digital Experience Platform (DXP). We have prepared for and tested against major disruptive incidents, including pandemics. With the benefit of having customers and partners in a wide range of industries and verticals, we want to share some of the considerations that our global family of customers, partners and associations face in the reality of the COVID-19 pandemic.
With that in mind, we want to be proactive and share some frequently asked questions on the topics of privacy, data protection, security and compliance, including those related to:
- Privacy and personal information considerations, including what to do for organizations that collect information that could be useful in reducing the spread of COVID-19
- Data protection and cybersecurity considerations
Please note: this is Optimizely commentary reflecting the opinion of an individual contributor, and nothing within this article constitutes legal counsel or advice of any kind.
Privacy and personal information considerations
While some privacy policies may already address the types of PII that government agencies are interested in collecting in extreme circumstances (such as wanting to stop the spread of COVID-19), many do not. Those that do may serve as examples for those that do not currently have such language. We at Optimizely find prime examples of this language among our customers in the travel, airline, hotel, car service and insurance industries, and other companies that offer loyalty programs. These privacy policies (sometimes shared through notices for the interest-based advertising products used on the site) typically include language describing the tracking of the timing and location of purchases, and the tracking of individuals' movements through geolocation data from cookies, pixels or apps. As a quid pro quo, consent for this information has typically been collected in exchange for discounts or perks on future products and services. However, even with this language, these policies typically still do not contemplate possible use of PII for public health purposes.
We suggest companies and organizations review existing privacy policies (and definitely externally facing policies) to ensure the policies cover the disclosure of PII to governmental agencies for requested emergency purposes, including public health.
We believe one final point to consider is that customers and partners should seek advice as to whether an exceptional disclosure or use of PII triggers a change in the role of a product, a service, or the organization itself under applicable data protection law (for example, becoming a “service provider” under the California Consumer Privacy Act (CCPA)).
What should an organization consider before collecting, using or sharing PII for broader interests (for example, with public media, government agencies or associations) in response to COVID-19, such as employee, guest or customer travel or geolocation data?
First steps are to 1) make sure such use is lawful under applicable data protection laws, and 2) review your privacy policies and consent notices to determine whether they are sufficient for the PII the organization intends to collect, and for how it intends to share and use that PII. GDPR best practices already call for internal and external privacy policies at a minimum, so bear in mind that there may be multiple policies to review, and that they can differ by jurisdiction.
What information can an organization disclose if employees or customers have tested COVID-19 positive?
Upon discovery that an employee or customer has tested positive for COVID-19, what information may lawfully be disclosed depends on who the intended recipient is. For example, if the request comes from a federal, state or local government and/or its agencies, local laws or recently enacted legislation may mandate that an organization provide information in response to the government request.
If the recipient is not a government entity but people within the organization's nexus (for example, when informing your own employees or customers about another employee or customer who has tested positive), Optimizely believes in sharing only the minimum PII necessary to let others within the nexus be informed and assess their own personal health risk and exposure. On this need-to-know basis, the minimum PII necessary will vary by context and will likely need adjustment based on circumstances. The scale of the organization and the nexus will play a role in the evaluation (meaning how many people in total, and how many have tested positive), as will whether the individual is an employee or a customer, the likelihood of exposure to others, and the geographic location they are based in.
If at all possible, do not share PII, in particular the individual’s name. However, these are unprecedented times, which means it may be unavoidable given the unique and novel scenarios that may present themselves. Optimizely has prepared, as other companies should, escalation paths and clear lines of approval for answering disclosure questions and deciding the detail to be released (if any), along with defined disclosure processes that minimize impacts on individual privacy rights.
What needs to be considered from a data privacy perspective when complying with a government or agency request for information about employees or customers made on the basis of responding to COVID-19?
Protecting the data privacy of an individual, especially an employee or customer, should at a minimum include these considerations:
Where is the request coming from, and whom is it about?
Organizations should, if they are not already, be well versed in the federal, state and international data privacy and protection laws that apply to them. If an organization exists in multiple regions, it needs to understand which laws and regulations are applicable and which individuals are covered under those laws, which vary greatly between regions and states. Data and information that can be shared in one venue or jurisdiction may not be allowed in another (or may be subject to stricter regulation). Understanding the legal requirements and legal basis is key: organizations should be cautious about (and should prefer to deny) requests to give PII to governments and their agencies where the request is made informally and/or where its scope is overly broad. If an organization opts to submit to a request for PII (which should only be done where a legal obligation exists), it should always give a thoughtful response that minimizes the risk and the data exposed. While the information being requested may be relevant to fighting the spread of COVID-19 (e.g. geolocation and travel data, person-to-person contacts, etc.), such data, if not shared appropriately, could be used by governments and agencies for other purposes.
Legal Considerations / Valid Process / Legal Obligation
If the government request has a legal basis established in law or regulation, how and what data and/or information is to be disclosed should be easier to discern. Keep in mind that, even when complying with the law, organizations should always reduce disclosures to only what is needed, so that the scope of PII disclosure remains appropriate and the risk and harm to employees or customers is reduced. Always ask for the legal basis and process on which the government request rests, including the order, warrant or subpoena, before providing PII.
Reputation / Brand / Public Relations Considerations
Finally, whether an organization chooses to comply or not, there are reputation and public relations aspects to bear in mind. If the organization is seen as difficult to work with when the government is taking steps specifically to stop the spread of COVID-19, a public backlash may result from a perception that the organization is uncooperative and callous toward the attempt to stop COVID-19. On the other hand, especially where an organization’s brand and reputation include protecting privacy, open-ended cooperation without demanding a legal basis and process before complying may be seen as counter to that messaging, and ultimately result in the loss of brand value and trust.
Does notice need to be given to individuals if PII is disclosed to a government and/or agency in relation to COVID-19?
In the US, an organization that discloses PII to a government agency has a legal obligation to inform the affected individuals that their information was shared with the agency only in a limited number of circumstances, for example if the person is subject to the CCPA. Where the person is subject to the CCPA and no exception applies (such as the organization being HIPAA-related and/or a business associate), the organization would have to provide the California resident with details about the categories of PII that were disclosed and the categories of third parties the information was shared with (including governments and agencies).
In the EU, an organization must weigh many possible legal bases and considerations, including local freedom of information acts (FOIA) and of course the General Data Protection Regulation (GDPR). Organizations must consider the legitimate public interest in disclosure and balance this against employee and/or customer rights. Under FOIA, there is a general social need for transparency about the policies, decisions and actions of public bodies.
Even if an organization only has a legal obligation to inform individuals that it shared PII in a limited scope and under a closely guarded disclosure mechanism with governments and/or agencies, the question must still be considered, and policies should clearly articulate what the organization would do under these circumstances. While COVID-19 is unique in its global threat and response, the weighing of public relations considerations, business reputation and the types of PII disclosed should be articulated clearly in policy, so that the decision on whether to inform is unambiguous.
Data protection and cybersecurity considerations
With most employees working from home, where the organization can support it, are there increased cybersecurity issues or risks?
The short answer is “yes”. The long answer is “yes, there are a lot.” However, with careful planning, processes, testing, auditing and adherence to industry-best information technology (IT) policies, most organizations should be able to mitigate the major, known risks and issues. With our ISO-27001 certification process, annual testing against our business continuity plan (BCP), disaster recovery and incident management processes (to name a few), we are well versed in planning for employees working remotely, for employees' ability to work being disrupted, and in contingency planning for many force majeure events.
The news and media have brought to light many of the standard challenges of remote work now appearing with COVID-19, including internet bandwidth issues, increased migration of organization data to personal devices, hackers taking advantage of the COVID-19 situation, and greater security exposure due to new or inexperienced remote-working employees. Here are a couple of high-level considerations, which Optimizely continuously monitors and tests against.
Organizations must test (including load testing) remote connectivity capacity, whether VPN, virtual desktop infrastructure (VDI) interfaces, or other remote infrastructure, to ensure that they can support the expected increase of remote access, especially if locations are partially or completely closed (including cases where network/power/physical access is shut off). Make sure employees have the access they need to get their job done without having to increase exposure or risk to data and infrastructure. Other technical security measures, such as multi-factor authentication, security certificates installed on work and personal devices used for work (as well as remote wiping capabilities) may also be appropriate.
Further, it is critical that organizations apply security patches promptly and continuously, keeping remote access components and devices up to date.
Requirements & Policies
Organizational remote access policies must be clear about requirements and expectations, including summaries of the threats employees should commonly be aware of, which types of devices are permitted and how they should be configured, and the organization’s acceptable use policy. The disciplinary actions to be taken if policy is violated should be clear and enforceable. Which organization data is allowed on personal devices, and on which devices, is one of the most critical points this plan should articulate. Policies should be tested continuously, and reminders to employees are key, especially when announcing a “work from home” edict or a facility closure. Policies should also articulate the security hygiene practices employees follow when working remotely, including avoiding co-mingling organizational and personal data and consistently using the VPN, especially when accessing an insecure network (such as public Wi-Fi).
Companies should pay special attention to new employees, and to those who traditionally would have had no or limited experience with remote work. The default assumption should be that employees who have not received specific training do not adequately understand the security necessary to work remotely safely, which is why training on these topics is critical. Security awareness communications that repeatedly emphasize the current remote work security policies should also be sent at regular intervals.
While the common assumption is that employees will be aware of the publicized concerns about working from home, organizations should educate employees about the risks of connecting to unsecured networks in public locations (public Wi-Fi at cafes, airports, even city- or state-sponsored “free Wi-Fi”).
Organizations that hold certifications, like our ISO-27001 certification, will be well versed in auditing policies and procedures, including those for BCP and remote access. Organizations that do not have such a formal certification should consider adopting similar practices, ensuring that audits against policies are done on a regular cadence and that health checks are done at regular intervals to expose potential risks. Logging what is available is one thing, but checking those logs and understanding what they say is another.
COVID-19 has opened a gate to hackers using the current circumstances for nefarious purposes – what can be done to prepare employees and others to identify and avoid these unique cybersecurity threats?
If the organization has not already done so, it should immediately send a security reminder to all employees and other relevant personnel to be vigilant against potential cyber-scams, phishing and attacks by:
- Only using trusted sources, such as government or health organization websites, to obtain up-to-date, fact-based COVID-19 information
- Not providing security, personal or financial information when responding to online communication
- Not clicking on links or opening attachments contained in unsolicited, suspicious, or non-regular emails
Employees are human, and the news and media are full of stories of those susceptible to targeted phishing, fraud and other cybercriminal activities solely based on trying to get information on COVID-19, or interests and concerns relating to the pandemic. While the topic of COVID-19 may be new, the techniques and messages used to entice individuals to click malicious links often remain similar to other scams that are constant and persistent on the internet. Use the interest and fervour around COVID-19 as another driver for security awareness by alerting employees or others to these risks.
As stated previously, training and education are key. Training, as Optimizely does, in how to spot these malicious acts, and conducting simulations with a fake phishing email on topical items, will keep employees and others armed with the right mindset and keep security top of mind. Use training results – and potentially the results of simulations – to provide motivation to employees who failed the training or fell victim to the simulated phish.
One other way organizations can ensure employees and others get accurate information on COVID-19 and don’t subject themselves to security risks in the broader internet is to provide consistent COVID-19 updates. Optimizely communicates regularly to employees and others through email, teleconferences, and an internal resource center on an Optimizely-based intranet site which collates current and accurate information both internally and externally generated.
Finally, it’s important to note that this is not just the news and media picking up on this – the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) clearly identifies this specific threat, whereby malicious actors use the COVID-19 pretext to send emails and social media messages with attachments or links to malicious websites to trick victims into downloading malware or spyware, and bait them into giving up sensitive organizational or personal information. Often these situations result in financial fraud through donations and contributions to non-existent charities.
Any other additional cybersecurity concerns or risks that COVID-19 presents?
COVID-19 has brought to the public consciousness that the workforce shift from office-based to more remote work arrangements is likely more permanent than temporary. One issue that has come up repeatedly is the increase in false positives in intrusion and risk alerts, and the complexity of filtering the false positives from the true positives. Understanding the different scenarios that exist with remote working arrangements (for example, a higher number of false positives because access to work systems and infrastructure has shifted from the office to the home, hackers using the disruption of normal work patterns to hide intrusion activity, etc.) will help in defining the right processes and picking the right systems.
COVID-19 may present a data security crisis, but the truth is that these threats existed before the pandemic. Current circumstances only underline the importance of an organization’s BCP, incident response plan, disaster recovery plan and other security monitoring plans – and of course of picking the right critical software platforms and providers that are adept at responding to a data security incident while minimizing business interruption, including interruptions that affect personnel.
If not already done, updating policies for pandemic preparedness only goes part of the way – testing and auditing is the only way to know that they work. Simulating a potential event in which a data security incident occurs, employees or offices are out of commission or working remotely, or a combination thereof, will give some certainty that existing policies are effective. Annual training emphasizing current policies and response plans should be done with all employees. Third party support, whether data protection legal support, cyber insurance coverage, or even employee health plan coverage for pandemics, should also be taken into consideration. An industry has been built around security information and event management (SIEM) solutions, consultancies and other risk mitigation solutions – picking through them will be difficult without first understanding the policies, processes and practices an organization is willing to embrace.
The cybersecurity rules that applied prior to COVID-19 are still in effect now. Cybersecurity laws, regulations and procedures have not been relaxed as a result of the pandemic, and there is no indication that enforcement will be curtailed or suspended at this time. The appropriate response to COVID-19 from a cybersecurity perspective is to continue to enforce basic good cyber policies, procedures and auditing.
In our relentless focus on customer-centricity, we will continue to openly offer thought leadership pieces on best practices and to implement industry-leading policies in support of the Digital Experience Platform – which is no different with the rise of the COVID-19 pandemic. There is no doubt that COVID-19 is a pivot point for organizations, industry and society at large. Even so, an organization’s readiness for force majeure events such as pandemics should be addressable through preparedness, policies, procedures and consistent testing and commitment. Being a cloud-first, industry-leading software company, Optimizely has prepared and tested for these circumstances. Ensuring that our customers, partners, employees, ecosystem, systems and software are secure, effective and robust at all times, especially during such crises, is a core tenet of Optimizely. Should you have any questions, please contact sales@Optimizely.com, or, if specific to this article, dpo@Optimizely.com.