Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19. But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts. We describe below both privacy implications of disclosing data to government authorities and commercial partners and strategies to manage COVID-19 risk by collecting additional information about employees and visitors, as well as the cybersecurity implications of these outbreak prevention and management efforts.
- Our professionals around the globe have been advising clients on the privacy risks of disclosing health and other personal data to public health authorities and other government agencies. As we blogged about here, regulators at many different levels of the Chinese government have been actively collecting personal data to monitor and mitigate the spread of the virus, and that’s now happening across the globe. Other public health agencies worldwide are requesting information from private companies to assist with containing or mitigating the spread of the virus. For example, they may seek information about a person’s contacts in order to conduct contract tracing of an infected person. Although public health agencies generally have broad information-gathering authorities, these laws typically do not overcome privacy laws that restrict disclosures of personal or other sensitive information. Companies may need to consider how to mitigate these legal risks before responding, particularly where more detailed information is requested.
- Many companies are considering various kinds of measures to mitigate the spread of the virus to employees and visitors that involve the collection of travel history or health information. The relevant privacy and employment law considerations vary by jurisdiction, but a key question is whether the information gathering is a proportionate and reasonable response. For example, in the United States, the Americans with Disabilities Act imposes relevant restrictions, including limiting when employers may conduct “medical examinations” of employees and protecting confidential medical information. Our recent posts on guidance issued by the French, Italian, and Danish regulators highlights the privacy risks that exist for companies in Europe, where a key question is whether there is an appropriate lawful basis to capture the additional information. Where sensitive health information is at issue, companies will need to consider whether the data collection is permissible under Article 9 of GDPR.
- We also are seeing circumstances in which commercial partners request that personal data is shared or exchanged in connection with virus prevention and management efforts. This type of commercial sharing of personal information amplifies the privacy risks described above. Companies will need to consider how to mitigate the legal risks of sharing sensitive information, such as through data minimization and contractual controls.
- In addition, the collection of additional personal data and its sharing with government authorities and commercial partners may raise new cyber risks for organizations. Cyber criminals are opportunistic and may seek to capitalize on coronavirus-related fears. The experience in China has been illustrative. There have been widespread reports of cybercriminals disseminating Remote Access Trojans disguised as files or documents that seemingly provide new notifications or updates regarding COVID-19. These Trojans are typically EXE installers intended to steal information from users’ computers or mobile devices or perpetuate ransomware. We also have seen other types of fraud and cybercrime, including fraudulent text messages that flights have been cancelled due to the COVID-19 outbreak. The text messages contain a phone number provided by the cybercriminals to handle “administrative matters” in relation to the cancellation. The goal of the attacks is to obtain payment card and other sensitive information. Companies should remind their work-forces about the need to verify the source of emails or text messages before clicking on links or opening attachments or taking some other action that could lead to financial loss.
The increased reliance on telework and remote working also invariably entails cybersecurity risks. For example, network vulnerability is an issue where employees access work systems via unsecured home or public networks, which are vulnerable to unauthorized third-party eavesdropping or access. The use of personal devices, in particular, may be problematic, due to the fact that consumer-grade antivirus protection may not be sufficient against sophisticated cyberattacks. In addition, data loss may result where employees, for ease of accessibility during remote work, forward sensitive business or client information to personal accounts. Data loss may also occur with the theft of devices containing such information. Companies should review their cybersecurity plans and practices, test remote access and continuity of operation capabilities, and remind employees of their responsibilities to safeguard company networks and information.