You may be wondering if data privacy still holds the same importance and relevance now as before the COVID-19 pandemic: does it create new concerns, or is data privacy being tabled until after this crisis is resolved?
With “non-essential” employees around the globe being mandated to work from home, technology and information security may not be as strong as in office settings, and the risk of exposure of sensitive information may be greater. In this environment, firms need to remain vigilant: neglecting data privacy is not an option.
Are Regulators Easing Up Because of the Crisis?
Regulatory organizations have indicated a certain amount of understanding regarding the fulfillment of privacy compliance obligations during the pandemic. For example, the UK’s Information Commissioner’s Office (ICO) has stated, “We understand that resources…might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” Similarly, the U.S. Department of Health and Human Services (HHS) has indicated a limited waiving of certain Health Insurance Portability and Accountability Act (HIPAA) requirements to facilitate better data sharing and patient care during the crisis.
Regulatory agencies and bodies (e.g., SEC, FTC, California Attorney General) still recommend vigilance and adherence to data privacy and security best practices, because the relaxed enforcement of data privacy regulations and data subject rights fulfillment is temporary. The rules will be enforced in the future; not attending to them with seriousness and purpose will likely have consequences down the line. What’s more, while enforcement may lag, the requests for data from individuals probably will not slow down. After all, people have more time at home to pursue these matters.
Furthermore, it would be wise for companies who have been developing their privacy and data subject rights capabilities in anticipation of new privacy regulation to continue this work as much as possible. Stopping in the middle of this effort may serve as an open door for intruders and criminals intent on taking advantage of the situation.
The Bigger Concern: Data Breaches
Although privacy compliance in general and data subject rights in particular have been a key focus of many companies, the ever-present threat of a data breach and the inappropriate loss or disclosure of personal information remains a much greater concern than enforcement of the data subject rights fulfillment process.
Penalties and the huge fines associated with exfiltration of data remain in effect during the pandemic. As a reminder, under the California Consumer Privacy Act (CCPA), consumers can demand statutory damages within a range of $100-$750 per consumer, per incident. Under the General Data Protection Regulation (GDPR), data breach penalties can total €10 million, or up to 2% of the annual global turnover of the preceding financial year, whichever is greater. And these numbers do not even include the private right of action available to impacted individuals.
Beyond the regulatory fines, research indicates that data breaches cause tremendous damage in other ways. The recent average cost for a U.S. data breach reached $7.91 million. The reputational damage in lost confidence, negative press, identity theft and customer support can be staggering. 65% of data breach victims report losing trust in the affected companies, and 85% tell others about it.
Cybercrime Related to COVID-19 is on the Rise
Unfortunately, statistics indicate that cybercrime is up as a result of the pandemic. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of the huge increase in pandemic-related cybercrime. Similarly, the Check Point security firm announced that over 4,000 coronavirus-related domains have been registered worldwide since January, of which 3% were found to be malicious, and 5% suspicious. The World Health Organization (WHO) has put out an alert warning the public of imposters who have been impersonating WHO members in phishing attempts, with new reports arriving daily.
Data Privacy Security Tips
The need for safety regarding data security is stronger than ever. Here are some things individuals and companies can do to heighten data security during the pandemic:
- Secure home Wi-Fi networks
- Make sure that passwords are secure
- If possible, segment the home Wi-Fi between home and work users
- Connect using a virtual private network, not just Wi-Fi
- Always use secure mechanisms (e.g., encryption, secure portal transfer) for the online transfer of data
- As much as possible, secure communications with coworkers, vendors, third parties and investors
- Conduct conversations in private spaces
- Close doors
- Use headphones
- Shred printouts
- If possible, lock door to office
- Keep devices and documentation in a secure space
- Follow online conferencing best practices
- Maintain a company-wide patching program that extends to work from home devices
- Refresh company training regarding protection against phishing and other social engineering schemes
- Refresh, review, and maintain strict cyber security policies for all team members working from home.
Data Privacy During COVID-19
While regulators have indicated that they may be understanding of difficulties in meeting data privacy compliance obligations, it is important to recognize that this leniency in enforcement is only temporary. Data breaches, on the other hand, will not be treated with leniency.
With a concurrent rise in cybercrime, and with greater risks to data security due to the mass disruptions in how business is conducted, there is no room for companies to relax their data privacy standards. Protecting how personal and sensitive information is used and secured continues to be essential.
ACA is actively monitoring the developments related to COVID-19 and producing resources to help your firm address operational challenges created by this pandemic. Visit our COVID-19 Resources page to access all of the resources we've developed that may help your firm navigate through the restrictions in place to curb the pandemic.
To learn more about working from home safely, you may also be interested in attending our Working from Home: Emerging Threats & Mitigation Strategies Webcast on Friday, April 17, 2020 at 11:00 AM EST.
How We Help
ACA offers the following solutions that can help firms enhance their cybersecurity in light of COVID-19 related cybercrime and maintain data privacy:
- CCPA Resources
- GDPR Resources
- Free Online Cybersecurity Training
- Phishing testing and cyber awareness
- Penetration testing and vulnerability assessments
- Threat intelligence
- Cyber incident response planning
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.