Written By: Bryce Hoyt
In the wake of all the massive changes due to COVID-19, the IAPP (International Association of Privacy Professionals) partnered with EY (Ernst & Young) to launch a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. They conducted a survey on a total of 933 privacy professionals between April 8th and 20th.[1] Although working remotely was not entirely unfamiliar for many people, according to their findings, 45% of organizations have adopted a new technology or contracted with a new vendor to enable remote work due to the pandemic.[2]
Due to the severity and urgency of combating such a pandemic resulting in “stay at home orders,” around 60% of organizations rolling out new “working from home” (WFH) technology either skipped or expedited a privacy or security review.[3] On top of existing obligations, the pandemic demanded privacy professionals to add an array of new concerns to their agenda. When asked how organizations’ priorities have changed, about half (48%) said that safeguarding against attacks and threats has become more of a priority for them.[4] Understandably, many otherwise cautious citizens are now required to navigate most of their life through a technological space that is somewhat unfamiliar, not to mention, likely on a less secure at-home network.
Unsurprisingly, a recent study by the Information Systems Audit and Control Association found that many companies are seeing an increase in the number of cyberattacks since the pandemic began.[5] Additionally, since January 1st the FTC has received over 61,000 reports amounting to over $45 million in total fraud losses.[6] The top four categories of complaints include, (1) travel and vacation related reports about cancellations and refunds, (2) reports about online shopping issues, (3) mobile texting scams, and (4) government and business imposter scams.[7] Many of the phishing scams have targeted college students and international supply chain companies.[8] The scam often takes the form of an email, claiming to provide important information and resources relating to things such as the coronavirus relief fund (CARES Act) or providing fake health advice or vaccine information from the Center for Disease Control (CDC).[9] These emails often have you “login” through an unprotected link where they obtain your personal information or have you download a document which installs a form of malware to your desktop and can further obtain personal information and track your activity.[10]
Hacking has also been on the rise—now targeting organizations in the healthcare sector. Among those who have been attacked, the University of California San Francisco (UCSF), who has been instrumental in sampling and antibody testing for COVID-19, has confirmed that it was the target of a ransomware attack.[11] Ransomware attacks generally gain access to secured information and threaten to publish or delete the data unless a monetary payment is made.[12] Additionally, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a Public Service Announcement warning organizations researching COVID-19 that they may have been compromised by Chinese cyber threat actors.[13] It appears the race to find a cure has resulted in international intelligence gathering and potential intellectual property theft, however, most of these incidents are still under investigation.
Along with the embarrassing unintended consequences that result from working behind a webcam at home—additional privacy concerns arise when having otherwise protected and privileged conversations at work, are now done at home using a virtual program. For example, therapy sessions, confidential business meetings, college courses/exams, and court hearings are all being held online and the reliability of protection of that data is being questioned.[14] There’s a saying in Silicon Valley, “[i]f the product is free, you are the product.”[15] Many of the videoconferencing companies have been quickly trying to adjust and adapt to the rapid demand and concern for their product, battling complaints and even lawsuits for alleged faulty data protection.[16]
The standout brand Zoom, who we’ve all become familiar with, experienced a surge of 200 million users in March compared to just 10 million the previous year.[17] Despite many companies seeking to extend the enforcement date of The California Consumer Privacy Act (CCPA) out of fear that they are not prepared to deal with the potential data requests due to coronavirus—California’s Attorney General Xavier Becerra’s office has made it clear that enforcement is still set to begin on July 1.[18] Furthermore, the European Data Protection Board (EDPB) released a statement regarding the processing of personal data in the context of the pandemic, clarifying the role of the General Data Protection Regulation (GDPR) during this emergency.[19] The statement emphasized the lawfulness of processing personal data in the context of such an emergency, reiterating provisions such as Article 23—which allows competent public health authorities and employers to process otherwise protected health data for reasons of substantial public interest as it relates to public health.[20] This means that companies are permitted to collect and share information relevant to their employees status of COVID-19 to ensure public safety, so long as such collection is properly limited and not communicated beyond what’s necessary; urging companies to aggregate and anonymize the data when possible.[21] According to those surveyed by the IAPP, about 19% of organizations have shared the names of staff diagnosed with COVID-19 with a third party.[22]
Moving forward, organizations and privacy professionals are working around the clock to ensure compliance with privacy legislation like the GDPR and CCPA and are attempting to resolve the issues above as quickly as possible. For example, Google is working with the World Health Organization (WHO) to implement safeguards against the new phishing and malware threats.[23] The FTC is also increasing its efforts to raise awareness of these scams, creating new guides and resources for the general public to better navigate the “new normal.”[24] The FTC is also sending warning letters to any company falsely promoting a cure or treatment for COVID-19, creating a list of all companies making false claims.[25] The Senate also announced they intend to introduce federal privacy legislation that will preempt state privacy laws, coined the “COVID-19 Consumer Data Protection Act.”[26] This act is intended to help regulate the data collection and processing of personal information in connection with the pandemic.[27]
The balancing act between privacy and pandemic interests carries on and only time will tell the reasonableness of the response. In the meantime, governments and privacy professionals are keeping an eye on the new technologies being implemented such as thermal imaging, contact tracing, and video surveillance. Many of us remain hopeful that regardless of the efficacy of this emergency privacy legislation, there appears to be a growing societal and governmental concern and acknowledgment for protecting privacy interests.
[1] Müge Fazlioglu, Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing, International Association of Privacy Professionals (May 2020), https://iapp.org/media/pdf/resource_center/iapp_ey_privacy_in_wake_of_covid_19_report.pdf.
[2] Id. at 5.
[3] Id.
[4] Id.
[5] ISACA, ISACA Survey: Cybersecurity Attacks Are Rising During COVID-19, But Only Half of Organizations Say Their Security Teams Are Prepared for Them, ISACA (April 2020), https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2020/isaca-survey-cybersecurity-attacks-are-rising-during-covid-19.
[6] Fed. Trade Comm’n, Coronavirus (COVID-19) Consumer Complaint Data (2020), https://www.ftc.gov/system/files/attachments/coronavirus-covid-19-consumer-complaint-data/covid-19-daily-public-complaints-060220.pdf.
[7] Id.
[8] See Sherrod Degrippo, Coronavirus-themed Attacks Target Global Shipping Concerns, proofpoint (Feb. 10 2020), https://www.proofpoint.com/us/threat-insight/post/coronavirus-themed-attacks-target-global-shipping-concerns. See also Ari Lazarus, COVID-19 scams targeting college students, Fed. Trade Comm’n (May 27, 2020), https://www.consumer.ftc.gov/blog/2020/05/covid-19-scams-targeting-college-students.
[9] See Lazarus, supra note 8. See also Steve Symanovich, Coronavirus phishing emails: How to protect against COVID-19 scams, NortonLifeLock (2020), https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html.
[10] Id.
[11] Kartikay Mehrotra, Hackers Target California University Leading Covid-19 Research, Bloomberg (June 3, 2020), https://www.bloomberg.com/news/articles/2020-06-04/hackers-target-california-university-leading-covid-19-research.
[12] Id.
[13] Chinese Malicious Cyber Activity, Cybersecurity & Infrastructure Security Agency (2020), https://www.us-cert.gov/china.
[14] The Editorial Board, Privacy Cannot Be a Casualty of the Coronavirus, The New York Times (Apr. 7, 2020), https://www.nytimes.com/2020/04/07/opinion/digital-privacy-coronavirus.html.
[15] Id.
[16] Hurvitz v. Zoom Video Communications, Inc., No. 2:20-cv-03400, (C.D. Cal. Apr. 12, 2020), https://loevy-content-uploads.s3.amazonaws.com/uploads/2020/04/Todd-Hurvitz-et-al-v.-Zoom-et-al.pdf.
[17] The Editorial Board, supra note 11.
[18] Dustin Gardiner, Coronavirus sparks new fight over California’s internet privacy law, San Francisco Chronicle (May 5, 2020), https://www.sfchronicle.com/politics/article/Coronavirus-sparks-new-fight-over-California-s-15246541.php.
[19] Andrea Jelinek, Statement on the processing of personal data in the context of the COVID-19 outbreak, European Data Protection Board (Mar. 19, 2020), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
[20] Id.
[21] Id.
[22] Fazlioglu, supra note 1.
[23] Kim Lyons, Google saw more than 18 million daily malware and phishing emails related to COVID-19 last week, The Verge (Apr. 16, 2020), https://www.theverge.com/2020/4/16/21223800/google-malware-phishing-covid-19-coronavirus-scams.
[24] Fed. Trade Comm’n, Coronavirus Advice for Consumers, Fed. Trade Comm’n (2020), https://www.ftc.gov/coronavirus/scams-consumer-advice.
[25] Lesley Fair, 45 more companies get coronavirus warning letters, Fed. Trade Comm’n (May 7, 2020), https://www.ftc.gov/news-events/blogs/business-blog/2020/05/45-more-companies-get-coronavirus-warning-letters.
[26] Glenn Brown, Senate to Introduce “COVID-19 Consumer Data Protection Act”, The National Law Review (May 6, 2020), https://www.natlawreview.com/article/senate-to-introduce-covid-19-consumer-data-protection-act.
[27] Id.