This article was co-authored by partners Megan L. Brown and Matthew J. Gardner and associate Kathleen E. Scott, all members of Wiley Rein LLP’s Privacy, Cyber & Data Governance Practice.
As businesses adjust to the “new normal” in the ongoing COVID-19 pandemic, it is important to quickly take stock of where your organization stands on privacy and security risk. Even in these unusual circumstances, organizations of all sizes and sophistication continue to be expected to act with reasonable care and comply with their public commitments and regulatory obligations.
Enterprises may be finding different or better ways to operate, collaborate, and service customers. But state regulators, privacy advocates, class action lawyers, and the #twitterverse are ready to call organizations out, so it is prudent to think about your practices from the lens of a state or federal regulator or a customer. As a California official reportedly said, “We encourage businesses to be particularly mindful of data security in this time of emergency.”
Here are ten things to think about:
- Is your organization collecting information now that you were not before, or using existing data sets in new ways? Is the organization deploying biometrics to ease customer or employee experiences? Are you seeing new types of users, like children, whom you were not previously targeting? It is important to communicate with your product and sales teams to be sure the company isn’t changing business practices without updating relevant policies and, if required, obtaining the proper consents.
- Review your online representations about privacy and security to ensure continued accuracy. The FTC does not hesitate to investigate companies for misrepresenting their practices, and the Attorneys General of California and New York have not given any indication that they are deferring enforcement during the pandemic, so be careful to ensure your Privacy Policy and other representations are up to date and accurate. This is particularly important if you are doing creative new things with data or your services.
- Ensure any new internal practices (communications tools, shared drives, folders for remote access, devices to help employees stay connected) are covered by your enterprise risk management, privacy risk management, and cybersecurity risk management planning. You may need to update your DLP, BYOD, IT security, or employee conduct policies to address teleworking, use of personal devices, and remote access to resources.
- Review contracts. Contracts were a risk area even before the pandemic. The rush to secure business or meet customer needs could cause a company to inadvertently assume additional risks or agree to imprudent provisions. Onboarding new vendors in a hurry could result in increased or different third-party access, or result in unexpected sharing or transfers of data.
- Ensure your IT and security teams are empowered to be proactive and identify issues as they arise. “Patch fast” is something that is easy to say and hard to do. Remind your IT team to stay as up to date as they can on patching and updates and see that they have the resources to prioritize.
- Make sure your executive team, management, and Board of Directors continue to get meaningful security updates. This may be easy to overlook as you manage your way through the pandemic, but it is important, as the Securities and Exchange Commission makes clear.
- Take a look at your incident response plan and consider how you would use it if your team is remotely deployed. Are the steps in it workable or do you need to adjust it? You may not need to rewrite it, but you may need to create workarounds, re-assign responsibilities, or lean more heavily on third parties like forensics teams in an incident or breach. Even if you don’t change a thing, considering your plan’s adequacy under this current set of circumstances is a reasonable and prudent step.
- Consider joining information-sharing groups and working with government stakeholders, like DHS’s Cybersecurity & Infrastructure Security Agency (CISA), to receive updates. This has been a mainstay of government advice for a while, and resources exist for organizations at all levels of cyber maturity: https://www.us-cert.gov/ncas, https://www.nationalisacs.org/, https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/basics and https://www.uschamber.com/cyber-resources.
- Remind employees to be vigilant. This may seem obvious, but it is important. Verizon’s Data Breach Incident Report reminds us that phishing remains the major threat action. Business email compromise has been a major headache, and the current environment makes it more of a concern as companies scramble to get paid, sign up customers, and work remotely. Examples of bad actors exploiting technology range from COVID email scams to Zoom-bombing. Don’t overlook the basics. Employees should pick up the phone to verify transactions, avoid posting sensitive information or meeting details publicly, and be extra cautious.
- Consider how the organization will deal with third-party reports of vulnerabilities or issues. You may have a bug bounty program or vulnerability disclosure plan, but many companies do not. Companies can find themselves on the receiving end of critical press or government probes when they don’t quickly respond to reports of security issues. This may be difficult with your team far-flung.
Companies are trying to maintain operations in challenging circumstances, but privacy and security cannot take a back seat. State AGs have made clear that they will continue to police the private sector’s privacy and security practices: California AG Becerra refused a request to forbear from enforcing the California Consumer Privacy Act for actions taken during the pandemic, and the New York AG has raised questions about a popular video communications platform. And privacy and security class actions are still being filed. Taking these steps now to ensure that your organization’s privacy and security programs are keeping up with the fast-evolving landscape of the pandemic can improve your posture and reduce regulatory exposure.