A Checklist for Key Current Privacy & Data Security Issues: Questions to Ask Now

By Justine Young Gottshall and Mark Paulding

While most businesses are busy adjusting to the fallout from the COVID-19 pandemic, it is critically important that they do not disregard data privacy and security issues. Regulators are continuing to enforce data protection laws aggressively. For example, California Attorney General Xavier Becerra has rejected industry appeals to delay the enforcement date for the California Consumer Privacy Act (CCPA), which occurs on July 1, 2020. In addition, Attorney General Becerra published a reminder to California residents about their rights (such as the right to request access to and deletion of personal information held by businesses) under CCPA on April 10, 2020. We have also seen several recent class action lawsuits filed over privacy and data security issues, such as claims against Zoom and Epic Games, the publisher of the House Party application. Remember that issues that are not addressed in the near term may become significant liability issues down the road. We should anticipate that regulators and class action lawyers will look even more closely at how privacy and data security issues were handled during the pandemic crisis once the immediate risks have passed and life begins to return to normal.

Here are some key questions to ask now:

    1. ASK: Are we using new technologies that may be tracking employees or consumers?

    Efforts to maintain businesses, such as expanded use of automated calls and text messages, web-conferencing services, and employees working from home, may expand existing legal risks and/or create new legal risks. Organizations should be aware of their responsibilities and liabilities related to the processing of personal information about consumers, confidential business information, and trade secrets. And, they should be cautious about the ways that these COVID-19 mitigation measures may affect their responsibilities and liabilities as an employer. Questions to consider include:

    • What information is being collected by third party technology partners? Do we have proper security representations in our contracts? Are we clear how that information may be shared?

    • Are there material disclosures we should be making upfront to consumers or employees? Do we need consent?

    • Are we tracking our employees or how much they are working? Is there any biometrics data collected?

    • Do we need updates to our employee privacy policy?

    • Are we requiring use of third party platforms with their own terms and, if so, are there onerous or concerning provisions? Are there compliance risks associated with compelling workforce members to use certain tools (or features of certain tools) as a condition of their employment?

    2. ASK: Are we using video or web-conferencing tools?

    Many organizations have quickly adopted web conferencing tools, such as Zoom, Skype, Google Hangouts, and Microsoft Teams, to facilitate communication between people in lieu of direct meetings. However, organizations should be cautious when using these types of services, particularly where more sensitive conversations may be involved. The sudden increase in use may expose security vulnerabilities in these tools. It will be important to monitor the occurrence of and response to security vulnerabilities, to make sure that they are addressed in a timely fashion. It will also be important to implement all reasonable privacy and security settings offered by the web conferencing tools to mitigate risks to personal information and sensitive business information. Lastly, organizations should be conscious of any new personal (or otherwise sensitive) information that will be collected while using web conferencing tools. For example, recorded web sessions may introduce new stores of information about your workforce. Therefore, organizations should make sure they have proper consent for the collection of such information and procedures for the secure storage and/or sharing of such data. This is particularly crucial if a company requires its employees to use these tools as a part of their job.

    3. ASK: Are there data security legal requirements to address related to our employees working from home?

    Expanded adoption of work from home may also introduce a number of legal risks that should be addressed in a timely manner. Many employee-owned devices may not be hardened in the same manner as company-owned devices. Therefore, these poorly hardened devices may expose business networks to increased risks of infiltration by cybercriminals. In addition, employee personal devices may lack the full disk encryption that would be integrated into company devices. In order to address these risks, companies should take measures to further prepare their workforce and their information systems. This is not solely an IT issue. There are key legal requirements that must be met.

    i. Activity Monitoring and Incident Response

    Businesses should aggressively monitor activity on their networks, including employee devices newly introduced by expanded work from home. Moreover, organizations should be very diligent about investigating suspicious behavior detected by such activity monitoring and remediate potential breaches as quickly and efficiently as possible. Businesses should consider retaining third party security operations services to supplement their ability to detect and investigate suspicious activity. They should consider retaining a computer forensics service as well, so that a forensic investigation and remediation can be implemented as quickly as possible when a potential breach is identified. In our experience, a major contributing factor to the legal and financial liability associated with a breach is how quickly a breach is detected, contained, and remediated.

    ii. Multifactor Authentication

    Moreover, businesses should adopt multifactor authentication for all workforce members who connect to company computer assets remotely. If the business has not already implemented multifactor authentication, there are a number of free third party authenticator applications (such as Microsoft Authenticator and Google Authenticator) that can be readily installed on any mobile phone and used by workforce members working from home.
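    The authenticator applications mentioned above (Google Authenticator, Microsoft Authenticator) implement time-based one-time passwords (TOTP, RFC 6238) on top of HMAC-based one-time passwords (HOTP, RFC 4226). The following Python is an added illustration, not code from the article or from any of those products, of what the server side of such an enrollment and verification looks like: generating the enrollment URI that the phone app scans, computing the six-digit code, and verifying a submitted code with a small clock-drift window and a replay check. The secret used is the published RFC test secret; the function and parameter names (`hotp`, `totp`, `verify_totp`, `enrollment_uri`, `last_counter`) are assumptions for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# A real deployment generates a fresh random secret per user, e.g. secrets.token_bytes(20).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, for_time: float, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Return the time-step counter that matched, or None.

    `window` accepts codes from adjacent steps to tolerate phone clock drift.
    `last_counter` (the counter of the last accepted code, stored per user) makes a
    code single-use: anything at or before it is rejected even if it still matches.
    """
    counter = int(for_time) // step
    for candidate in range(counter - window, counter + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue  # replay of an already-consumed code
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def enrollment_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI (the content of the QR code an authenticator app scans at enrollment)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30"


if __name__ == "__main__":
    # Enrollment: the server stores the secret and shows this URI as a QR code.
    print(enrollment_uri("ExampleCorp", "alice@example.com", RFC_TEST_SECRET))
    # Login: the phone app shows totp(secret, now); the server verifies it.
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "-> accepted at step", verify_totp(RFC_TEST_SECRET, code, now))
```

    The replay check matters in practice: without `last_counter`, a code phished from a user in the current 30-second step is still valid for the attacker within the same window. Storing the last accepted counter per user closes that gap at no cost to legitimate logins.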

    iii. Trusted Platforms

    Employees should be encouraged to conduct their work through secure platforms, such as logging into the company network through a secure VPN or via a trusted third party cloud service provider. It is particularly important that employees store any sensitive personal information or critical business information in secure company servers or cloud services. These steps will mitigate the risk that sensitive information is compromised in the event that an employee’s personal device is lost or stolen. Use of trusted VPNs or cloud services will also make it easier to implement the activity monitoring and incident investigation steps mentioned above.

    iv. Policies and Procedures

    Finally, organizations should review their data privacy and security policies and procedures to make sure that they are appropriate for the current circumstances. For example, assess whether the breach response, acceptable use, remote access, and/or employee personal device policies are appropriately calibrated. This includes making sure that the policies and procedures will mitigate reasonably foreseeable risks and can be implemented for all relevant company and employee-owned devices. Privacy and security training programs should be reviewed and updated to make sure that they reflect the new ways that employees are performing their work. For example, employees should be trained on recognizing and responding to phishing emails and watering hole attacks designed to target people working from home.

    4. ASK: Have we addressed the CCPA associated issues?

    New ways of working mean that there may be new third parties to assess and bring into CCPA compliance programs, whether service providers, other business partners, or entities with whom a company may engage in a “sale” of data. Consider if there are contract provisions needed to address CCPA compliance and whether you may need to expand how you are conducting searches for access and deletion requests, to take into account new third parties or how your employees are working remotely.

    5. ASK: Are our policies and contracts up to date?

    Corporate policies and procedures, and third party contracts, will be scrutinized in the event of an incident leading to a regulatory investigation or lawsuit. It is key to make sure that the essential policies and key contracts are up to date, accurate, and reflect all legal requirements.

    6. ASK: Are we targeting minors or children, including students?

    As more consumer engagement moves online, be aware that there are regulations triggered when targeting or knowingly collecting information from users who are younger than 13, younger than 16 and, in some cases, younger than 18. Businesses that serve youth audiences (or plan to reach out to youth audiences) should make sure that all appropriate compliance measures are in place. In particular, note that COPPA, which regulates the collection of personal information from children younger than age 13, has been aggressively enforced by the Federal Trade Commission, and we do not expect any cessation of enforcement during the pandemic. In addition to COPPA and other laws that apply to minors, there are also federal (FERPA) and state regulations that govern the collection and use of information collected from students. As more and more students are doing e-learning, consider those statutes carefully if you have an e-learning product or service or you are working directly with schools.

    7. ASK: Are we diving into other regulated industries?

    Businesses in regulated fields should maintain all appropriate compliance procedures. For example, as companies pivot to new business models, consider whether specific statutes may apply, particularly those related to regulated industries like alcohol, financial services, and health-related data, as well as e-commerce-related regulations and statutes and, as discussed above, any activity targeted to minors.

    8. ASK: Am I using new technologies to communicate with consumers?

    Have I expanded my direct marketing programs? Remember that emails and, to an even greater extent, phone calls/text messages/faxes are subject to specific regulation. If you are using these communication methods for the first time or expanding how you use them to communicate with your customers, it is essential to make sure you are doing so legally, taking into account consumer consent, opt-outs and regulations in certain jurisdictions that take effect during declared states of emergency. Consider carefully whether your messaging is truly transactional or subject to an emergency exception. Some businesses may choose to use automated calls, text messaging, and/or faxes to communicate with consumers about changes to their business resulting from the pandemic (such as changes in service times and dates). These communications are subject to the TCPA, which includes a private right of action. Businesses should make sure that any communications are made within the scope of the consent that they have on hand or combined with appropriate new consents.

    9. ASK: Have we had significant growth in our online presence?

    If so, it is likely time to make sure that all key compliance steps are being taken in order to avoid a potential regulatory action or class litigation. Often significant growth, updated websites, apps and online services, and new features or ways of interacting with consumers can lead to inadvertent non-compliance. And, as Zoom recently discovered, with tremendous growth comes much greater scrutiny. It is important to make sure that key privacy and data security issues are addressed even during, or perhaps more importantly during, difficult times.