As the coronavirus pandemic takes its terrible toll, in both human life and livelihoods, governments, public-health authorities, companies, and individuals have responded with extraordinary measures. To protect the health of individuals, governments and institutions have put in place restrictions on movement and mechanisms for health tracking and reporting. These mechanisms, including contact-tracing and self-reporting apps, some of which record and transmit personal health information, underscore the deepening importance of data protection and privacy in this crisis.
With the advent of the European General Data Protection Regulation (GDPR) in 2018 and the possible “ePrivacy Regulation,” companies and institutions have increased their data awareness. These new regulations enforce stricter rules on privacy and data protection, setting new standards, in the words of the GDPR, for the “rights and freedoms of data subjects” around the globe. During the pandemic, government authorities and corporations have had to balance two priorities: protecting public health and protecting personal privacy. Some measures designed to limit the spread of the virus and potentially save lives could also have serious human-rights implications.
While many public-health measures do not require data collection, others could encroach upon the safeguards that protect individuals’ personal data. Government officials and corporations can find themselves on the horns of a dilemma, so to speak, contemplating measures to reduce the spread of the virus that would at the same time drastically curtail the rights and freedoms of the people whose lives they seek to protect. The following discussion draws on the recent European experience of this public health–personal privacy dilemma. Events still move quickly, and our analysis reflects experience at a specific point in time (May 2020) in the history of the pandemic.
In the pandemic, IT departments have faced completely new challenges, as entire workforces were sent home to work remotely. Companies must now maintain the security of their systems, software, and data outside the centralized, well-controlled corporate network, while also meeting GDPR requirements on appropriate technical and organizational cyber protections. Employees are using individual connections to reach corporate networks, while IT departments struggle with rapid and unplanned scaling-up of infrastructure. New and untested features, alongside suboptimal controls, are being used to keep business operations running.
An understanding of the cyberrisks inherent in the new network arrangements is still emerging. Suspicious domains purporting to concern COVID-19, selling fake cures or circulating malware, have proliferated at an alarming rate.1 Government entities and corporations are now developing protective measures against these threats, involving new tools, awareness, and training.
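One protective measure a security team can put in place against the pandemic-themed domains described above is a simple review queue built from its own DNS logs. The following is an added example, not code from the article or from any vendor; the log line format, the keyword list, the homoglyph substitutions, and the safelist of legitimate health-authority domains are all assumptions, and the log lines are constructed.

```python
import re

# Constructed sample resolver log (not from the article); assumed format:
# <timestamp> <client_ip> <queried_domain>
SAMPLE_DNS_LOG = """\
2020-05-04T09:12:01Z 10.0.5.23 www.who.int
2020-05-04T09:12:07Z 10.0.5.23 covid19-cure-shop.example
2020-05-04T09:13:44Z 10.0.7.9 mail.corp.example
2020-05-04T09:14:02Z 10.0.7.9 c0r0navirus-update.example
2020-05-04T09:15:19Z 10.0.5.23 coronavirus.cdc.gov
"""

# Assumed lure vocabulary; tune short terms against benign hits before use.
PANDEMIC_TERMS = ("covid", "corona", "ncov", "pandemic", "vaccine")

# Digit-for-letter substitutions that defeat a naive substring match.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Assumed known-good suffixes whose names legitimately contain these terms.
SAFELIST_SUFFIXES = ("who.int", "cdc.gov", "corp.example")

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalise(domain):
    """Lower-case, drop a trailing dot, and undo digit-for-letter look-alikes."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS)


def is_safelisted(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in SAFELIST_SUFFIXES)


def matched_terms(domain):
    n = normalise(domain)
    return [t for t in PANDEMIC_TERMS if t in n]


def flag_pandemic_lookups(log_text):
    """Return one record per query to a non-safelisted domain with a pandemic-themed name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, domain = m.groups()
        if is_safelisted(domain):
            continue
        terms = matched_terms(domain)
        if terms:
            hits.append({"ts": ts, "client": client, "domain": domain, "terms": terms})
    return hits
```

The output is a review list for analysts, not a block decision; newly registered domains on it are the ones worth checking first.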
Companies are providing employees with laptops, mobile phones, and other necessary equipment for secure virtual-private-network (VPN) connections so that they can work remotely. Employers must also provide employees with an array of other technical features to secure their networks. These include patch and configuration management for relevant systems, multifactor authentication and secure-access management, on-premises application security for remote access, device virtualization, capacity and security monitoring, and contingency resources (to limit the effects of failures and breakdowns).
Employees need to be informed about the special technical features enabling secure remote operations and trained as required in their use. The importance of security in working remotely must be stressed, and use of the VPN made mandatory. Employers must also provide guidelines on a number of related topics: restricting the use of personal devices, recommending particular software applications, requiring adequate password protection, and formulating instructions for protecting hardware and hard copies of documents.
Employees should also be educated about the rising level of coronavirus-related cyberthreats, including potential responses and incident handling. Employers should be working to make sure that risk-averse behavior becomes the norm in these extraordinary times. Experience has shown that messages on data protection and compliance are best transmitted in ongoing communication efforts rather than in time-limited campaigns.
Companies are making a number of adjustments to ensure a balanced approach to data privacy and health protection in the COVID-19 context. In our view, three actions will best support deliberate decision making on data privacy and cybersecurity during the COVID-19 dislocations.
- Include a data-privacy leader in the organization’s COVID-19 response team to ensure early evaluation and discussion of possible measures affecting data privacy. This leader (likely the data-privacy officer, for those organizations that have one) should also be charged with making any necessary trade-offs between privacy and public-health needs, designing regional variations as required.
- Provide IT departments with the resources needed to support employees working securely from home. Companies will likely have to expand their network and videoconferencing capacity with vendor-supplied services. These should meet internal security standards without exceeding bandwidth limitations.
- Establish dedicated support and training in risks and mitigating measures for remote working, including clear ongoing communications. This work should include focused efforts with appropriate vendors to find possible security gaps and to develop solutions for closing them.
Taking these actions will help enable clear direction and guidance on health and privacy measures, and go a long way to stabilizing operations for the duration.