Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19.  But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts.  We describe below both privacy implications of disclosing data to government authorities and commercial partners and strategies to manage COVID-19 risk by collecting additional information about employees and visitors, as well as the cybersecurity implications of these outbreak prevention and management efforts.

  • Our professionals around the globe have been advising clients on the privacy risks of disclosing health and other personal data to public health authorities and other government agencies.  As we blogged about here, regulators at many different levels of the Chinese government have been actively collecting personal data to monitor and mitigate the spread of the virus, and that’s now happening across the globe.  Other public health agencies worldwide are requesting information from private companies to assist with containing or mitigating the spread of the virus.  For example, they may seek information about a person’s contacts in order to conduct contact tracing of an infected person.  Although public health agencies generally have broad information-gathering authorities, these laws typically do not overcome privacy laws that restrict disclosures of personal or other sensitive information.  Companies may need to consider how to mitigate these legal risks before responding, particularly where more detailed information is requested.
  • Many companies are considering various kinds of measures to mitigate the spread of the virus to employees and visitors that involve the collection of travel history or health information.  The relevant privacy and employment law considerations vary by jurisdiction, but a key question is whether the information gathering is a proportionate and reasonable response.  For example, in the United States, the Americans with Disabilities Act imposes relevant restrictions, including limiting when employers may conduct “medical examinations” of employees and protecting confidential medical information.  Our recent posts on guidance issued by the French, Italian, and Danish regulators highlight the privacy risks that exist for companies in Europe, where a key question is whether there is an appropriate lawful basis to capture the additional information.  Where sensitive health information is at issue, companies will need to consider whether the data collection is permissible under Article 9 of GDPR.
  • We also are seeing circumstances in which commercial partners request that personal data is shared or exchanged in connection with virus prevention and management efforts.  This type of commercial sharing of personal information amplifies the privacy risks described above.  Companies will need to consider how to mitigate the legal risks of sharing sensitive information, such as through data minimization and contractual controls.
  • In addition, the collection of additional personal data and its sharing with government authorities and commercial partners may raise new cyber risks for organizations.  Cyber criminals are opportunistic and may seek to capitalize on coronavirus-related fears.  The experience in China has been illustrative.  There have been widespread reports of cybercriminals disseminating Remote Access Trojans disguised as files or documents that seemingly provide new notifications or updates regarding COVID-19.  These Trojans are typically EXE installers intended to steal information from users’ computers or mobile devices or perpetuate ransomware.  We also have seen other types of fraud and cybercrime, including fraudulent text messages that flights have been cancelled due to the COVID-19 outbreak.  The text messages contain a phone number provided by the cybercriminals to handle “administrative matters” in relation to the cancellation.  The goal of the attacks is to obtain payment card and other sensitive information.  Companies should remind their workforces about the need to verify the source of emails or text messages before clicking on links or opening attachments or taking some other action that could lead to financial loss.

The increased reliance on telework and remote working also invariably entails cybersecurity risks.   For example, network vulnerability is an issue where employees access work systems via unsecured home or public networks, which are vulnerable to unauthorized third-party eavesdropping or access.  The use of personal devices, in particular, may be problematic, due to the fact that consumer-grade antivirus protection may not be sufficient against sophisticated cyberattacks.  In addition, data loss may result where employees, for ease of accessibility during remote work, forward sensitive business or client information to personal accounts.  Data loss may also occur with the theft of devices containing such information.  Companies should review their cybersecurity plans and practices, test remote access and continuity of operation capabilities, and remind employees of their responsibilities to safeguard company networks and information.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.