Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19.  But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts.  We describe below both privacy implications of disclosing data to government authorities and commercial partners and strategies to manage COVID-19 risk by collecting additional information about employees and visitors, as well as the cybersecurity implications of these outbreak prevention and management efforts.

  • Our professionals around the globe have been advising clients on the privacy risks of disclosing health and other personal data to public health authorities and other government agencies.  As we blogged about here, regulators at many different levels of the Chinese government have been actively collecting personal data to monitor and mitigate the spread of the virus, and that’s now happening across the globe.  Other public health agencies worldwide are requesting information from private companies to assist with containing or mitigating the spread of the virus.  For example, they may seek information about a person’s contacts in order to conduct contact tracing of an infected person.  Although public health agencies generally have broad information-gathering authorities, these laws typically do not overcome privacy laws that restrict disclosures of personal or other sensitive information.  Companies may need to consider how to mitigate these legal risks before responding, particularly where more detailed information is requested.
  • Many companies are considering various kinds of measures to mitigate the spread of the virus to employees and visitors that involve the collection of travel history or health information.  The relevant privacy and employment law considerations vary by jurisdiction, but a key question is whether the information gathering is a proportionate and reasonable response.  For example, in the United States, the Americans with Disabilities Act imposes relevant restrictions, including limiting when employers may conduct “medical examinations” of employees and protecting confidential medical information.  Our recent posts on guidance issued by the French, Italian, and Danish regulators highlight the privacy risks that exist for companies in Europe, where a key question is whether there is an appropriate lawful basis to capture the additional information.  Where sensitive health information is at issue, companies will need to consider whether the data collection is permissible under Article 9 of GDPR.
  • We also are seeing circumstances in which commercial partners request that personal data is shared or exchanged in connection with virus prevention and management efforts.  This type of commercial sharing of personal information amplifies the privacy risks described above.  Companies will need to consider how to mitigate the legal risks of sharing sensitive information, such as through data minimization and contractual controls.
  • In addition, the collection of additional personal data and its sharing with government authorities and commercial partners may raise new cyber risks for organizations.  Cyber criminals are opportunistic and may seek to capitalize on coronavirus-related fears.  The experience in China has been illustrative.  There have been widespread reports of cybercriminals disseminating Remote Access Trojans disguised as files or documents that seemingly provide new notifications or updates regarding COVID-19.  These Trojans are typically EXE installers intended to steal information from users’ computers or mobile devices or perpetuate ransomware.  We also have seen other types of fraud and cybercrime, including fraudulent text messages that flights have been cancelled due to the COVID-19 outbreak.  The text messages contain a phone number provided by the cybercriminals to handle “administrative matters” in relation to the cancellation.  The goal of the attacks is to obtain payment card and other sensitive information.  Companies should remind their workforces about the need to verify the source of emails or text messages before clicking on links or opening attachments or taking some other action that could lead to financial loss.

The increased reliance on telework and remote working also invariably entails cybersecurity risks.   For example, network vulnerability is an issue where employees access work systems via unsecured home or public networks, which are vulnerable to unauthorized third-party eavesdropping or access.  The use of personal devices, in particular, may be problematic, due to the fact that consumer-grade antivirus protection may not be sufficient against sophisticated cyberattacks.  In addition, data loss may result where employees, for ease of accessibility during remote work, forward sensitive business or client information to personal accounts.  Data loss may also occur with the theft of devices containing such information.  Companies should review their cybersecurity plans and practices, test remote access and continuity of operation capabilities, and remind employees of their responsibilities to safeguard company networks and information.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.