The Balancing Act: Health & Safety vs. Data Privacy

Protecting Health & Safety and Data Privacy During the COVID-19 Pandemic

Protecting Health & Safety vs. Data Privacy During the COVID-19 Pandemic

WHY THIS MATTERS

Ensuring that your business complies with data privacy laws during the COVID-19 outbreak may not be easy – but compliance is still required.

Data privacy regulations have not been waived – they are still in play during the crisis.

In fact, regulators are focused on the need for privacy law enforcement actions, and new laws are being proposed at both the federal and state level in the US.

All businesses, those with “work from home policies” in place, healthcare facilities, home delivery services, and third-party service providers, need to comply with data privacy laws and regulations.

If your business experiences a security failure or privacy breach, you could face a regulatory proceeding, or a lawsuit filed by third parties. A robust stand-alone cyber insurance policy can help you allay some of those costs and provide you with the support of an incident response team.

During COVID-19, we are in a battle to protect the health and safety of people in our communities.

We are also in a battle to protect and secure our data privacy.

The Rise of Cyberattacks During COVID-19

As we have reported, during the COVID-19 Pandemic, hackers have stepped up their cyberattacks to capitalize on reduced cybersecurity protection and increased human error while working from home.

This month, Cyber Alliance Program released the Mimecast report indicating that COVID-19 boosted cyberattacks by 30% in 100 days.

During COVID-19, we are in a battle to protect the health and safety of people in our communities.

We are also in a battle to protect and secure our data privacy.

Cyberattacks create potential liability under privacy laws and regulations that intend to protect consumers’ data privacy.

Emerging Risks of Emerging Technology

Despite the coronavirus, most of us want our data privacy or information privacy to remain secure. The proper handling of our data involves consent, notice, and meeting regulatory obligations. Data privacy concerns stem from how our data will be collected, used, shared, sold, stored, and deleted.

Innovators are developing tools for us to cope with and contain the spread of the virus. New technologies that can track our health and who we have been in contact with – all intended to stop the spread of the virus. Many health and safety officials praise the technology while others raise the alarm bells about data privacy.

Contact Tracing vs. Location Tracking

The Center for Disease Control (CDC) suggested that we use contact tracing during the COVID-19 Pandemic. Key concepts include:

  • Tracing and monitoring contacts of infected people. Notify contacts of their exposure.
  • Support the quarantine of contacts. Help ensure the safe, sustainable, and effective quarantine of contacts to prevent further transmission.
  • Expand staffing resources. Contact tracing in the US will require that states, tribes, localities, and territories establish large cadres of contact tracers.
  • Use digital tools. Adoption and evaluation of digital tools may expand the reach and efficacy of contact tracers.

Contact tracing is a specialized skill. To be done effectively, it requires people with the training, supervision, and access to social and medical support for patients and contacts.

The CDC website provides a training program and advice on contract tracing devices. Regarding privacy, the CDC states that:

  • All use of personally identifiable information (PII) requires patient or contact consent
  • All other data must be anonymized before sharing
  • All data must be encrypted in transit and at rest
  • Preferably, the device must allow individuals access to their data, and the ability to delete or revoke consent at any time
  • Authorized data access to personal health applications (PHAs) must be limited to a need-to-know basis
The COVID-19 App

The new COVID-19 app developed by Apple, Inc. and Alphabet Inc.’s Google, is aimed at helping public health authorities slow the spread of the novel coronavirus. The mobile app will use contact tracing based on your proximity to or contact with someone who has tested positive for the coronavirus. The companies plan to allow only public health authorities to use the technology.

The COVID-19 app is an opt-in only mobile app for contact tracing of COVID-19 – which means that it is voluntary, not mandatory.

Apple and Google, whose operating systems power 99% of smartphones, announced they would ban the use of location tracking in apps that use their new contact tracing system they are building to help slow the spread of the novel coronavirus.

According to TechCrunch, the first version of the application programming interface (API), renamed Exposure Notification API from Contact Tracing API (to more accurately reflect its actual use and purpose), has been released to developers.

Both companies said privacy and preventing governments from using the system to compile data on citizens was a primary goal. The system uses Bluetooth signals from phones to detect encounters and does not use or store GPS location data.

The Apple-Google decision to not allow GPS data collection with their contact tracing system will require public health authorities that want to access GPS location to rely on what Apple and Google have described as unstable, battery-draining workarounds.

Drones Detect Health Concerns

Drones can single out people in a crowd if they cough, sneeze, or have a high temperature or heart rate.

The Police Department in the town of Westport, Connecticut, has opted out of the use of “pandemic drones” to monitor people for fever or cough from afar.

Community residents and the state’s chapter of the American Civil Liberties Unions (ACLU) expressed privacy concerns over the “Flatten the Curve Pilot Program.” The ACLU added that technology is “no magic pill” to the coronavirus pandemic.

The Role of Regulators

Legislators in the US are seeking to expand privacy protections under federal and state laws. They are not relaxing the enforcement of privacy protections during the crisis.

One exception is the HIPAA Telehealth waiver discussed in our recent article on Reducing Healthcare Third-Party Risk.

NEW LEGISLATION DURING THE COVID-19 PANDEMIC

The COVID-19 Data Protection Act (proposed bill)

On April 30, 2020, the US Senate introduced the COVID-19 Consumer Data Protection Act of 2020. The Press Release reported that the legislation would give all Americans more transparency, choice, and control over the collection and use of their personal health information, geolocation, and proximity data.

Intentions of the legislation:

  • Hold businesses accountable to consumers if they use personal data to fight the COVID-19 Pandemic and to keep personal information safe from misuse.
  • Strike the right balance between innovation and maintaining privacy protections for US citizens. This innovation would allow technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread.
  • Provide American consumers with clear and measurable protections when it comes to the collection, processing, and transferring of their personally identifiable information.

While many businesses have taken well-intentioned steps to develop technological solutions to track, contain, and end the COVID-19 Pandemic, Congress must address potentially harmful practices that could stem from these innovations – if not held accountable.

CALIFORNIA LAW

Californians for Consumer Privacy sponsored the California Consumer Privacy Act (CCPA) Ballot referendum signed by 629,000 Californians to qualify for the November 2018 ballot.

After the initiative qualified, the California State Legislature passed the groundbreaking consumer privacy legislation effective January 2020. The CCPA gave nearly 40 million people in California the strongest data privacy rights in the country.

New Initiative - California Privacy Rights Act (CPRA) – On the November 2020 Ballot

Again, Californians for Consumer Privacy has filed an initiative to appear on the November 2020 ballot, the California Privacy Rights Act (CPRA).

The ballot initiative would expand the provisions of the CCPA and create the California Privacy Protection Agency, and remove the ability of a business to fix violations before being penalized for violations (aka the 30-day cure)

The CPRA proposes additional protection of consumer’s rights:

  • Prevent the sharing of personal information without consent (e.g., consumer’s physical location, health information, and financial information).
  • Correct a consumer’s inaccurate personal information.
  • Provide consumers with an opt-out of having sensitive information used or disclosed for advertising or marketing.
  • Provide enhanced penalties related to the collection and sale of children’s information (i.e., triple penalties for violations). 
  • Provide increased protection for data of consumers younger than 16.
  • Provide a requirement to obtain permission from a parent or guardian before collecting data from consumers younger than 13.
  • Create a new agency or authority to enforce rights under its umbrella. It is not clear if this would also include enforcement of consumers’ rights under the CCPA.

If the CPRA does become law, companies which conduct business in California will face an even greater burden related to consumer privacy.

The California Consumer Privacy Act (CCPA)

The CCPA is a California state statute that grants California consumers the right to know about and control the personal information that businesses collect about them.

The CCPA became effective on January 1, 2020, with enforcement regulations taking effect on July 1, 2020. The business community unsuccessfully sought to postpone the July 1 start date.

In February 2020, the California Attorney General (AG) issued revisions to proposed regulations CCPA, and again in March 2020, to try to establish a road-map for how to apply the law. Some businesses are finding the changes to enforcement regulations to be costly in terms of making adjustments to their compliance programs while not making compliance easier or more understandable.

Significantly, the regulations seek to limit the scope of personal information (i.e., if data cannot be linked to an individual consumer household) and recognize that service providers may use personal information for research and development purposes without exceeding the scope of their engagement. Nevertheless, the legal community notes that compliance with the CCPA remains complex.

At various points in both the original and updated versions of the CCPA regulations, businesses are directed to use “reasonable security” measures, but the term remains undefined. This lack of clarity heightens the concern of businesses that may be sued via a private right of action – separate from enforcement actions by the AG.

The new changes to the CCPA allow the use of personal information where that use is not ‘materially different’ from that disclosed (which provides some leeway for interpretation).

The proposed changes also provide some direction as to when businesses must respond to consumer requests and the requirements when doing so.

The new regulations remove the requirement that businesses (including Internet-only business) have a toll-free telephone number to make requests to know, requests to delete, or similar requests so long as the business primarily contacts consumers through the Internet or mobile applications.

The current penalties under the CCPA remain unchanged:

  • $2,500 for each violation or $7,500 for each intentional violation for enforcement actions for non-compliance
  • Actual damages, or statutory damages from $100 to $750 per consumer per incident for a private right of action.

An open question is whether the AG will be able to justify the expense in terms of time and resources to bring an enforcement action. Some estimates by privacy lawyers indicate that the California Department of Justice will need to collect $57.5 million annually in civil penalties to pay for the costs of enforcing the CCPA. 

All businesses subject to the CCPA have an affirmative obligation to establish security procedures and practices to protect any personal information maintained.

Even during the current COVID-19 Pandemic, a compliance program must be in place.

Stand-alone Cyber Insurance Coverage

Regulatory Defense and Penalties:

Cyber insurance policy wordings are not standardized, and thus they vary. However, most policies include coverage for claim expenses and regulatory penalties that the insured becomes legally obligated to pay during a regulatory proceeding for a security failure or data breach.

Regulatory Penalties:

Typically, cyber insurance provides coverage for monetary fines and penalties imposed in a regulatory proceeding (to the extent insurable under applicable law).

Often, regulatory penalties do not include costs to comply with injunctive relief, improve privacy or security practices, or to audit, report, or comply with regulations.

Regulatory Proceedings:

Usually refers to a request for information, a civil investigation, or civil proceeding brought by or on behalf of the Federal Trade Commission (FTC), Federal Communications Commission (FCC), or any federal, state, local, or foreign governmental entity in its official capacity.

We have entered a new era of “Internet-reliance” during the COVID-19 Pandemic. That means we must be cyber secure in our use of these devices in all workplace environments. If we fail to do so, we could face costly legal liability.

TAKEAWAYS:

  • The unique convergence of multiple factors (e.g., COVID-19, increased use of Internet-connected devices, remote work, reduced cybersecurity) has created a broader attack surface for cybercriminals.
  • Compliance in the way in which you collect, use, store, share, and delete data is required now, during the crisis, as it was before the crisis.
  • If you are concerned about data privacy risks, reach out to a cyber specialist broker and insurance company to discuss:
    • Cybersecurity risk assessments
    • Cybersecurity scans
    • Privacy risks leaving you vulnerable to regulatory proceedings or third-party claims or lawsuits
    • Transferring your residual cyber risk (i.e., not 100% addressed by your cybersecurity measures and employee risk awareness training)

Schedule a meeting with Cyber Armada today to discuss your potential cyber exposures and financial losses. Contact us at 888.727.6232.

NEXT ARTICLE

Watch for our upcoming white paper on Data Privacy in 2020.
This article is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney client relationship is formed or implied between you and the authors(s) or Cyber Armada Insurance.

Topics: Cyber Security Covid-19 Privacy Legal

Articles & Insights Home
Cyber Armada Team
Posted by Cyber Armada Team on May 13, 2020
Facebook Linkedin Twitter
Application

Apply for Cyber Insurance Online

Answer a few questions online and Cyber Armada will design a cyber insurance policy tailored to your particular needs.

Apply Online
Apply for Cyber Insurance
Schedule an appointment with Cyber Armada
Appointment

Can we talk?

We're ready to talk when you are. You can schedule an appointment to speak with a representative from Cyber Armada when it is most convenient for you. Whenever possible we use online meetings to increase productivity and increase the amount of time we can spend with you. We use Zoom Meetings as our preferred video conferencing platform.

Schedule Appointment