Data Privacy Competence Amid The COVID-19 Pandemic: Pro-Active Compliance Workshop

Webcast slide deck, 16 April 2020


Page 2

CONFIDENTIAL © 2020 Exterro, Inc. All rights reserved.

Brought to you by: Exterro is the preferred provider of software specifically designed for in-house legal and IT teams at G2000 organizations.

Page 3

Panelists

Mark Schreiber, Partner, Global Privacy and Cybersecurity,

McDermott Will & Emery LLP

[email protected]

+1 617.535.3982

Robert Fowler, Director of Strategic Alliances, Exterro

[email protected]

314.249.3380

Page 4

In this webcast our panel will review…

AN OVERVIEW OF DATA PRIVACY REGULATIONS

AND ENFORCEMENT

BEST PRACTICES OF HANDLING DATA PRIVACY COMPLAINTS/LAWSUITS

DEFENSIBLE PRACTICES TO AVOID ADVERSE LEGAL

AND FINANCIAL CONSEQUENCES

Page 6

Today’s Complex Data Environment

Page 7

Migrating from Abroad to the US

Page 8

Pioneering US Privacy Laws – CCPA

A New Era of Data Privacy Rights

1. Right to Know Data Collected & Purpose

2. Right to Access Data

3. Right to Delete Data

4. Right to Know Categories of Third Parties

5. Right to Opt-Out of Sale

6. Right to Equal Treatment

Page 10

New Frontier in Class Action Litigation

Page 11

COVID-19: CYBERSECURITY CONSIDERATIONS

Page 12

Cybersecurity

Preparation

> Q: How can companies prepare their employees, contractors and others to identify and avoid the unique cybersecurity threats related to online communications about COVID-19?

> A:

▪ The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has reported that bad actors are using COVID-19 as a pretext for scam emails

• The FTC, Secret Service and WHO have issued similar warnings. See the References page at the back for links

• Common pretexts: online offers of a vaccine, donation requests, urgent alerts

• Threat actors have already been identified dropping malware via COVID-19-themed emails

• AA20-099A: COVID-19 Exploited by Malicious Cyber Actors – US-CERT compendium (joint CISA/UK NCSC alert, 8 April 2020)

Information provided by McDermott Will & Emery

Page 13

Cybersecurity

Preparation (Cont.)

> Q: How can companies prepare their employees, contractors and others to identify and avoid the unique cybersecurity threats related to online communications about COVID-19?

> A:

▪ Consider sending a security reminder on best practices to avoid cyberattacks and scams

▪ Use the outbreak as an opportunity to re-emphasize the importance of cyber-vigilance with employees, contractors and customers

▪ Reinforce routine security hygiene: password complexity, VPN use, multi-factor authentication (MFA), and full-disk encryption on laptops

Page 14

Cybersecurity

Remote Work

> Q: What are the cybersecurity issues or risks in increasing remote work?

> A:

▪ Issues include: bandwidth limits, increased exfiltration of data to employees' personal devices, and greater security exposure due to larger numbers of remote workers, including new or inexperienced ones

▪ Consider testing remote connectivity, including load testing

▪ Be conscious of workers with limited remote work experience and consider training

▪ Provide reminders on:

• remote access and acceptable use policies, BYOD

• physical security best practices (e.g., monitoring laptops/devices while in public, security in the home)

▪ Consider SANS "5 Steps to Securely Work from Home" (see References at back)

Page 15

Cybersecurity

Other Risk

> Q: What additional cybersecurity concerns or risks should companies be aware of in these circumstances?

> A:

▪ SIEM and other risk-monitoring solutions may generate a higher number of false positives because remote work changes the traffic and login patterns they baseline against

• Attackers may use the situation, and the added noise, to hide intrusion activity

▪ Review the IRP, disaster recovery plan and other security monitoring plans to ensure preparation for a security incident

▪ Websites remain vulnerable to traditional attacks:

• HHS was subject to a cyber attack approx. March 15

• The Champaign-Urbana Public Health District website was taken down in a ransomware attack approx. March 10

Page 16

Cybersecurity

Other Risk (Cont.)

> Q: What additional cybersecurity concerns or risks should companies be aware of in these circumstances?

> A:

▪ Prepare for IT system dislocations/failures

• Ensure availability of additional/backup IT resources

• Create/update a plan in case systems go down

▪ IT/security resources may need to be boosted

• Ensure staffing and other resources are sufficient to keep pace with increased demands

▪ Ensure compliance with relevant security rules and frameworks (e.g., HIPAA, GLBA, PCI DSS) when transmitting COVID-19 information (e.g., PHI, consumer data, company classified data)

Page 17

COVID-19: PERSONAL INFORMATION

Page 18

Personal Information

Disclosing COVID-19 Information

> Q: What is considered personal information?

> A: Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household

▪ Includes health and geolocation data

▪ A very broad standard; it comes from the new California Consumer Privacy Act (CCPA) and is similar to the standard under the EU General Data Protection Regulation (GDPR), but it is best practice even for companies that operate outside those jurisdictions

Page 19

Personal Information

Collecting COVID-19 Information

> Q: What do we need to consider before collecting, using or sharing COVID-19 personal information?

> A: Consider why you need – or want – to collect, use or share the information.

▪ To protect health or safety?

▪ Other valid, compelling business purpose?

▪ If not, don't do it

> Q: Is the contemplated collection, use, and sharing consistent with existing privacy policies?

> A: If not, update privacy policies before collecting new information.

Page 20

Personal Information

Sharing COVID-19 Information

> Q: What if our privacy policy covers the types of personal information we are collecting, but our intended use or sharing in response to COVID-19 will be unexpected to our guests or consumers?

> A: Review existing privacy policies to ensure they cover the new purpose for disclosure, e.g., to a governmental agency for a public health purpose

▪ Common permitted purposes for sharing personal information:

• to protect the health or safety of individuals;

• in response to valid legal process or a lawful obligation

▪ If policies do not permit disclosure to governmental agencies, consider amending them

• Also consider the additional effects of any amendments (e.g., necessary changes to contracts or internal procedures)

Page 21

Personal Information

Sharing COVID-19 Information With Government Entities

> Q: If a government agency requests information about our employees, guests or customers, what do we need to consider from a privacy perspective?

> A: Considerations should include:

▪ (1) Geography – privacy obligations differ based upon jurisdiction

▪ (2) Absent a legal requirement, be careful about sharing personal information with governmental entities

• Requesting an explanation of the legal basis vs. requiring legal process

• Weigh the potential public backlash of being seen as uncooperative in a public health emergency against the importance of protecting the privacy of customers/employees/partners

• With the global spread of COVID-19, requests could come from many governments/agencies – will your response depend on the identity of the requesting entity?

▪ (3) Even with a legal requirement, tailor responses to limit the potential for sensitive/harmful information to be shared

Page 22

Personal Information

Sharing COVID-19 Information With Government Entities (Cont.)

> Q: If we disclose information to a government agency about our employees, guests or customers in relation to COVID-19, do we need to inform the individuals that we shared this information?

> A:

▪ In the US, the obligation to inform affected individuals arises only in limited situations

• E.g., a data subject request under the CCPA for information shared with third parties

Page 23

Personal Information

Other Disclosures

> Q: If we learn that an employee, guest or customer has tested positive for COVID-19, what information may we disclose?

> A:

▪ If making a disclosure at the request of a government agency, you may provide information responsive to the agency's requests

▪ If sharing voluntarily with other parties (e.g., employees, customers), share only the minimal amount necessary for each party to assess their own personal health

• Avoid sharing PII without the consent of the affected individual

Page 24

Using Data "For Good"

Our organization already holds a lot of personal data – how can we use it to help?

> Q: We are a data-rich company and would like to help. How can and should we use the data we already hold?

> A: Consider whether the data you hold can help with important decisions, not just provide general insights.

▪ Use de-identified, aggregate data wherever possible (though it is not always useful in this context)

▪ Be sure you have a focused strategy and a defined objective for data use

▪ Use the data you already have; resist the urge to gather more

▪ Carefully supervise, manage and limit all uses – and users – of the data

▪ Enforce safeguards, including quality of analysis and accountability

▪ Secure the data, even under time and WFH pressures

▪ Consider the "downstream" privacy implications of the project once the current crisis has passed; the genie will be out of the bottle

Page 25

COVID-19: GDPR

Page 26

GDPR

Role of the Supervisory Authorities

> Q: Are data protection Supervisory Authorities giving guidance in response to COVID-19?

> A:

▪ Yes. Authorities from more than 20 EU countries, the EDPB and the EDPS have started releasing guidance, including the UK, Ireland, France, Italy, Germany and Spain.

• Practical Impact: Whilst most of the guidance follows the same sorts of principles, there are differences. Care should be taken that the appropriate local guidance is consulted for any particular country.

▪ NB. Non-EU countries are also releasing guidance: China, Singapore, Canada, New Zealand, Mexico.

Page 27

GDPR Considerations for COVID-19

> During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?

> No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won't penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.

> We can't extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.

> ICO: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/

Page 28

GDPR Considerations for COVID-19

> Q: If the Regulators are relaxing their enforcement of the GDPR, what is the new level of compliance we should meet?

> A:

▪ Good question. It is not clear what the new standard of compliance should be. Further, it is not clear how long this relaxation will last or what should happen at the end of that period.

• Practical impact: Where a lower standard of GDPR compliance is to be used, we recommend undertaking a short-form DPIA to assess the risks and to justify the lower standard of compliance.

• Practical impact: Notify your Data Protection Officer (DPO) and keep them informed.

• Practical impact: Record each area where a lower standard of compliance has been adopted, so that at the end of the relaxation period those areas can be brought back into compliance.

Page 29

GDPR Considerations for COVID-19

> Q: How does the GDPR differ from the US rules when dealing with COVID-19?

> A:

▪ (1) Both personal data and health information are defined very broadly under the GDPR, so information not caught by HIPAA or the CCPA may be within the scope of the GDPR.

• Practical impact: check your data handling practices and data privacy notices to ensure sufficient coverage.

▪ (2) The GDPR can apply to business operations in the US merely because the personal information concerns individuals located in the EEA or is obtained "in the context" of EEA operations.

• Practical impact: Be careful when personal data coming from the EEA is being processed or disclosed.

▪ (3) Health information, as "sensitive personal data", is subject to additional controls.

• Practical impact: Make sure that the processing you know to be lawful in the US is also lawful under the GDPR.

• Watch out for cross-border issues. For example, when the law provides that disclosure is permitted by applicable law, that means domestic law, not foreign law.

Page 30

GDPR Considerations for COVID-19

> Q: How does the GDPR differ from the US rules when dealing with COVID-19? (Cont.)

> A:

▪ (4) The GDPR has strict requirements to keep "records of processing".

• Practical impact: Ensure that you keep records of the processing that takes place. If there is an EU Data Protection Authority investigation, this is the first thing they will ask to see.

▪ (5) Be prepared to respond to data subject requests (DSRs) about COVID-19.

• Practical impact: Data Subject Access Requests are now a common tool for employees and customers who want to find out information about themselves. Only documents that concern that individual should be disclosed. Review your DSR policy and procedures.

▪ (6) The GDPR and the e-Privacy Directive also regulate the sending of emails; express consent is required.

• Practical impact: Be careful about COVID-19 status communications; they may breach the GDPR and the e-Privacy Directive.

Page 31

GDPR

Special GDPR Rules on COVID-19 Information

> Q: Are there special rules in the GDPR for pandemics such as COVID-19?

> A:

▪ Yes. One of the bases for processing sensitive personal data is where the processing is necessary for reasons of public interest in the area of public health.

▪ EU countries are issuing emergency rulings and guidance allowing processing of COVID-19 information under the "public interest in the area of public health" basis.

• Practical impact: If you think that this basis might apply, you should do a Data Protection Impact Assessment (DPIA).

• In supplemental regulatory guidance the Regulators say that the other GDPR principles about lawfulness, transparency, confidentiality, data minimization, accountability and proportionality still apply, especially in the context of disclosing the personal data of a COVID-19 patient.

Page 32

GDPR

Guidance from Ireland's Supervisory Authority

> Q: What has the Irish DPC said in light of COVID-19?

> A:

▪ The Irish DPC reminds companies that even where the processing of COVID-19 data is authorized, there is still a need for suitable safeguards, including access controls, time limits for erasure and staff training.

▪ Processing must be necessary and proportional, and carried out in a confidential manner.

▪ Companies must be transparent about processing, including the purpose and retention period.

▪ Companies must strive to ensure the security of the data and process the minimum necessary amount of data.

▪ Any decision-making process must be documented.

Page 33

GDPR

Guidance from Ireland's Supervisory Authority (Cont.)

> Q: What else did the Irish DPC say in the guidance it released?

> A:

▪ Companies can ask visitors questions about travel to affected areas, symptoms and exposure, but they need strong justification based on necessity and a judgment of risk to issue questionnaires.

▪ Companies can ask for details of an employee's illness, but collection must be justified and factual, limited to what is necessary.

▪ Sending employees home is not a data protection matter, but an employment one.

▪ Disclosing details of an employee who has the virus should be avoided.

▪ The Irish DPC recognizes that GDPR DSRs may face "unavoidable delays" as a result of COVID-19 and recommends communicating with individuals submitting DSRs and responding in stages.

Page 34

GDPR

Special Rules for Transferring COVID-19 Data Outside of the EEA

> Q: Are there any special rules to consider when transferring sensitive personal data to a controller outside of the EEA?

> A:

▪ The bases for legitimizing export are in addition to those for legitimizing processing.

▪ If using SCCs, check for further restrictions in the clauses relating to sensitive personal data; often onward transfer of sensitive personal data requires express consent.

▪ Check Privacy Shield self-certification or Binding Corporate Rules, if applicable

Page 35

GDPR

Cyber security risk arising from COVID-19

> Q: What are the European Supervisory Authorities saying about cyber risks and COVID-19?

> A:

▪ The ICO has already identified the following types of exploitation:

• The Government asking for your bank details so money related to free school meals can be transferred;

• HMRC stating you have a tax refund;

• Banks asking you to confirm your details;

• Emails from criminals disguising themselves as an organisation;

• Callers offering coronavirus testing kits and protective equipment; or

• Calls telling you your internet is going to be cut off in 24 hours because you've been hacked.

Page 36

GDPR

Cyber security risk arising from COVID-19 (Cont.)

> Q: What are the European Supervisory Authorities saying about cyber risks and COVID-19?

> A:

▪ The Supervisory Authorities also recognize that there may be additional cyber risk where there is home working.

• Practical impact: Ensure that your Information Security policies and procedures are effective where the workforce is remote.

• Practical impact: Ensure that there is still effective detection of cyber risks where the exploits are directed against remote staff.

• Practical impact: Ensure that Incident Response Policies are up to date and operational to deal with all the usual types of social engineering, phishing, Trojan horses, ransomware and the like.

Page 37

GDPR

Conclusions

> Q: What conclusions and recommendations can we make?

> A:

▪ Although the European Data Protection Supervisory Authorities have indicated a relaxed view, they still want the principles in the GDPR followed.

• Practical impact: All the usual steps of (i) making sure that the privacy notice is correct; (ii) ensuring a valid basis for processing; (iii) ensuring that there is purpose limitation and data minimization; (iv) documenting any processing; and (v) responding appropriately to DSRs and complaints etc. must be undertaken.

• Practical impact: If in doubt about any new type of processing, undertake a Data Protection Impact Assessment (DPIA)

▪ A lot of guidance has now been released by the European Data Protection Supervisory Authorities.

• Practical impact: Although much of it is similar, the appropriate guidance for the countries that are in scope should be consulted.

Page 38

GDPR

Conclusions (Cont.)

> Q: What conclusions and recommendations can we make?

> A:

▪ No guidance has been given about what happens at the end of the pandemic.

• Practical impact: Keep records of what has been done so that, at the end of the pandemic, any steps taken under the more relaxed approach can be adjusted once the regulatory leniency has terminated.

• NB Regulatory leniency does not insulate companies from third-party actions or class actions brought for breaches of the GDPR.

▪ Cyber security risk has increased dramatically.

• Practical impact: Ensure that all policies and procedures are adjusted to work in our new operating environment, and check that your Incident Response Policy is effective.

Page 39

Your Guide to Defensible Data Practices

1. Know Your Data

2. Update Policies & Disclosures

3. Third Party Risk

4. Manage Consumer Requests

5. Employee Training

6. Defensible Compliance

7. Future Proof Your Compliance Approach

Page 40

A Roadmap for Success: #1 Know Your Data

Page 41

The Foundation for Defensible Compliance

Page 42

A Roadmap for Success: #2 Update Policies & Disclosures

Page 43

A Roadmap for Success: #3 Third Party Risk

Page 44

1 Who are our vendors?

2 Which ones touch our data?

3 What specific data do they touch?

4 Which ones are relevant to regulations?

5 How are they protecting our data?

Page 46

A Roadmap for Success: #4 Manage Consumer Requests

Page 48

A Roadmap for Success: #5 Employee Training

Page 49

A Roadmap for Success: #6 Defensible Compliance

Page 51

A Roadmap for Success: #7 Evaluate New Regulations

Page 52

What's to come?

STATE COMPREHENSIVE PRIVACY LAW COMPARISON

Page 53

Questions?

Page 54

THANK YOU TO OUR WEBCAST PANELISTS

Mark Schreiber, Partner, Global Privacy and Cybersecurity, McDermott Will & Emery LLP

Robert Fowler, Director of Strategic Alliances, Exterro

Page 55

Additional Resources

• AA20-099A: COVID-19 Exploited by Malicious Cyber Actors

• https://www.mwe.com/insights/six-tips-for-working-cyber-safely-from-home-during-covid-19/

• https://www.mwe.com/insights/privacy-global-pandemic-analysis-covid19-guidance-data-protection-authorities/