Since our COVID-19 quarantine period began, I have been consumed with concerns about protecting data and privacy when people are working from home. As you can imagine, there are myriad privacy concerns that arise when your employees must suddenly start working remotely. To name a few:
The answers to these questions are legal as well as technical in nature. I’d like to share what I have learned so far in terms of legal guidance, plus some technical security tips provided by agencies like the Federal Trade Commission (FTC).
To date, little guidance has been published in the U.S. concerning working from home in the wake of COVID-19—but what has been published maintains that existing data privacy laws and regulations should continue to be followed.
When it comes to HIPAA compliance, for example, the Department of Health and Human Services (HHS) and the Office for Civil Rights have jointly published guidelines affirming that HIPAA-covered data must continue to be protected as usual. The law cannot be set aside because we are in a state of emergency. If the protected health information must be shared, it should be done to the minimum extent necessary. To ease the burden, HHS has waived HIPAA sanctions and penalties for hospitals, and is planning to relax restrictions on sharing data electronically.
In a somewhat analogous situation, before the Y2K transition, the Department of Labor (DOL) reminded employers that it was their “fiduciary duty” to make sure their systems were ready to manage any potential loss of data concerning employee benefits. Employers, in turn, held their third-party providers accountable for services for employees, such as 401(k) administration. The DOL made it clear that the employer and its third-party service providers would be responsible for managing and preventing loss of financial data, as opposed to passing the buck to employees.
The same could be said in our current COVID-19 crisis. Companies and their third-party service providers, not the consumer, are best positioned to ensure the safety of data.
Thus, based on current federal agency guidance as well as historical disaster preparations such as the lead-up to Y2K, the general legal consensus is that protection requirements continue to apply whether employees work from the office or from home. To be safe, you should take reasonable measures to comply with privacy requirements, whether in the U.S. or abroad. You should also remind your service providers to take reasonable measures to protect consumer data while their own employees are working from home.
When it comes to security measures, the FTC has published online security tips for working from home, including:
Even the FBI has recently joined the chorus of concern and has published tips of its own.
At the international level, the European Data Protection Board has also published guidelines regarding COVID-19. The General Data Protection Regulation (GDPR) has rules in place that apply to the processing of personal data in the context of an epidemic, in accordance with national law.
From a legal liability standpoint, then, you may not be able to claim that privacy protection standards have somehow been lowered just because of the coronavirus pandemic. So be prepared to defend your privacy-protection processes while your employees are working remotely. You should also remind your third-party service providers to do the same. Inform your employees working from home that company-wide privacy protection measures still stand—and give them the tools they need, such as the FTC guidelines, to protect data and privacy.
For more on how to safeguard privacy in the cloud, check out this recent webinar recording:
Case Studies on Information Governance in Microsoft 365