O’Melveny Coronavirus Task Force: Data Security and Privacy Considerations During the COVID-19 Response

March 16, 2020

As companies adjust operations and take steps to deal with the threat from COVID-19, it is important to increase vigilance regarding data security and privacy issues. Telework and changes in business practices increase vulnerability to malware and phishing attacks. And as companies collect information from employees as part of their incident management efforts, they need to be mindful of continuing data security and privacy obligations. This alert highlights some actions that companies can take to mitigate data security and privacy threats.

Telework Best Practices

With increased telework comes increased network vulnerability. Companies should ensure that they have telework security policies in place and aggressively communicate those policies to employees. Companies should consider requiring employees to use only encrypted home networks with up-to-date software and firmware patches. Companies should also discourage employees from using personal email and storing business information on their home computers. This may be a growing challenge if increased use of company networks and devices creates technical issues that cannot be resolved remotely.

Companies should also remind employees of the risk of phishing and take steps to manage internal communications. There has been a wave of phishing attacks masquerading as legitimate COVID-19 communications. Cyber threat actors are pretending to send communications from public health authorities and are creating malware-infected websites that look like legitimate sources of virus-related information. Companies should remind their employees to be particularly vigilant and to carefully review any email before clicking a link or downloading a file.

In addition, companies are sending out increased communications to employees as they manage the response to the crisis. To ensure that employees are interacting with only legitimate email, and not ignoring vital communications, employers should appoint a limited number of leadership officials to communicate updates to employees. Those officials should clearly communicate that they will be the primary conduit through which incident response information is shared. Companies should also remind employees of data security risks that are unrelated to technology, such as printing out and storing business information at their homes.

Data Privacy

Companies should ensure that they continue to follow employment rules and that any additional collection of information is consistent with international, federal, and state laws, as some jurisdictions limit the extent to which an employer may inquire about medical diagnoses and other health information. For example, the Americans with Disabilities Act places restrictions on the extent to which employers can conduct medical examinations and imposes requirements for protecting confidential medical information. Companies should consult existing guidance and look for new guidance issued by relevant government agencies.

The Health and Human Services, Office of Civil Rights has published guidance regarding COVID-19 and compliance with the Health Insurance Portability and Accountability Act (HIPAA). Entities subject to HIPAA should also carefully evaluate how the President’s March 13, 2020 national emergency declaration impacts applicable restrictions on sharing information. Likewise, the Department of Education recently issued guidance on how to apply the Family Educational Rights and Privacy Act (FERPA) in light of COVID-19. And companies should pay attention to state-level declarations and evaluate potential impacts on state data privacy requirements.  

Companies subject to the EU’s General Data Protection Regulation (GDPR) will need to ensure that there is a lawful basis for any additional data collection and pay close attention to announcements from European authorities concerning permissible data processing procedures. The Chair of the European Data Protection Board recently released a statement regarding the processing of health data and location data in response to COVID-19.

Companies should be mindful of how any personal information related to incident response is stored and ultimately used or destroyed when this crisis comes to an end. A collection and use of information that was reasonable during a crisis may no longer be reasonable when the crisis has abated.

Appropriate data security and privacy practices are a critical component of any incident response, and particularly so when facing a large-scale, sustained disruption. To ensure that business operations can continue, companies should increase data security measures, adopt reasonable data privacy postures, and stay up to date with any government guidance. 

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O’Melveny partner licensed to practice law in the District of Columbia, Lisa Monaco, an O’Melveny partner licensed to practice law in New York, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, and John Dermody, an O’Melveny counsel licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.