Privacy is not the top priority for most people or businesses dealing with a health crisis, and the spread of COVID-19 means that privacy will (rightly) take a backseat to handling individual and global health needs. Frankly, one of the biggest problems is managing the flow of disinformation/misinformation as it winds its way through social media, causing more harm in some areas than the disease itself. Of course, the benefit of social media is that, as soon as a crisis emerges, the world is flooded with new experts.
The problem (aside from newly-minted epidemiologists issuing opinions) is that any crisis begets its own particular consequences. In our own area of expertise, we’re seeing a lot of choices and commentary about what to do with respect to privacy in the midst of a health crisis, and much of it is just flatly wrong.
Privacy never stops mattering from a legal, operational, and commercial perspective. No matter what kind of crisis you’re in, there are serious consequences for forgetting how to manage the privacy-related components of your response. In order to help guide your actions in response to the present crisis, we’ve compiled a list of common privacy mistakes and especially egregious health privacy decisions so that you can make the most informed decisions possible. There’s no perfect way to protect privacy, but there are certainly some approaches that outperform others.
1. Don’t Loosen Data Safeguards
There is going to be a temptation to diminish your controls and safeguards over data in response to changing circumstances. Vendors will delay their services, employees will work from home, products will not arrive as they should — these kinds of operational and supply-chain problems are going to abound. But your response cannot be to drop your privacy and data security standards in response. It isn’t as if cybercriminals or bad actors are going to avoid the chaos created by a crisis and sit by as opportunities abound — as the N95 mask-wearing criminals who robbed a racetrack in New York this weekend can attest.
What does this mean practically? A wide range of things, but a few important ones are:
- Don’t turn off two-factor authentication for access to sensitive materials
- If you’re working from home, ensure that your VPN is secure
- Don’t randomly abrogate security measures
- Verify any unusual vendor requests (changed routines are an invitation to phishing)
More generally, just remember that the shift from normal routines in this crisis is not driven by increased need for speed — that is, diminishing your normal security routine is not going to make anything better, and isn’t even tied to an economic imperative. You don’t need to rush into transactions without the normal precautions. Follow your standard protocols and insist on security. There’s no reason not to.
2. Don’t Suddenly Become Big Brother
One response we’ve seen to the coronavirus is businesses and governments imposing massive new surveillance regimes on individuals, putatively with an eye towards managing and limiting further infections. Obviously, some of this is entirely necessary and a good thing. But some are advocating for a very different kind of response, moving towards a form of mandatory self-reporting to employers that is entirely unhealthy.
Consider the approving response of some businesses to China’s employee-tracking system, which allows employers to identify where their workers go, with what frequency, and what their individual health status is. Calls for similar access to employee activity and health in the U.S. are on the rise, with some businesses demanding that employees in high-risk sectors (travel, healthcare, hospitality) submit all of their movements for analysis and tracking.
The problem with this approach must be self-evident: it’s not helpful. Mandating that employees provide massive amounts of data on their movements and their personal health is unthinkable under all but the most draconian of employment agreements, which means that employers likely have no basis whatever for demanding that kind of information. Worse, if employees provide it, then the business is in possession of data for which it has absolutely no pre-set safeguards (see above) or regulatory compliance regime. Want to give your legal team a collective cardiac event? Tell them that, as of this morning, the company is a covered entity under HIPAA.
Bottom line? If you don’t need information, don’t bring it in. We’ve talked about the dangers of data hoarding in the past, and those lessons apply with greater force now. Don’t make a bad situation worse by turning your company into a panopticon.
3. Don’t Forget to Think Long-Term
Responding to COVID-19 is going to require flexibility, as any unpredictable situation does. But that very flexibility is a chance to evaluate how and where you can make changes to how you approach privacy in particular and your operations in general. As your staff works remotely, or your customers alter their habits, or your vendors move to a different kind of delivery platform, you have the chance to identify how and where privacy practices could be improved.
That means that you need to use this time to recognize what works and what doesn’t when it comes to managing information in strained circumstances (e.g., are you really making the most reasonable, rational use of your data?). Think about the tools and skills that help you manage this crisis and then apply them more broadly to your operations. Frustrated with lag times in your (now) virtual meetings? Reassess your infrastructure. Worried about how to support staff and employees? Use this as the opportunity to have honest conversations about what works and what doesn’t. Thinking about the other side of a crisis is one of the most important tools for coping with it. We all need to start doing that, together, now.