Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people. However, there has not been much discussion on what happens if there is a cyber event over the next couple of weeks as the world deals with the COVID-19 pandemic. A cyber security breach during the novel coronavirus pandemic could sever the one thread connecting remote employees to their place of work.
While it is still early, there should be little dispute that the current pandemic will have a profound impact on the workplace, which, in turn, will have a profound impact on the use of data. Commentators have already offered the following concerning the new workplace:
If the future of work requires restructured workplaces, redefined roles, rapid learning, and reserves of trust—and it does, organizations are being challenged to do all that and more as they address the coronavirus pandemic. While we have long spoken about VUCA (volatile, uncertain, complex, and ambiguous) environments, we are finally and undoubtedly facing one. In the span of a few weeks, the world’s economy traveled a path from cautious observation and common-sense health advisories to massive cancellations, business shutdowns, and work-from-home mandates. JPMorgan, AT&T, Google, Amazon, Nike, Facebook, among many, many more are hustling to virtualize business operations as social distancing continues to be the best practice to “flatten the curve” of contagion.
Coronavirus, it turns out, might be the great catalyst for business transformation.
Without a doubt, once we get through this pandemic, we will need to address how the new workplace impacts privacy. The two most immediate concerns may be the opportunities for hackers and how regulations will be impacted by the overwhelming health and economic concerns.
- The Pandemic May Provide Opportunities For Hackers
While there are a number of uncertainties during this unprecedented situation, we have been able to piece together some information concerning our world in March of 2020:
- We are in a pandemic caused by the novel coronavirus;
- In response to the pandemic, people are working from home, transferring information without the security measures found in the workplace;
- The pandemic has created turmoil in the world’s financial and employment markets; and
- Workers are feeling insecure, which may lead to snap decisions.
Unfortunately, these four factors give rise to the perfect environment for opportunistic hackers. Data collectors may want to take the following approach in the coming weeks:
- Protect data transfers. In the coming weeks, as the pandemic unfolds, employee training or discussions on data safety will be key. Data collectors should remind their new remote workforce of the emerging risks they face in transferring data.
- Prepare for outages. There are new limitations on communicating with a remote workforce. Data collectors should consider what their business may look like if there is an international, national or local outage that would cut this limited access even further.
- Think about permanent solutions for the new workplace. The remote workforce will be able to return to their traditional workplaces at some point. Data collectors should think about what safeguards should be put into place if workers start working remotely more frequently.
Not surprisingly, we have already seen hackers target vital businesses that are essential during the coronavirus pandemic. German newspapers have reported that “Cyber criminals have launched a distributed denial-of-service (DDoS) attack against German food delivery service Takeaway.com (Lieferando.de), demanding two bitcoins (about $11,000) to stop the flood of traffic.” Commentators warn this may not be the end of cyber attacks:
Security experts anticipate these types of acts, intended to exploit essential services in times of crisis, will continue as restrictions due to COVID-19 remain in place. “Deplorably, we will likely see a further avalanche of cyberattacks targeting most susceptible online businesses,” says ImmuniWeb founder and CEO Ilia Kolochenko. As a result, many organizations may be forced to pay cybercriminals or invest in DDoS protection services to defend against advanced attacks.
Clearly, this will be a continuing threat over the next few weeks.
- The Pandemic May Cause Privacy Regulations To Get Dialed Back
A couple of months ago, businesses, insurers and governments were starting to get the hang of this privacy thing. Previously, the biggest concern was compliance with privacy regulations such as the California Consumer Privacy Act (“CCPA”). (By the way, a number of organizations are now calling for a delay in the enforcement of the CCPA: https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/) That was, of course, until the coronavirus pandemic sent workers home.
Being just a few weeks into the pandemic, we can be sure that privacy law will be profoundly impacted when deadlines are extended and data is used by millions of workers who have moved offsite. After the pandemic, we will need to watch deadlines and be ready to modify compliance with privacy law.
If the adoption or enforcement of privacy regulations is delayed by the coronavirus pandemic, we may see data collectors struggle to find guidance for proper data collection and storage. Looking at case law may fill the void left by relaxed deadlines and requirements. For example, data collectors may look to decisions such as the March 26, 2018 opinion in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) as an example where a court was prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cyber security protocols closely scrutinized after the coronavirus pandemic.
Further, the facts giving rise to the incident in Hopper are instructive for remote workplaces. On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.
As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cyber security and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question.
The District Court provided the following examples of how it believed Schletter failed to properly train its employees:
- How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;
- Effective password management and encryption protocols for internal and external emails;
- Avoidance of responding to emails that are suspicious or from unknown sources;
- Locking, encrypting and limiting access to computers and files containing sensitive information;
- Implementing guidelines for maintaining and communicating sensitive data; and
- Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.
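Two of the court's points above (verifying whether an email requesting employee data is legitimate, and having a protocol for responding to such requests) can be turned into a simple gate that a payroll mailbox runs before anyone replies. The script below is an added illustration, not code from the article or the court record; the employer domain, the executive directory and the sample message are constructed, and it checks only the header and body signals that a W-2 spoofing email typically gets wrong.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (not from the article): the employer's mail domain and a small
# directory of executives whose names a spoofed W-2 request would borrow.
INTERNAL_DOMAIN = "example-corp.test"
DIRECTORY = {"jane doe": "jane.doe@example-corp.test"}
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "social security", "ssn")

def review_request(raw_message: str) -> list[str]:
    """Return reasons to hold an email asking for employee tax/payroll data.
    Empty list means the mail does not ask for such data at all."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if not any(t in subject or t in text for t in SENSITIVE_TERMS):
        return []
    reasons = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain != INTERNAL_DOMAIN:
        reasons.append(f"sender domain {from_domain} is external")
    expected = DIRECTORY.get(from_name.strip().lower())
    if expected and expected != from_addr.lower():
        reasons.append(f"display name '{from_name}' does not match {expected}")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("no passing SPF or DKIM result recorded by the gateway")
    # Policy step, independent of the signals above: every request for this
    # class of data is confirmed through a known channel before it is sent.
    reasons.append("request for employee tax/payroll data: confirm by phone or in person")
    return reasons

# Constructed sample in the shape of the 2016 W-2 scam described in Hopper.
SPOOFED = """\
From: Jane Doe <jane.doe@example-corp-hr.test>
Reply-To: <jdoe.exec@webmail.test>
To: payroll@example-corp.test
Subject: Urgent: W-2 forms for all employees
Authentication-Results: mx.example-corp.test; spf=fail; dkim=none

Please send the W-2s for all staff as one PDF before noon. Thanks, Jane
"""
```

Running `review_request(SPOOFED)` yields five hold reasons: external sender domain, display-name mismatch against the directory, differing Reply-To, no passing SPF/DKIM result, and the standing out-of-band confirmation step.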
Based on this reasoning, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.
It will be interesting to see if courts are going to give data collectors a “pass” for lapses in cyber security once the coronavirus pandemic has come to an end. Even though cyber security may be in flux, there is still a significant amount of guidance for data collectors.