Don’t Let Your COVID-19 Liability Response Become a Liability
Concerns around data privacy and data security didn’t vanish with the start of the COVID-19 pandemic. They’ve only been amplified, especially of late, as reopening organizations have sought to collect more information on their users in the effort to keep them safe. Routine temperature checks, contact tracing – many are counting on these (and similar) practices to help bring users back onsite and carefully usher in a return to normalcy. While useful toward promoting physical wellbeing, such procedures can leave organizations exposed from a cyber security and compliance perspective.
Here’s an example: Albion College, a small liberal arts school located in central Michigan, earned the wrong kind of national headlines after mandating the use of a contact-tracing app for returning students. The app would record a student’s COVID-19 status and track their movements around campus. If a student were to test positive, the app could help identify any others who may have been in contact with that person. This raised the anxieties of privacy-conscious students and parents. Those fears were heightened after the app was found to have a pair of security vulnerabilities. One of these allowed access to the app’s back-end servers. The other left details like a student’s name and COVID-19 test status accessible to prying eyes. Both have since been corrected by the app’s manufacturer.
Such scenarios certainly aren’t unique to Albion or even higher ed in general. Organizations in all industries are grappling with how to gather and use data to ensure a COVID-safe workplace without doing so at the expense of privacy. While this issue is still playing out in real time all around us, there have been some lessons learned.
6 questions to ask about data privacy in the face of COVID-19
Here are six questions our security team believes can help organizations strike a balance between data collection and data security.
- Do you have a data classification policy in place? These policies define data sets as public or private, sensitive or open, etc. Those definitions should then be used to determine how data sets are stored and who has access to them. Organizations that don’t have data classification policies of their own should consider developing them as data volume grows, either in-house or with the help of a security partner.
- Is your existing classification system set up to handle an influx of COVID-generated data? It’s not likely many employers were tracking their employees’ temperatures or scrutinizing their peer interactions too closely prior to COVID. Now? It’s commonplace. This newly-generated data will need to be classified under an existing system. How it should be classified remains up for debate. Right now, it’s best to lean on the interpretation of an in-house or partner resource with a legal and/or regulatory background. Should there be any lingering doubt, it’s best to err on the side of stricter designations rather than go too loose.
- What are our regulatory obligations? We’re in uncharted waters right now in terms of both data privacy and the ongoing pandemic response. Organizations should seek clarity on just what regulatory obligations they have, if any, regarding the new data flowing into their network. The risk – and cost – associated with playing catch up on this topic is too great. Instead, organizations must get out in front and seek the advice of an expert resource in the field.
- What’s the lifespan of this data? Once collected, how deep should a repository of employee temperatures go? Organizations will need to determine how long they want to, or are obligated to, retain this newly-targeted data. Longer retention periods will give rise to increased concerns around both security and storage. Organizations will need to clarify their individual responsibilities in this space from a compliance perspective and then make the necessary adjustments to their data center environment and cyber security posture.
- How are we going to collect this data? Albion’s experience shows the importance of choosing carefully when it comes to gathering data. If an app is the chosen avenue, will it be developed in-house or purchased from an outside organization? No matter where it comes from, what steps will be taken to ensure a safe and efficient rollout, including user training? Long-term, who owns the app and is therefore responsible for basic maintenance, such as implementing patches and updates? In the push to reopen, the security and functionality of the way in which all of this new data enters a network in the first place can’t be overlooked.
- What’s this data being used for exactly? The answer to this question is some variation of: “to make sure, as much as possible, that those who enter a facility are healthy and to keep them that way.” Good intentions, as evidenced again by the Albion example above, aren’t always enough to earn people’s trust. Organizations must be transparent with their users. Policies regarding why certain data is being collected, how it’s being used, where it’s being stored, that it’s being secured, etc. all must be put in writing and communicated to user bases. A more open process is less likely to be greeted with pushback and suspicion.
Next Steps: Keeping your users – and their data – safe
Need a hand auditing your organization’s approach to data privacy, including as it pertains to COVID-19? Arraya Solutions can help. Our team can work with you to analyze your approach and, if necessary, adjust to ensure your most sensitive data stays out of the wrong hands. Reach out to us today to get a conversation started!
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team now.