Privacy and cybersecurity should be considered as organizations think about how to tackle the effects of the coronavirus (“COVID-19”) outbreak. Questions to consider include: (1) What is considered “reasonable security procedures” when businesses are forced to abruptly shift to a remote workforce? (2) How should businesses balance employees’ privacy rights against the need to keep businesses up and running? (3) What steps can a business take now to prevent itself from becoming COVID-19’s virtual victim? The Cybersecurity, Information Governance, and Privacy attorneys at Troutman Sanders share best practices and tips through three separate publications:

  1. Cybersecurity Tips To Prevent Your Business from Becoming COVID-19’s Virtual Victim: While protecting the health of employees and clients should be every organization’s top priority, businesses would be naïve to ignore the cyber risks presented by the COVID-19 outbreak, which has forced a majority of businesses to shift to a work-at-home workforce. Hackers, looking to capitalize on fragmented operations and inherent employee vulnerabilities that exist even in the absence of crisis and panic, are leveraging COVID-19 to carry out their attacks. For cybersecurity tips to help protect your business from becoming COVID-19’s virtual victim, click here.
  2. COVID-19 Warrants Modified Cybersecurity for Work-At-Home: Many privacy and data protection statutes require businesses to implement “reasonable security procedures” to protect personal information. What is “reasonable” depends on the size of each business and the nature of the data it collects. As a result, many organizations rely on guidelines and frameworks when making decisions (e.g., National Institute of Standards and Technology Cybersecurity Framework, Center for Internet Security Controls Top 20, etc.). However, as COVID-19 continues to spread and businesses worldwide are forced to shift abruptly to a work-at-home workforce, the question arises as to whether the standard for “reasonable security” changes. Despite the fact that many organizations likely did not prepare for a global pandemic, the regulatory and agency guidance issued thus far seem to lead us to the same conclusion: COVID-19 warrants a shift in cybersecurity practices. For an in-depth analysis and security safeguards to consider when shifting to a remote workforce, click here.
  3. Notice to Employers: Remember Privacy Basics When Addressing COVID-19: As COVID-19 continues to spread, businesses are pushed to make swift decisions that impact not only business operations, but also the privacy and security of employees’ personal information. In times like these, the Fair Information Practice Principles (“FIPPs”) should be every organization’s guiding light. The FIPPs are principles that address the privacy of individuals’ personal information and provide the foundation for many United States state and federal privacy laws (e.g., California Consumer Privacy Act and Health Insurance Portability and Accountability Act) and international privacy laws (e.g., General Data Protection Regulation). When decisions must be made under pressure, businesses would be wise to refer back to the FIPPs as a sounding board prior to taking action. For an in-depth analysis of a few core privacy principles that should be at the forefront of every organization’s mind as it tackles the operational effects of COVID-19, click here.