Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

6/5/2020
10:00 AM
Aaron Shum
Aaron Shum
Commentary
50%
50%

The Privacy & Security Outlook for Businesses Post-COVID-19

Long-term business needs -- and the ethical implications that result -- don't simply go away just because we're navigating a global health crisis.

While the COVID-19 pandemic continues to wreak havoc, organizations in all sectors are being challenged to adapt to unpredictable waves of change. As various jurisdictions begin to allow offices and other physical operations to reopen, business leaders are looking toward employee surveillance and mobile contact-tracing systems to simultaneously protect employee health and wellness and mitigate business and operational risks.

As you review your own plans to loosen the reins and return to a new normal, consider your options carefully — or risk compromising your long-term road map.

Contact Tracing: A Tenuous Balancing Act
The process of identifying people who may have come into contact with an infected person, typically for public health reasons, has rightfully emerged as a technique leveraged by businesses for near-term survival. In the battle against COVID-19, artificial intelligence–driven technologies are being deployed at scale in the mad rush to reduce the spread of the virus.

However, this short-term solution comes with significant long-term implications because the impact of these predominantly reactive approaches warrants broader ethical debate.

While no one disputes the life-saving benefits of contact tracing, data privacy experts are concerned about the fallout from hastily deployed technologies during the COVID-19 pandemic response. The Stored Communications Act and other parts of federal law in the US include emergency exceptions that permit a company's release of personal data for government use — a public health pandemic or emergency being one example of an exceptional circumstance. This already allows technology and telecommunication companies to disclose, without individuals' consent, large amounts of data about them to the federal government, and at an unprecedented scale.

How the government uses and disposes of the data in the longer term remains to be seen. Meanwhile, your business's use of the same data is scrutinized by various compliance and regulatory requirements, even if exceptions apply during the COVID-19 pandemic response.

Businesses should, without delay, review their data privacy program to better understand the impact on employees and customers in the likely development that the states or the US government mandate disclosure of data to help with pandemic-reduction efforts.

By ensuring that any changes in the collection and processing of sensitive private information are aligned with both internal and external data privacy policies, businesses and IT leaders can safeguard against the risk of exposure or detrimental relaxing of data-handling best practices to enable pandemic-related data processing.

Public Safety vs. Privacy
Changes in operational processes can be viewed as an opportunity to reinforce your employee's knowledge in the following areas:

  • The organization's privacy policies
  • Compliance and legal obligations around data privacy and security
  • Procedural instructions around how to handle data, including providing personal data and other sensitive data to third parties

The business still needs to define where to draw the line between safeguarding the public and being surveillant of the public. How can we reap the benefits that contact tracing provides while still ensuring that the private information leveraged is obtained consensually and used only for specified purposes?

To answer these questions, business must reinforce the primary objective — that is, the maintenance of public safety and global health. With this objective in mind, we can move to establish a set of parameters around the business use of this data. These include:

  • A defined purpose for contact tracing data. Integrating contact tracing into business processes and data flows introduce ambiguities around where these datasets came from and what they can be used for. Responsibly defined boundaries around private information collected for contact tracing, leveraging techniques such as data tagging/data classification, and simply segregated storage of contact tracing data reinforces the primary objective of maintaining public health and ensuring that the data is not used for alternative purposes.
  • Retention periods attached to every business process. Data collected as part of COVID-19 contact-tracing efforts should be used and retained only within the context of the pandemic. Establishing set retention periods and communicating these retention periods via privacy policies are both imperative in establishing a layer of trust.
  • Documented handling procedures and elevated security. Sensitive private information collected during contact tracing often includes not just information about your employees but also people they have come in contact with. Documented and vetted handling procedures, including risk-mitigating processes such as data minimization or anonymization/deidentification of data, will ensure that appropriate consent mechanisms exist while reducing the attack surface on the contact-tracing data.

While businesses need to make quick decisions about privacy, they can also make thoughtful decisions by setting parameters and limits while ensuring employee consent. This will help both businesses and employees get through this challenging period. As noted in a recent MIT Technology Review article, "there's a strong argument that much of what we build for this pandemic should have a sunset clause — in particular when it comes to the private, intimate, and community data we might collect."

Related Content:

 
 
 
 
 Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register

With 20+ years of experience across IT, InfoSec, and data privacy, Aaron specializes in helping organizations implement comprehensive information security and cybersecurity programs, as well as comply with data privacy regulations. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5595
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute...
CVE-2020-5596
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a mali...
CVE-2020-5597
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products o...
CVE-2020-5598
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop ...
CVE-2020-5599
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remo...