Part 2: COVID-19 Privacy Q&A with Jodi Daniels
August 12, 2020
Part 2: COVID-19 Privacy Q&A with Jodi Daniels, CIPP/US
Founder of Red Clover Advisors & Evident Health Status Advisor
Q: As more and more companies postpone returning to the workplace, what are the biggest data privacy issues they face with a remote workforce?
A: Phishing is a big one. Imagine an employee gets a phishing email that says, for example, “You can’t come back to work until you take this health survey.” If they aren’t verifying who the email is coming from, and they fill in all their information, they’re suddenly giving it all up.
Phishing was already a big deal before COVID, but now we’re seeing new scams emerge. The first types we saw were the PPP-related phishing emails, and that won’t be the end of it. All an employee has to do is click on a link, and bad actors can come in and crash the company’s network.
Under CCPA, if a company experiences a data breach of this type, there’s potential for a class action lawsuit. The part that concerns me is that even if the company has great security measures in place, people who are litigious will file a lawsuit, which can also have a big impact on companies. Communication, training, and education on phishing are of major importance.
There are also things like access controls to consider. Companies need to think about heightened security around remote access and how they’re going to patch their systems remotely in the event of a breach. Who knows if we’ll end up back in the workplace ever again after we’ve spent a year to 18 months working from home. The time to learn how to manage a remote workforce is now, so companies can prepare themselves for what happens in the fall and beyond.
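The answer above stresses verifying who an email is coming from before filling in a "health survey". The following is an added example, not part of the interview or of Red Clover Advisors' material, showing the kind of automated sender check a mail gateway or SOC script can run over a message: it compares the display name against the sending domain, reads the Authentication-Results header for SPF/DKIM outcomes, and flags a health-survey lure that carries a link. The two messages and the domain acme.example are constructed for the example; the list of internal domains is an assumption a deployment would replace with its own.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: a lure of the kind described in the interview. The
# display name impersonates HR, but the address is on an unrelated domain
# and the receiving gateway recorded SPF failure and no DKIM signature.
SAMPLE_PHISH = """From: "Acme HR Team" <hr-notice@acme-health-check.example>
To: employee@acme.example
Subject: Required: complete this health survey before returning to work
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=acme-health-check.example; dkim=none
Content-Type: text/plain

You can't come back to work until you take this health survey: https://acme-health-check.example/survey
"""

# Constructed sample: a legitimate internal notice that passes both checks.
SAMPLE_LEGIT = """From: "Acme HR Team" <hr@acme.example>
To: employee@acme.example
Subject: Return-to-work update
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example
Content-Type: text/plain

Please see the intranet for the updated return-to-work schedule.
"""

# Assumption: the company's own mail domains (replace in a real deployment).
INTERNAL_DOMAINS = {"acme.example"}

# Display-name words that suggest the sender is claiming to be an internal team.
INTERNAL_ROLE_WORDS = re.compile(r"\b(hr|human resources|it|payroll)\b", re.I)


def sender_domain(msg):
    """Return the lower-cased domain of the address in the From header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= outcomes from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess(raw):
    """Return a list of findings for one raw message; an empty list means no flags."""
    msg = message_from_string(raw)
    findings = []

    # 1. An internal-sounding display name sent from a domain we do not own.
    name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg)
    if domain not in INTERNAL_DOMAINS and INTERNAL_ROLE_WORDS.search(name):
        findings.append(f"internal-sounding display name from external domain {domain}")

    # 2. SPF or DKIM did not pass at our own gateway.
    auth = auth_results(msg)
    for mech in ("spf", "dkim"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")

    # 3. The health-survey lure pattern from the interview, combined with a link.
    body = msg.get_payload()
    if re.search(r"health (survey|screening|questionnaire)", body, re.I) and re.search(r"https?://", body):
        findings.append("health-survey lure with link")

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess(raw))
```

The Authentication-Results header is only trustworthy when it was written by the organisation's own receiving gateway (the `mx.acme.example` authserv-id here); inbound filters normally strip any copy of that header that arrives from outside, and this check assumes that has been done.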
Q: What should businesses be doing from a privacy perspective to make their employees feel more comfortable during this pandemic?
A: Employers want to maintain their businesses, but they can’t do that without their employees, so they need to think about their people first. Employees want to earn a paycheck, but they also want to make sure their data isn’t being misused.
The more you can look at what both sides want and put them together, the easier it will be to keep everyone informed about what the company’s doing with their data and how they’re going to keep it safe. If a business can tell their employees that they’re securing their data, storing it separately, and not retaining it forever, they are more likely to get their employees’ consent to use their data to help reduce COVID risk and liability in the workplace.
Even with that transparency, consent capture is still fuzzy, given the risk of harm that the virus can inflict on all employees. If companies are going to try to capture consent, it’d be better to inform an employee that they’ve consented to health monitoring, for example, and word it in a way that explains that what they’re doing is for the greater good and for everyone’s safety, without trying to coerce them. In fact, some companies are looking into anonymous health survey options to bypass consent capture altogether.
The point I try to emphasize with my clients is that they need to think about employees first and consider their objections – they just want a safe place where they can come to work and know that their information is protected.
Q: What’s something companies can start doing now, during the pandemic, to avoid potential privacy backlash later?
A: When it comes to limiting business risk and exposure to COVID-19, I think a lot of people are saying: “This is an HR problem – let them figure it out,” but it’s not just HR’s problem. Privacy, legal, security, and other people who deal with these topics need to be part of the conversation. Companies can’t just say: “Let’s create a new HR policy that includes health monitoring.” This is a company-wide decision that impacts everyone, and any policies introduced during a pandemic have to be consistent, especially from a privacy perspective.
Most companies don’t realize the importance of privacy – from where I stand, privacy is connected to trust. I’ll buy your product or service because it’s great and I believe in it and I trust you’ll deliver that to me, but when I give you my data to buy that thing or service, I also trust that you’re going to do the right thing with it. If you don’t, or you don’t take it seriously, or you do just the bare minimum above the law, it shows me that your business doesn’t care about me. I might not even know that you’ve dropped the ball until there’s an issue, and when that happens, you’ve lost me, and I’m going to be very upset.
Trust is certainly a big issue in America right now. We saw 400 big brands boycott Facebook in July because they decided they weren’t going to trust a platform that was allowing and creating a vehicle for hate. I don’t think companies are taking privacy and security as seriously as they should be, and most cyber professionals will tell you that the long-term effects of data breaches will sometimes take years to inflict real damage.
The bottom line is: if an employee doesn’t trust that their employer is protecting their data when they come to work, will they even try to do a good job? Sure, they might do the mandatory temperature checks, but if they don’t feel like the company cares about their best interests, will they even give you an accurate picture of their health? If they’re being forced to provide personal health information to help reduce their employer’s liability and risk and they have no idea what the company’s doing with their data, they won’t be as productive.
Taking care of your employees includes taking care of their personal data. This is especially important at a time when everyone is on edge about this virus. Data protection is a personal thing that affects literally everyone, and all an employee wants is to be able to earn their wage, do their job, and make sure that they’re protected.