By: Tamara Hunter | Kara N. Davis | David Spratley
The ongoing COVID-19 pandemic has brought about changes for all of us. While some of these changes are temporary, others may linger or even result in more permanent changes to the way we do business, even when the requirements for severe social distancing are relaxed or lifted entirely. Meanwhile, the simpler pace provides more time to envisage and plan our actions – whether we retain some of this contemplative capacity or transition to “full speed ahead” once the quarantine is lifted remains to be seen. In the meantime, your organization might consider using some of the current “down time” to evaluate the state of your privacy and data protection management, taking into account your organization’s current business model, which may have been impacted to varying degrees as a result of the pandemic.
Many organizations have made changes to how they do business in order to find ways of serving (and retaining) customers and maintaining revenue flows despite the COVID-19 isolation requirements. For example, some businesses have switched their focus to the electronic marketplace, now that the “bricks and mortar” option is largely unavailable. Many organizations now have numerous staff working from home, instead of in the office. When the social distancing requirements begin to ease, will organizations continue to focus on internet sales over in-person sales? Will they strive to maintain reduced overhead costs by continuing to have a portion of their workforce working from home? How will organizations wishing to return to “business as usual” safely bring employees back into the workplace?
All of these questions give rise to legal issues, including the potential implications for privacy and data protection. Now is a good time for organizations to consider these potential implications and make viable plans to address them in a way that is compliant with applicable privacy and data protection laws, consistent with best practices, and respectful and supportive of customer/employee trust in the organization. Israeli companies that have offices in Canada need to consider taking many of these measures. Such an approach will require a consideration of the organization’s policies and practices concerning the collection, use, disclosure and security of personal information with an eye to making adjustments and improvements where needed.
Increase in electronic sales and marketing
Moving to an ecommerce focus means that more transactions will take place without in-person customer communication, which calls for closer attention to an organization’s privacy policy. Questions you might ask about your current privacy policy include:
- Does the policy reflect all of the current purposes for which the organization collects, uses and discloses personal information of existing customers and new website visitors? Or, is the organization using an old “cookie-cutter” privacy policy that was hastily pulled together back when its website was being created or revamped?
- Do the policy and any consent provisions used in the course of ecommerce meet the Privacy Commissioner of Canada’s January 2019 Consent Guidelines?
- Does the privacy policy clearly indicate whether the organization uses service providers located outside of Canada and whether a customer’s personal information may be transferred or stored outside Canada? The Privacy Commissioner of Canada has made clear that transparency on these matters is required under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and the Alberta Personal Information Protection Act (“Alberta PIPA”) expressly requires that notice be provided on these points.
Increased concentration on electronic marketing also means that an organization must ensure its electronic messaging is compliant with Canada’s Anti-Spam Legislation (“CASL”). The mere presence of an unsubscribe mechanism in an electronic message is not sufficient to meet CASL requirements. To comply with CASL, an organization must also ensure that before sending an electronic marketing message, the organization can demonstrate to regulators that it either: (a) has obtained express prior consent in CASL-compliant form, or (b) has confirmed that an authorizing provision of CASL allows the organization to send the commercial electronic message without such express consent. Regulators have robust enforcement mechanisms and have reported that between April 1, 2019 and September 30, 2019, for example, over 145,000 complaints were made to the Spam Reporting Centre. Further, since CASL came into force in 2014, enforcement efforts have resulted in penalties totaling nearly $1.2 million.
Working remotely
Working remotely, or “teleworking,” presents unique cybersecurity challenges to the organization, the employee and the supply chain, especially when being done for the first time in a rapidly changing environment.
A number of entities have issued alerts warning of increased malicious cyber activity related to COVID-19. For example, the Canadian Centre for Cyber Security has implored organizations to remain aware of ongoing phishing and ransomware risks, which may be heightened during the pandemic. In the USA, the FBI has noted that cyber threat actors are seeking “to profit from a sudden growth in teleworking, increased use of virtual education systems for online classes, a surge in online shopping, and public appetite for information related to the pandemic…”. A recent Canadian National Post story has reported that “since the pandemic started, cyberattacks have surged around the world”.
Some of the key issues for organizations to consider when moving through this transformative period of remote working are discussed below. Please also see: Coronavirus: Cybersecurity considerations for your newly remote workforce.
Awareness and training
It is important for organizations to train network users on the latest security best practices. Security policies and procedures may need to be updated to include additional guidance for working remotely, and these policies and procedures should be redistributed to all remote employees. If employees use personal devices to access company resources, employers may consider reminding employees to:
- update their device’s operating system and apps;
- ensure appropriate anti-virus software is installed and running on all devices used for remote work; and
- enable security features for browsers and cloud-based applications and accounts.
Employees should also be reminded of best practices when connecting to Wi-Fi networks outside of their office, including securing wireless routers at home.
Email protection
Employees may be especially vulnerable at this time to email-facilitated cybercrime. The most prevalent schemes include phishing designed to trick employees into disclosing credentials or other confidential information, as well as business email compromises focused on diverting electronic payments to criminals’ accounts. Governments and cybersecurity experts are reporting a surge in COVID-19-related phishing activity.
Employees should be advised to be on alert for increased phishing attempts. Where appropriate, employers may consider providing specific examples to illustrate how to spot malicious messages or engaging a security firm to send test phishing messages.
The ways to potentially combat phishing attempts include:
- double checking the sender’s email address;
- confirming that the address a reply would be sent to (the Reply-To address) is the same as the sender’s address and is correct;
- paying close attention to grammar/typos, wording, sentence structure, tone and context for any message seeking information or some responsive action; and
- using a separate form of authentication (usually and most easily phone calls to a “known good” number) to confirm the authenticity of the email communication and any request for a funds transfer.
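The first three checks in the list above can be applied mechanically before a message ever reaches an employee. The following Python script is an added example, not part of the original article: it parses a raw email, compares the sender against a constructed “known good” contact directory, compares the Reply-To domain with the From domain, and looks for the pressure wording that typically accompanies a payment-diversion request. The contact directory, the phrase list and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Constructed "known good" directory: display names and the addresses the
# organization has previously verified for them (a real one would be larger).
KNOWN_CONTACTS: Dict[str, str] = {"jane doe": "jane.doe@example.com"}

# Constructed list of wording that deserves a second look when paired with a
# request for action, especially a funds transfer.
PRESSURE_PHRASES = ("urgent", "immediately", "wire transfer", "new bank details")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Collect the text/plain content of a parsed message (single or multipart)."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def screen_message(raw: str) -> List[str]:
    """Apply the article's checks to one raw RFC 5322 message; return findings."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Double-check the sender's address: a familiar display name on an
    #    address that is not the one on file (look-alike domains fail here).
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and expected != from_addr.lower():
        findings.append(f"display name '{from_name}' is known as {expected} "
                        f"but this message came from {from_addr}")

    # 2. Confirm where a reply would actually go: a Reply-To header that
    #    points at a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"replies would go to {reply_addr}, not to the "
                        f"sender's domain {domain_of(from_addr)}")

    # 3. Tone and context: pressure wording in the subject or body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [phrase for phrase in PRESSURE_PHRASES if phrase in text]
    if hits:
        findings.append("pressure wording present: " + ", ".join(hits))
    return findings


# Constructed sample messages; note the digit "1" in "examp1e" below.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: finance@mail-examp1e.net
To: ap@example.com
Subject: Urgent: updated bank details

Please process the wire transfer immediately using the new bank details below.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Agenda for Thursday

The agenda for Thursday's meeting is attached. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", screen_message(raw) or "no findings")
```

None of these checks is proof of fraud on its own; a clean result still does not replace the fourth item in the list, an out-of-band phone call to a known good number before any funds are moved.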
Secure systems enabling remote access
Virtual Private Networks (VPNs) are a common tool used to enable secure, remote access to an organization’s internal networks. It is a best practice to use VPNs or other secure “tunnels” whenever feasible, particularly if users are working from personal devices. Businesses should strongly consider confirming that systems enabling remote access, such as VPNs and other network infrastructure devices, are patched to the latest available version. Systems not previously made available outside of a business’s network may now be exposed out of necessity. Best practices generally include having IT administrators validate system configurations against security standards and reference architectures for those systems. Access to systems on the enterprise network should be limited to those with a clear business need and on a “least privilege” basis.
Multi-factor authentication
Multi-Factor Authentication (MFA) is a powerful tool in combating potential unauthorized access to systems where access credentials have been lost or stolen. As additional systems are made accessible outside of the business’s network and employees are targeted in phishing attempts, this additional layer of security can potentially help prevent many intrusions. Where feasible, it is a best practice for employees with remote access to have MFA enabled on their accounts.
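To show concretely why a stolen password alone is not enough once MFA is in place, the following Python script is an added example (not from the article or any product it mentions) that implements the standard time-based one-time password algorithm (RFC 4226 HOTP and RFC 6238 TOTP) with the standard library only, and a login routine that refuses access unless both the password and the current code are correct. The account, its password and the seed (the RFC test secret “12345678901234567890” in base32) are constructed for this example; the SHA-256 password hash is used only to keep the demo dependency-free, and a real user store would use a slow password hash such as bcrypt or Argon2.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo account. The seed is the RFC 4226/6238 test secret
# "12345678901234567890" encoded in base32, used here purely for illustration.
DEMO_TOTP_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()
TOTP_STEP_SECONDS = 30


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    key = base64.b32decode(seed_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is what the employee's authenticator app computes."""
    return hotp(seed_b32, int(at_time // step))


def verify_totp(seed_b32: str, submitted: str, at_time: float, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side to tolerate clock drift; uses a constant-time comparison
    so the check itself does not leak which digits matched."""
    current = int(at_time // TOTP_STEP_SECONDS)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(seed_b32, counter), submitted):
            return True
    return False


def login(password: str, otp: Optional[str], at_time: Optional[float] = None) -> str:
    """Two-factor login: a correct password without a valid current code is
    still refused, which is the property the article relies on when
    credentials have been phished or otherwise stolen."""
    now = time.time() if at_time is None else at_time
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, DEMO_PASSWORD_HASH):
        return "denied: bad password"
    if otp is None or not verify_totp(DEMO_TOTP_SEED_B32, otp, now):
        return "denied: second factor missing or invalid"
    return "granted"


if __name__ == "__main__":
    # Simulates an attacker who has the password but not the authenticator.
    print(login("correct horse battery staple", None))
    # Simulates the legitimate user with both factors.
    print(login("correct horse battery staple", totp(DEMO_TOTP_SEED_B32, time.time())))
```

The drift window is deliberately small: every extra step on either side widens the set of codes an attacker could guess, so most deployments keep it at one step and also reject a code that has already been used.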
Non-standard cloud technology
Employers should reaffirm which hardware, software and tools are approved and available for employees’ remote use and how confidential information should be handled. These controls work best where employees are made aware of which tools may be used to store and share files securely while working remotely. Blacklisting unapproved email and file-sharing websites, combined with a defined process for granting exceptions, is a practical way to enforce policies that limit the use of non-standard technology.
Business continuity and IT support
IT practitioners have been working tirelessly to set up and support their user populations with secure, remote access. As employees work from home, organizations can expect an onslaught of IT issues related to remote access. Help desks may be overburdened and face significant delays triaging and identifying critical issues. IT managers are strongly encouraged to consider holding regular touchpoints with business leaders to identify critical issues affecting the remote workforce and to align on priorities for resolution. Lastly, employers are strongly encouraged to consider reminding employees of their responsibilities related to reporting potential information security incidents, especially considering the mandatory reporting and notification obligations set out in PIPEDA and in Alberta PIPA.
Time to revisit the cyber incident response plan
Every organization is encouraged to review – and revise, where necessary – its cyber incident response plan to account for new attack risks to its own network and to its supply chain. Incident responders need out-of-network access to scenario-specific response protocols, business continuity/disaster recovery plans, team contact lists, key vendor agreements, communications packets, law enforcement contacts and legal resources (contract matrices, data breach notification requirements, etc.). Businesses are urged to analyze cyber insurance policies for notification obligations and required approvals for the use of response vendors (legal, forensics, public relations, notifications, etc.).
Returning to the workplace
As and when the need for social distancing is reduced, organizations will be faced with issues connected to employees returning to the workplace. Should organizations engage in some form of health screening or testing of employees before allowing them to return to the workplace, given an employer’s obligation to take reasonable precautions for the protection of its workforce? The answer to this question will depend, in part, on the advice and requirements being issued at the relevant time by provincial medical and public health officials, together with the requirements of applicable employment, occupational health and safety, human rights and privacy laws.
To the extent any screening or testing mechanisms will be engaged, qualified individuals should administer these mechanisms in a safe, secure and private manner, employees should receive advance written notice regarding the purposes for which any screening/testing results will be used and how the results will be stored and secured, and the organization should obtain employee consent before actual screening/testing (even where screening/testing is considered mandatory by an organization for the employee to return to the workplace).
Organizations will also need to develop a plan for addressing situations where employees have returned to the workplace and later exhibit potential symptoms of COVID-19.
Guidance from the Privacy Commissioner of Canada
The Privacy Commissioner of Canada has recently issued a Framework for assessing privacy-impactful initiatives in response to COVID-19. While the Framework primarily focuses on government actions, it also provides some guidance for the private sector and identifies key privacy principles which should factor into any decisions being made regarding measures proposed to combat COVID-19. Organizations should consider this Framework (summarized below) when addressing the various issues identified above:
- All organizations must continue to operate with lawful authority, notwithstanding the pandemic. For the Canadian private sector, this means complying with applicable privacy legislation like PIPEDA, and substantially similar statutes in BC, Alberta and Quebec (provincial health privacy legislation may also apply in some circumstances).
- Measures being taken for public/workforce health purposes must be necessary and proportionate. Public/workforce health purposes must be science-based and measures must be tailored so as to be rationally connected to the specific purpose to be achieved.
- Personal information collected, used or disclosed to address public/workforce health effects of COVID-19 must not be used for other purposes (without informed prior consent of the affected individual) nor retained indefinitely. Generally, personal information collected for such purposes should be securely destroyed when the crisis ends, except where retention is required for narrow purposes, such as accountability.
- Organizations and government should consider whether personally-identifiable information is required in a particular context or whether de-identified or aggregate data would be sufficient.
- The use of location data should be carefully considered – real-time precise location data can be very challenging to fully anonymize or de-identify.
- Privacy-invasive measures should be time-limited, with obligations to end when they are no longer required.
This article highlights only some of the key data protection and privacy issues raised by the COVID-19 pandemic and its impact on organizations and employees. It is not intended to be comprehensive, and it does not constitute legal advice.
Please contact the authors or your DLA Piper relationship lawyer if you would like more specific advice, whether on privacy, data security matters or any wider business issues.