Privacy and the Remote Office in the Time of COVID-19
As privacy professionals, we are always fighting on two fronts: protecting our organizations, customers, and staff from internal and external threats while responding to incidents in real time. Now, with the fast-moving COVID-19 pandemic, the privacy “attack surface” has grown to include countless home offices and kitchen tables. And the challenge of coordinating privacy incident response across far-flung teams, of even identifying incidents as they happen, has grown exponentially.
We are in uncharted territory of Privacy during COVID-19
The good news is that we are not alone. Every one of us is figuring out ways to deal with this new world, and if we join forces and share what we learn, we can come through this stronger than before.
By now, many of your organizations have large numbers of people working from home. We polled some of you online, and the vast majority said the transition is going pretty smoothly. We recently had a conversation with Kristi Harding, Senior Vice President and Chief Compliance Officer at Venerable, an emerging U.S. variable annuity business, to see how she and her team are dealing with the pandemic and new working conditions.
Embrace the Webcam (and the Babies)
Harding’s organization is encouraging online video meetings. She says that not only have they become a core way of collaborating, they are also critical for maintaining connections between people.
“A lot of our teams have said that without the video meetings, they would have no opportunity to connect with someone outside their homes because of the social distancing, and they really appreciate that time.”
Harding’s management team has also been flexible with meeting schedules, as many employees have children who need to attend school online several hours a day.
“If you have that flexibility, I encourage you as leaders to embrace that. And be prepared for an occasional child to pop into the video. You never know what doll-baby you’re going to get to see!”
Enforce Remote Privacy Controls
Of course, there’s the challenge of maintaining privacy practices as people work from home. Harding recommends:
- using multi-factor authentication for logins
- putting controls in place to prevent on-screen information from being cut and pasted outside of the company network
- ensuring employees follow best practices, such as using only approved communication channels
- making employees aware that smart devices such as Alexa and Google Home are always listening. Her company asks people to unplug or disable those devices during meetings.
Privacy Training: From Theory to Reality
And if you’re wondering whether privacy is relevant right now, it’s more relevant than ever. In fact, Harding sees the current situation as an opportunity.
“This is a great time to join team meetings of various groups and remind them about frauds and other things that are happening. Eighty-six percent of the insurance industry is anticipating that fraudsters will contact their call centers and try to take advantage of the situation, to say that they’ve been displaced, or they’ve lost a device, or they’re at a hospital and they need immediate access to their funds. So, it’s important to reinforce the rules that you had in place before the pandemic and to remind staff that they need to follow the right authentication procedures. And, in general, make sure they continue to be mindful of phishing attempts.”
(There are many kinds of scams aiming to leverage people’s angst about the coronavirus. At the end of March, IBM’s Threat Intelligence group reported that coronavirus-themed spam had jumped by 14,000 percent in the previous 2 weeks, and Check Point reports that almost 20% of coronavirus-related sites are malicious.)
Safeguard PHI and PPI: HIPAA Sanctions and the CARES Act
The aftermath of the pandemic is also going to change our work. Some privacy requirements have relaxed during the pandemic. Those of us who are in healthcare know that some HIPAA requirements have been relaxed temporarily to allow public health authorities to track the spread of the coronavirus.
The economic recovery will also raise privacy issues. In our conversation, Harding mentioned how her team is approaching the requirements of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
“Some people may not realize that there’s a direct impact to their industry. For insurance companies, there are certain relief provisions. There are three criteria for a consumer to qualify for those provisions: they were diagnosed with COVID, a spouse or dependent family member was diagnosed with COVID, or they were financially impacted by COVID. There could be a tendency for organizations to track which of the three people fall under, but we don’t want to collect that sensitive information. We’ve told our teams to let the customer self-certify and just note that they qualify under one of the three. I encourage privacy teams to track what information your company is collecting related to CARES and decide whether you want that stored in your system.”
Take Care of Yourselves and Each Other
The next few months will continue to be stressful, so work/life balance is especially important right now. Harding’s advice is to decide on a work schedule, and when it’s time to log off, actually log off and shut your computer down.
“If your laptop is on, it’s too tempting to try to answer just one email, and suddenly you get sucked in and you’re on your computer for one, two, three hours. You may need to be flexible with working if you have children at home, but set a routine and try to stick to it.”
She also advises setting aside someplace in your home as the workspace, so you can leave work there when you’re spending time with your family.
The current crisis has changed our work processes overnight, and while we’re pivoting quickly to adjust, there are some unforeseen benefits. Ironically, through being separated we’re getting to know our colleagues better—homes, families, how they dress in real life. We’ll certainly be better prepared for the next crisis. And we may learn a few things that improve our privacy and security programs, even for normal times.
Meantime, stay strong and stay safe out there. The world needs you now more than ever.