Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

6/5/2020
10:00 AM
Aaron Shum
Aaron Shum
Commentary
50%
50%

The Privacy & Security Outlook for Businesses Post-COVID-19

Long-term business needs -- and the ethical implications that result -- don't simply go away just because we're navigating a global health crisis.

While the COVID-19 pandemic continues to wreak havoc, organizations in all sectors are being challenged to adapt to unpredictable waves of change. As various jurisdictions begin to allow offices and other physical operations to reopen, business leaders are looking toward employee surveillance and mobile contact-tracing systems to simultaneously protect employee health and wellness and mitigate business and operational risks.

As you review your own plans to loosen the reins and return to a new normal, consider your options carefully — or risk compromising your long-term road map.

Contact Tracing: A Tenuous Balancing Act
The process of identifying people who may have come into contact with an infected person, typically for public health reasons, has rightfully emerged as a technique leveraged by businesses for near-term survival. In the battle against COVID-19, artificial intelligence–driven technologies are being deployed at scale in the mad rush to reduce the spread of the virus.

However, this short-term solution comes with significant long-term implications because the impact of these predominantly reactive approaches warrants broader ethical debate.

While no one disputes the life-saving benefits of contact tracing, data privacy experts are concerned about the fallout from hastily deployed technologies during the COVID-19 pandemic response. The Stored Communications Act and other parts of federal law in the US include emergency exceptions that permit a company's release of personal data for government use — a public health pandemic or emergency being one example of an exceptional circumstance. This already allows technology and telecommunication companies to disclose, without individuals' consent, large amounts of data about them to the federal government, and at an unprecedented scale.

How the government uses and disposes of the data in the longer term remains to be seen. Meanwhile, your business's use of the same data is scrutinized by various compliance and regulatory requirements, even if exceptions apply during the COVID-19 pandemic response.

Businesses should, without delay, review their data privacy program to better understand the impact on employees and customers in the likely development that the states or the US government mandate disclosure of data to help with pandemic-reduction efforts.

By ensuring that any changes in the collection and processing of sensitive private information are aligned with both internal and external data privacy policies, businesses and IT leaders can safeguard against the risk of exposure or detrimental relaxing of data-handling best practices to enable pandemic-related data processing.

Public Safety vs. Privacy
Changes in operational processes can be viewed as an opportunity to reinforce your employee's knowledge in the following areas:

  • The organization's privacy policies
  • Compliance and legal obligations around data privacy and security
  • Procedural instructions around how to handle data, including providing personal data and other sensitive data to third parties

The business still needs to define where to draw the line between safeguarding the public and being surveillant of the public. How can we reap the benefits that contact tracing provides while still ensuring that the private information leveraged is obtained consensually and used only for specified purposes?

To answer these questions, business must reinforce the primary objective — that is, the maintenance of public safety and global health. With this objective in mind, we can move to establish a set of parameters around the business use of this data. These include:

  • A defined purpose for contact tracing data. Integrating contact tracing into business processes and data flows introduce ambiguities around where these datasets came from and what they can be used for. Responsibly defined boundaries around private information collected for contact tracing, leveraging techniques such as data tagging/data classification, and simply segregated storage of contact tracing data reinforces the primary objective of maintaining public health and ensuring that the data is not used for alternative purposes.
  • Retention periods attached to every business process. Data collected as part of COVID-19 contact-tracing efforts should be used and retained only within the context of the pandemic. Establishing set retention periods and communicating these retention periods via privacy policies are both imperative in establishing a layer of trust.
  • Documented handling procedures and elevated security. Sensitive private information collected during contact tracing often includes not just information about your employees but also people they have come in contact with. Documented and vetted handling procedures, including risk-mitigating processes such as data minimization or anonymization/deidentification of data, will ensure that appropriate consent mechanisms exist while reducing the attack surface on the contact-tracing data.

While businesses need to make quick decisions about privacy, they can also make thoughtful decisions by setting parameters and limits while ensuring employee consent. This will help both businesses and employees get through this challenging period. As noted in a recent MIT Technology Review article, "there's a strong argument that much of what we build for this pandemic should have a sunset clause — in particular when it comes to the private, intimate, and community data we might collect."

Related Content:

 
 
 
 
 Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register

With 20+ years of experience across IT, InfoSec, and data privacy, Aaron specializes in helping organizations implement comprehensive information security and cybersecurity programs, as well as comply with data privacy regulations. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-0532
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177
CVE-2021-0533
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185193932
CVE-2021-26461
PUBLISHED: 2021-06-21
Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
CVE-2021-0478
PUBLISHED: 2021-06-21
In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services without notifying the user, with User execution privileges needed. User interaction is not needed for explo...
CVE-2021-0504
PUBLISHED: 2021-06-21
In avrc_pars_browse_rsp of avrc_pars_ct.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: ...