Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

6/5/2020
10:00 AM
Aaron Shum
Aaron Shum
Commentary
50%
50%

The Privacy & Security Outlook for Businesses Post-COVID-19

Long-term business needs -- and the ethical implications that result -- don't simply go away just because we're navigating a global health crisis.

While the COVID-19 pandemic continues to wreak havoc, organizations in all sectors are being challenged to adapt to unpredictable waves of change. As various jurisdictions begin to allow offices and other physical operations to reopen, business leaders are looking toward employee surveillance and mobile contact-tracing systems to simultaneously protect employee health and wellness and mitigate business and operational risks.

As you review your own plans to loosen the reins and return to a new normal, consider your options carefully — or risk compromising your long-term road map.

Contact Tracing: A Tenuous Balancing Act
The process of identifying people who may have come into contact with an infected person, typically for public health reasons, has rightfully emerged as a technique leveraged by businesses for near-term survival. In the battle against COVID-19, artificial intelligence–driven technologies are being deployed at scale in the mad rush to reduce the spread of the virus.

However, this short-term solution comes with significant long-term implications because the impact of these predominantly reactive approaches warrants broader ethical debate.

While no one disputes the life-saving benefits of contact tracing, data privacy experts are concerned about the fallout from hastily deployed technologies during the COVID-19 pandemic response. The Stored Communications Act and other parts of federal law in the US include emergency exceptions that permit a company's release of personal data for government use — a public health pandemic or emergency being one example of an exceptional circumstance. This already allows technology and telecommunication companies to disclose, without individuals' consent, large amounts of data about them to the federal government, and at an unprecedented scale.

How the government uses and disposes of the data in the longer term remains to be seen. Meanwhile, your business's use of the same data is scrutinized by various compliance and regulatory requirements, even if exceptions apply during the COVID-19 pandemic response.

Businesses should, without delay, review their data privacy program to better understand the impact on employees and customers in the likely development that the states or the US government mandate disclosure of data to help with pandemic-reduction efforts.

By ensuring that any changes in the collection and processing of sensitive private information are aligned with both internal and external data privacy policies, businesses and IT leaders can safeguard against the risk of exposure or detrimental relaxing of data-handling best practices to enable pandemic-related data processing.

Public Safety vs. Privacy
Changes in operational processes can be viewed as an opportunity to reinforce your employee's knowledge in the following areas:

  • The organization's privacy policies
  • Compliance and legal obligations around data privacy and security
  • Procedural instructions around how to handle data, including providing personal data and other sensitive data to third parties

The business still needs to define where to draw the line between safeguarding the public and being surveillant of the public. How can we reap the benefits that contact tracing provides while still ensuring that the private information leveraged is obtained consensually and used only for specified purposes?

To answer these questions, business must reinforce the primary objective — that is, the maintenance of public safety and global health. With this objective in mind, we can move to establish a set of parameters around the business use of this data. These include:

  • A defined purpose for contact tracing data. Integrating contact tracing into business processes and data flows introduce ambiguities around where these datasets came from and what they can be used for. Responsibly defined boundaries around private information collected for contact tracing, leveraging techniques such as data tagging/data classification, and simply segregated storage of contact tracing data reinforces the primary objective of maintaining public health and ensuring that the data is not used for alternative purposes.
  • Retention periods attached to every business process. Data collected as part of COVID-19 contact-tracing efforts should be used and retained only within the context of the pandemic. Establishing set retention periods and communicating these retention periods via privacy policies are both imperative in establishing a layer of trust.
  • Documented handling procedures and elevated security. Sensitive private information collected during contact tracing often includes not just information about your employees but also people they have come in contact with. Documented and vetted handling procedures, including risk-mitigating processes such as data minimization or anonymization/deidentification of data, will ensure that appropriate consent mechanisms exist while reducing the attack surface on the contact-tracing data.

While businesses need to make quick decisions about privacy, they can also make thoughtful decisions by setting parameters and limits while ensuring employee consent. This will help both businesses and employees get through this challenging period. As noted in a recent MIT Technology Review article, "there's a strong argument that much of what we build for this pandemic should have a sunset clause — in particular when it comes to the private, intimate, and community data we might collect."

Related Content:

 
 
 
 
 Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register

With 20+ years of experience across IT, InfoSec, and data privacy, Aaron specializes in helping organizations implement comprehensive information security and cybersecurity programs, as well as comply with data privacy regulations. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
CVE-2021-20311
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...