Irrespective of your industry, the current COVID-19 pandemic poses a new and unique challenge to organizations, their employees, and their customers. The emergence of COVID-19 has prompted organizations to collect and process personal information in new ways, and to create and design technology solutions to address and mitigate the pandemic. Threat actors are seizing on the opportunities created by the disruption to normal business practices and executing targeted attacks on sensitive data, critical systems and widely used communication tools.
As part of White & Case's ongoing legal updates on COVID-19-related issues affecting our clients' businesses around the world,1 this alert examines COVID-19 data privacy and cybersecurity considerations and guidance issued by various U.S. state and federal regulatory agencies.
Guidance from the Regulators
COVID-19-related guidance issued in the U.S. reflects the country's disjointed and sector-specific data privacy regime. As described below, U.S. regulators in several sectors have been active in advising businesses on how to manage their data collection, processing and sharing practices during the COVID-19 pandemic.
Health Information Privacy
The Office for Civil Rights at the U.S. Department of Health and Human Services (OCR) has released guidance documents that detail its regulatory priorities under the Health Insurance Portability and Accountability Act (HIPAA). The OCR's guidance provides much needed flexibility for healthcare providers and their business associates2 regarding their compliance obligations during the COVID-19 crisis.
Guidance on Information Sharing
In February 2020, the OCR released a bulletin reiterating when the HIPAA Privacy Rule permits a covered entity to disclose certain patient health information without the individual's authorization. Such permitted disclosures include:
- As necessary to treat the patient or to treat a different patient, including the "coordination or management of healthcare and related services by one or more healthcare providers and others."
- To support the public health activities of public health authorities, such as the CDC or state or local health departments.
- To the family, friends, and others involved in an individual's care.
- To prevent or lessen a serious or imminent threat to the health and safety of a person or the public.
The OCR emphasized that the covered entity must limit such disclosures to the "minimum necessary" to accomplish the purpose of the disclosure (a limitation that does not apply to disclosures made for treatment). In a separate notice, the OCR indicated its intention to waive penalties and sanctions against hospitals that have implemented a disaster protocol and, during the emergency period, fail to abide by certain privacy notice and patient authorization requirements under the HIPAA Privacy Rule; the waiver is limited in scope and duration, so hospitals should confirm that any reliance on it falls within its terms.
Enforcement Discretion for Telehealth and Business Associates
The OCR has also represented in two subsequent notices that it is exercising its enforcement discretion in how it applies the HIPAA Rules with regard to telehealth and business associates during the public health emergency. Under the telehealth notice, the OCR stated that it "will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency." The notification specifies that covered healthcare providers may examine patients exhibiting COVID-19 symptoms, or any other medical condition, using a nonpublic-facing video chat application connecting the provider's and patient's phones or desktop computers. Public-facing applications (those where a session is open to anyone who finds it, such as a public livestream) remain outside the scope of this discretion.
Under the business associates notice, the OCR has similarly indicated it will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity if (1) the business associate makes a good faith use or disclosure of the covered entity's protected health information for public health activities or health oversight activities, and (2) the business associate informs the covered entity of this use or disclosure within ten (10) calendar days. The notice provides examples of such good faith uses or disclosures, which include disclosure to the CDC or a similar public health authority for the purpose of controlling the spread of COVID-19, or disclosure to the Centers for Medicare & Medicaid Services (CMS) or a similar health oversight agency for the purpose of overseeing the healthcare system as it relates to the COVID-19 response.
Financial Information Security
Guidance for the financial services industry has focused on cybersecurity risk management, with some regulators imposing reporting requirements. On March 10, 2020 and again on April 13, 2020, the New York Department of Financial Services (NYDFS) issued Industry Letters requesting that regulated entities prepare and submit plans of preparedness in response to COVID-19. These plans must address a number of issues, including cybersecurity. NYDFS identified specific areas of focus for organizations, including recognizing the increased risk of cyberattacks and fraud, the effectiveness of remote access in sustaining operations, the adequacy of governance and backup procedures, and the preparedness of critical service providers. Regulated entities are required to submit responses "as soon as possible and in no event later than thirty (30) days from the date of" the Industry Letter.
The Financial Industry Regulatory Authority (FINRA) also issued an alert on March 26, 2020 providing guidance to firms on steps to "address increased vulnerability to cybersecurity attacks and to protect customer and firm data." FINRA's guidance describes several measures for improving existing controls, including ensuring secure connections between home and firm networks, enhancing access controls, increasing employee awareness of prevalent cyberattacks, and incident response preparedness.
Employee Information Privacy
The Equal Employment Opportunity Commission (EEOC) released COVID-19-related guidance for employers on March 19, 2020 clarifying that it will not be a violation of the Americans with Disabilities Act (ADA) or the Rehabilitation Act if employers ask employees who report feeling ill whether they are experiencing any symptoms consistent with COVID-19. Similarly, the EEOC clarified that it will not be a violation of the ADA if an employer requires employees to submit to non-invasive temperature testing to ensure employees are fever-free. Information collected in this way is still medical information for ADA purposes and must be kept confidential and stored separately from the employee's personnel file.
Education Information Privacy
On April 9, 2020, the Federal Trade Commission (FTC) issued guidance for companies operating in the education space during the COVID-19 pandemic, to ensure that organizations are aware of their compliance obligations with regard to the collection of personal information from children, as education moves online. Citing the Children's Online Privacy Protection Act (COPPA), the FTC's guidance reiterated several obligations imposed on education technology companies, including to provide a compliant, easily understandable privacy notice to schools that can be shared with both parents and children. The FTC also clarified that education technology companies can obtain the necessary parental consent from the schools as long as the child's personal information is used for a school-authorized educational purpose and for no other commercial purpose.
Similarly, the Department of Education (DOE) issued guidance designed to assist certain education agencies and institutions in preserving student privacy during the disclosure of personally identifiable information (PII) from student education records for COVID-19-related purposes. Citing the Family Educational Rights and Privacy Act (FERPA), the DOE emphasized that an exception to the written consent requirements for the disclosure of student education records containing PII exists for disclosures made pursuant to a "health or safety emergency."
Increased Threat of Cybersecurity Incidents
The rapid changes in how and where businesses operate, and in particular the shift to "work-from-home," have created a number of new threat vectors for cyberattacks against companies.3 These include phishing campaigns using COVID-19 information as a lure, spoofing of public health authorities' accounts, and increased targeting of remote access services.4 Healthcare providers are also seeing an increase in ransomware attacks at a time when hospital operations are most critical.
Regulators in several sectors have issued alerts on cybersecurity concerns and provided guidance for entities to consider in protecting company systems and sensitive data. The FBI has warned businesses (fbi.gov/news/pressrel/press-releases/fbi-anticipates-rise-in-business-email-compromise-schemes-related-to-the-covid-19-pandemic) to be on the lookout for business email compromise attacks involving fraudulent internal requests for payments or transfers of money, as fraudsters will look to take advantage of urgent payment requests and potential gaps in verification procedures; out-of-band confirmation of any change to payment instructions remains the primary control. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has issued several alerts encouraging organizations to adopt a heightened state of cybersecurity. CISA's guidance encourages organizations to focus on the security of remote access through virtual private networks (VPNs) by updating existing infrastructure, applying necessary patches and implementing multifactor authentication, among other suggestions. CISA has also issued a joint alert with the UK National Cyber Security Centre (NCSC) warning of the "exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic" and suggesting that organizations update or implement robust incident response procedures.
As we have set forth in detail elsewhere, businesses should evaluate their cybersecurity posture and issue guidance to employees to use secure connections and to be aware of phishing attempts, among other things. By issuing these cybersecurity reminders to employees and implementing reasonable security controls that are appropriate to the sensitivity of the personal information the business maintains, the business can reduce the risk of significant impact to its data and systems during this crisis.
Impact of Regulations on COVID-19 Data Privacy Practices
Overall, the regulatory measures and guidance provided in the U.S. have eased some of the data privacy concerns and obligations that might be present under normal conditions. By alleviating the regulatory bite of these obligations, regulators are aiming to facilitate a rapid and effective response to the COVID-19 pandemic. For example, employers collecting body temperature information from employees will not, on that basis alone, face EEOC inquiry or investigation under the ADA. Similarly, hospitals, other healthcare providers and their business associates who, in good faith, share protected health information with public health authorities or health oversight agencies for COVID-19 response purposes will not be an enforcement priority for the OCR. Additionally, physicians and other healthcare providers can provide urgent healthcare services to affected individuals using telecommunication solutions provided by business associates without concern for many of the procedural requirements under HIPAA. Despite this leniency, organizations should nonetheless take reasonable steps to comply with data privacy requirements in their response to the COVID-19 pandemic. Regulators have given no indication that organizations are temporarily relieved of all data privacy regulatory requirements and obligations. At least one regulator, the California Attorney General, has made clear that the COVID-19 pandemic will not delay enforcement activity under the CCPA.
COVID-19 has quickly created a new environment within which organizations must adjust to novel threats and emerging business practices to ensure their continued operations. Businesses and regulators alike are entering this environment with little precedent. Regulators have aimed to provide much needed guidance to organizations by clarifying existing requirements or noting where new enforcement approaches are being taken with regard to data privacy and cybersecurity.
Organizations should fully consider this regulatory guidance when assessing their data privacy and cybersecurity risk and taking the steps necessary to strengthen their existing programs. Despite the regulatory leniency described in this summary, we recommend that businesses consider all data privacy and cybersecurity rules and requirements before implementing any new data collection or sharing measures in response to the COVID-19 pandemic.
1 For further information, please visit the White & Case Coronavirus Resource Center.
2 "Business associates" are entities that collect or process protected health information (PHI) on behalf of, or provide services to, a covered entity pursuant to a business associate agreement that directs and limits the processing of such PHI.
3 See CrowdStrike, Situational Awareness: Cyber Threats Heightened by COVID-19 and How to Protect Against Them (March 24, 2020).
Kyle Levenberg (White & Case, Law Clerk, Washington DC) contributed to the development of this publication.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP