Mary Hildebrand visited her office for the first time since March last week. The residual evidence of what life used to be was scattered across the office — newspapers last dated from mid-March.
When businesses across industries went remote, the move introduced "clashes" between security and privacy for the new remote and scattered office, Hildebrand, chair and founder of the Privacy and Cybersecurity practice at Lowenstein Sandler, told CIO Dive.
Shifting remote meant more personal data than ever before was available online, and cybercriminals were aware. "If you want to do business online, or you want to get on Zoom, just to talk to your friends, gaming or anything, you have no choice but just fill in the blanks," she said.
In response, CIOs, CTOs and CISOs had to account for losing "control of the work environment" and borderless security, she said.
Businesses are also dealing with contradictory privacy actions brought on by COVID-19. As the California Consumer Privacy Act's (CCPA) final rules await approval and the beginning of enforcement, the privacy regulation landscape has become more complex. For example, the HHS Office of Civil Rights (OCR) relaxed guidelines for HIPAA-compliant companies responding to COVID-19.
Though states are rolling out phases to return to daily life before COVID-19, an immediate return to an office is unlikely — and a return to the same office environment is inconceivable. Privacy issues unraveled for employees just as much as consumers in the last few months.
There aren't a lot of privacy protections for employees because the assumption is that "when you start your job, you basically have employee monitoring that your employer wants to do," Heather Federman, VP of Privacy and Policy at data privacy firm BigID, told CIO Dive. Employees and employers agree to standard measures to monitor output, now that supervision is amplified.
"We're going to end up doing a lot of surveillance, and this might be necessary for this short-term period," said Federman. "I don't know how much the CCPA can really help with that, because [it's] more just about privacy, self management," not tracking an employee's productivity.
Contact tracing apps would rely on employee input and engagement. They also force policy changes to protect — and to a certain extent promote — changes in employee behaviors.
Apple and Google's contact tracing framework gave organizations the ability to develop their own apps, but in doing so, the companies "took on the role of, if you will, legislating some of the privacy protections" built into the apps, according to Hildebrand. "I would almost call it a quasi governmental role" because there hasn't been definitive legislation to regulate the data collection and consent.
As organizations navigate a complex privacy landscape with contradictory components, businesses are at a greater risk for a mishap. HIPAA's temporary rollback is juxtaposed with the California Attorney General's refusal to delay the CCPA's enforcement date.
Because so much data moved online, the AG's viewpoint is "this is no time to take your foot off the gas," according to Hildebrand.
OCR suspended enforcement so information could be shared more freely between public and private entities for COVID-19 response. When Washington state toyed with the idea of restaurants collecting patron data for contact tracing efforts, HIPAA-related privacy concerns arose.
Could restaurants become HIPAA compliant? The short answer: no, because they are not healthcare providers, according to Hildebrand. The restaurants — and patrons — would be providing that information voluntarily.
The lack of a unified federal data privacy law makes everything "dicey," Hildebrand said, especially when the nature of the CCPA is agnostic to industries — it's all about personal data itself.
"You're making significant changes in practices and assumptions," she said. "The paradigm around data is changing."