Data Privacy Competence Amid The COVID-19 Pandemic: Pro-Active Compliance Workshop
CONFIDENTIAL © 2020 Exterro, Inc. All rights reserved.2
Brought to you by: Exterro is the preferred provider of software specifically designed for in-house legal and IT teams at G2000 organizations.
Panelists
Mark Schreiber, Partner, Global Privacy and Cybersecurity,
McDermott Will & Emery LLP
+1 617.535.3982
Robert Fowler, Director of Strategic Alliances, Exterro
314.249.3380
In this webcast our panel will review…
• An overview of data privacy regulations and enforcement
• Best practices for handling data privacy complaints/lawsuits
• Defensible practices to avoid adverse legal and financial consequences
Today’s Complex Data Environment
Migrating from Abroad to the US
Pioneering US Privacy Laws – CCPA
A New Era of Data Privacy Rights
1. Right to Know Data Collected & Purpose
2. Right to Access Data
3. Right to Delete Data
4. Right to Know Categories of Third Parties
5. Right to Opt-Out of Sale
6. Right to Equal Treatment
New Frontier in Class Action Litigation
COVID-19: CYBERSECURITY CONSIDERATIONS
Cybersecurity: Preparation
> Q: How can companies prepare their employees, contractors and others to identify and avoid the unique cybersecurity threats related to online communications about COVID-19?
> A:
▪ The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a report that bad actors are using COVID-19 as a pretext for scam emails
• FTC, Secret Service and WHO have issued similar warnings; see the References pages at the back for links
• Common pretexts: online offers of a vaccine, donation requests, urgent alerts
• Threat actors have already been identified dropping malware in COVID-19 emails
• AA20-099A: COVID-19 Exploited by Malicious Cyber Actors – US-CERT compendium
12 Information provided by McDermott Will & Emery
Cybersecurity: Preparation (Cont.)
> Q: How can companies prepare their employees, contractors and others to identify and avoid the unique cybersecurity threats related to online communications about COVID-19?
> A:
▪ Consider sending a security reminder on best practices to avoid cyberattacks and scams
▪ Use the outbreak as an opportunity to reemphasize the importance of cyber-vigilance with employees/contractors/customers
▪ Be mindful of routine security hygiene: password complexity, VPN use, MFA, encrypted laptops
Cybersecurity: Remote Work
> Q: What are the cybersecurity issues or risks in increasing remote work?
> A:
▪ Issues include: bandwidth limits, increased exfiltration of data to employees’ personal devices, and greater security exposure due to larger numbers of remote workers, including new or inexperienced ones
▪ Consider testing remote connectivity, including load testing
▪ Be conscious of workers with limited remote work experience and consider training
▪ Provide reminders on:
• remote access and acceptable use policies, BYOD
• physical security best practices (e.g., monitoring laptops/devices while in public, security in the home)
▪ Consider SANS 5 Steps to Securely Work from Home (see References at back)
Cybersecurity: Other Risk
> Q: What additional cybersecurity concerns or risks should companies be aware of in these circumstances?
> A:
▪ SIEM/risk avoidance solutions may experience a higher number of false positives because of remote work
• Attackers may use the situation to hide intrusion activities
▪ Review the IRP, disaster recovery plan, and other security monitoring plans to ensure preparation for a security incident
▪ Websites remain vulnerable to traditional attacks:
• HHS subject to cyber attack approx. March 15
• Champaign-Urbana Public Health District website taken down in ransomware attack approx. March 10
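The false-positive problem above is easy to see in code. The following is an added example, not material from the deck or from McDermott Will & Emery: a "login from outside the office" SIEM rule that fires on every home login once the workforce goes remote, beside a re-baselined rule that keys on each user's known countries instead. All users, addresses, the office IP set and the log lines are constructed sample data.

```python
"""Added example: why an office-IP login rule floods with false positives once
everyone works remotely, and one way to re-baseline it so a real intrusion is
not buried in the noise. All users, addresses and log lines are constructed."""
from collections import defaultdict

# Constructed sample events in a simplified format:
#   timestamp user src_ip country vpn=<yes|no> result
BASELINE_LOGS = [  # office period used to learn each user's normal countries
    "2020-02-10T09:00:00Z alice 203.0.113.10 US vpn=no ok",
    "2020-02-10T09:05:00Z bob   203.0.113.10 US vpn=no ok",
    "2020-02-11T08:30:00Z carol 203.0.113.20 DE vpn=no ok",
]
REMOTE_LOGS = [  # after the move to remote work
    "2020-03-16T08:01:00Z alice 198.51.100.5  US vpn=yes ok",
    "2020-03-16T08:04:00Z bob   198.51.100.77 US vpn=yes ok",
    "2020-03-16T08:10:00Z carol 192.0.2.44    DE vpn=yes ok",
    "2020-03-17T08:02:00Z alice 198.51.100.5  US vpn=yes ok",
    "2020-03-17T02:40:00Z bob   192.0.2.200   RU vpn=no  ok",  # constructed: stolen credentials, new country, no VPN
    "2020-03-17T08:05:00Z bob   198.51.100.77 US vpn=yes ok",
]
OFFICE_IPS = {"203.0.113.10", "203.0.113.20"}  # assumed corporate egress addresses


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, user, ip, country, vpn, result = line.split()
    return {"ts": ts, "user": user, "ip": ip, "country": country,
            "vpn": vpn == "vpn=yes", "ok": result == "ok"}


def naive_rule(events, office_ips):
    """Pre-pandemic rule: alert on any successful login not from an office address.
    Reasonable when staff sit in the office; fires on everyone once they work from home."""
    return [e for e in events if e["ok"] and e["ip"] not in office_ips]


def build_baseline(events):
    """Per-user set of countries seen in successful logins during the baseline period."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"]:
            baseline[e["user"]].add(e["country"])
    return baseline


def tuned_rule(events, baseline):
    """Re-baselined rule: alert when a user logs in from a country never seen for them.
    A login that also bypassed the corporate VPN is marked high severity. Home
    addresses in the user's usual country no longer fire, so the real anomaly stands out."""
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        if e["country"] not in baseline.get(e["user"], set()):
            severity = "high" if not e["vpn"] else "medium"
            alerts.append({**e, "severity": severity})
    return alerts


def compare_rules(baseline_logs=BASELINE_LOGS, remote_logs=REMOTE_LOGS, office_ips=OFFICE_IPS):
    """Run both rules over the remote-work period; return alert counts and the tuned alerts."""
    baseline = build_baseline(parse(line) for line in baseline_logs)
    remote = [parse(line) for line in remote_logs]
    naive = naive_rule(remote, office_ips)
    tuned = tuned_rule(remote, baseline)
    return {"naive_alerts": len(naive), "tuned_alerts": len(tuned), "tuned": tuned}


if __name__ == "__main__":
    result = compare_rules()
    print(f"naive rule: {result['naive_alerts']} alerts for {len(REMOTE_LOGS)} logins")
    print(f"tuned rule: {result['tuned_alerts']} alert(s)")
    for a in result["tuned"]:
        print(f"  {a['severity']:6} {a['user']} from {a['country']} via {a['ip']} vpn={a['vpn']}")
```

On the constructed data the naive rule raises six alerts for six logins, one of which is the intrusion, while the re-baselined rule raises only that one. The baseline is deliberately learned from the pre-remote period and not updated from remote logins, so an attacker cannot quietly "teach" the rule a new country; a stolen credential used from the victim's own country over the VPN would still evade it, which is why country baselining should sit beside other signals (MFA outcome, off-hours activity, concurrent sessions) rather than replace them.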
Cybersecurity: Other Risk (Cont.)
> Q: What additional cybersecurity concerns or risks should companies be aware of in these circumstances?
> A:
▪ Prepare for IT systems dislocations/failures
• Ensure availability of additional/backup IT resources
• Create/update a plan in case systems go down
▪ IT/security resources may need to be boosted
• Ensure staffing and other resources are sufficient to keep pace with increased demands
▪ Ensure compliance with relevant security rules and frameworks (e.g., HIPAA, GLBA, PCI DSS) on transmitting COVID-19 information (e.g., PHI, consumer data, company classified data)
COVID-19: PERSONAL INFORMATION
Personal Information: Disclosing COVID-19 Information
> Q: What is considered personal information?
> A: Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
▪ Includes health and geolocation data
▪ Very broad standard; it comes from the new California Consumer Privacy Act (CCPA) and is similar to the standard under the EU General Data Protection Regulation, but it is best practice even for companies that operate outside those jurisdictions
Personal Information: Collecting COVID-19 Information
> Q: What do we need to consider before collecting, using or sharing COVID-19 personal information?
> A: Consider why you need – or want – to collect, use or share the information.
▪ To protect health or safety?
▪ Other valid, compelling business purpose?
▪ If not, don’t do it
> Q: Is the contemplated collection, use, and sharing consistent with existing privacy policies?
> A: If not, update privacy policies before collecting new information.
Personal Information: Sharing COVID-19 Information
> Q: What if our privacy policy covers the types of personal information we are collecting, but our intended use or sharing in response to COVID-19 will be unexpected to our guests or consumers?
> A: Review existing privacy policies to ensure they cover the new purpose for disclosure, e.g., to a governmental agency for a public health purpose
▪ Common permitted purposes for sharing personal information:
• to protect the health or safety of individuals;
• in response to valid legal process or a lawful obligation
▪ If policies do not permit disclosure to governmental agencies, consider amending them
• Also consider the additional effects of any amendments (e.g., necessary changes to contracts or internal procedures)
Personal Information: Sharing COVID-19 Information With Government Entities
> Q: If a government agency requests information about our employees, guests or customers, what do we need to consider from a privacy perspective?
> A: Considerations should include:
▪ (1) Geography – privacy obligations differ based upon jurisdiction
▪ (2) Absent a legal requirement, be careful about sharing personal information with governmental entities
• Requesting an explanation of the legal basis v. requiring legal process
• Weigh the potential public backlash of being seen as uncooperative in a public health emergency against the importance of protecting the privacy of customers/employees/partners
• With the global spread of COVID-19, requests could come from many governments/agencies – will your response depend on the identity of the requesting entity?
▪ (3) Even with a legal requirement, tailor responses to limit the potential for sensitive/harmful information to be shared
Personal Information: Sharing COVID-19 Information With Government Entities (Cont.)
> Q: If we disclose information to a government agency about our employees, guests or customers in relation to COVID-19, do we need to inform the individuals that we shared this information?
> A:
▪ In the US, there is an obligation to inform affected individuals only in limited situations
• E.g., a data subject request under the CCPA for information shared with third parties
Personal Information: Other Disclosures
> Q: If we learn that an employee, guest or customer has tested positive for COVID-19, what information may we disclose?
> A:
▪ If making a disclosure at the request of a government agency, you may provide information responsive to the agency’s requests
▪ If sharing voluntarily with other parties (e.g., employees, customers), only share the minimal amount necessary for each party to assess their own personal health
• Avoid sharing PII without the consent of the affected individual
Using Data “For Good”
Our organization already holds a lot of personal data – how can we use it to help?
> Q: We are a data-rich company and would like to help. How can and should we use the data we already hold?
> A: Consider whether the data you hold can help with important decisions, not just provide general insights.
▪ Use de-identified, aggregate data wherever possible (but it is not always useful in this context)
▪ Be sure you have a focused strategy and a defined objective for data use
▪ Use the data you already have; resist the urge to gather more
▪ Carefully supervise, manage and limit all uses – and users – of data
▪ Enforce safeguards, including quality of analysis and accountability
▪ Secure the data, even under time and WFH pressures
▪ Consider the “downstream” privacy implications of the project once the current crisis has passed; the genie will be out of the bottle
COVID-19: GDPR
GDPR: Role of the Supervisory Authorities
> Q: Are data protection Supervisory Authorities giving guidance in response to COVID-19?
> A:
▪ Yes. Authorities from more than 20 EU countries, the EDPB and the EDPS have started releasing guidance, including the UK, Ireland, France, Italy, Germany, and Spain.
• Practical impact: Whilst most of the guidance follows the same sorts of principles, there are differences. Care should be taken that the appropriate local guidance is consulted for any particular country.
▪ NB. Non-EU countries are also releasing guidance: China, Singapore, Canada, New Zealand, Mexico.
GDPR Considerations for COVID-19
> During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
> No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
> We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
> ICO: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/
GDPR Considerations for COVID-19
> Q: If the Regulators are relaxing their enforcement of the GDPR, what is the new level of compliance we should meet?
> A:
▪ Good question. It is not clear what the new standard of compliance should be. Further, it is not clear how long this relaxation will last and what should happen at the end of that period.
• Practical impact: Where a lower standard of GDPR compliance is to be used, we recommend undertaking a short-form DPIA to assess the risks and to justify the lower standard of compliance.
• Practical impact: Notify your Data Protection Officer (DPO) and keep them informed.
• Practical impact: Record each area where a lower standard of compliance has been adopted, so that at the end of the relaxation period those areas can be brought back into compliance.
GDPR Considerations for COVID-19
> Q: How does the GDPR differ from the US rules when dealing with COVID-19?
> A:
▪ (1) Both personal data and health information are defined very broadly under the GDPR, and so information not caught by HIPAA or the CCPA may be within the scope of the GDPR.
• Practical impact: Check your data handling practices and data privacy notices to ensure sufficient coverage.
▪ (2) The GDPR can apply to business operations in the US merely because the personal information concerns individuals located in the EEA or is obtained “in the context” of EEA operations.
• Practical impact: Be careful when personal data coming from the EEA is being processed or disclosed.
▪ (3) Health information or “sensitive personal data” is subject to additional controls.
• Practical impact: Make sure that the processing that you know to be lawful in the US is also lawful under the GDPR.
• Watch out for some cross-border issues. For example, when the law provides that disclosure is permitted by applicable law, that means domestic law, not foreign law.
GDPR Considerations for COVID-19
> Q: How does the GDPR differ from the US rules when dealing with COVID-19?
> A:
▪ (4) The GDPR has strict requirements to keep “records of processing”.
• Practical impact: Ensure that you keep records of the processing that takes place. If there is an EU Data Protection Authority investigation, this is the first thing they will ask to see.
▪ (5) Be prepared to respond to data subject requests (DSRs) about COVID-19.
• Practical impact: Data Subject Access Requests are now a common tool for employees and customers who want to find out information about themselves. Only documents that concern that individual should be disclosed. Review your DSR policy and procedures.
▪ (6) The GDPR and e-Privacy Directive also regulate the sending of emails; express consent is required.
• Practical impact: Be careful about COVID-19 status communications; they may breach the GDPR and e-Privacy Directive.
GDPR: Special GDPR Rules on COVID-19 Information
> Q: Are there special rules in the GDPR for pandemics such as COVID-19?
> A:
▪ Yes. One of the bases for processing sensitive personal data is where the processing is necessary for the public interest in the area of public health.
▪ EU countries are issuing emergency rulings and guidance allowing processing of COVID-19 information under the “public interest in the area of public health” basis.
• Practical impact: If you think that this basis might apply, you should do a Data Protection Impact Assessment (DPIA).
• In supplemental regulatory guidance the Regulators say that the other GDPR principles about lawfulness, transparency, confidentiality, data minimization, accountability, and proportionality still apply, especially in the context of disclosing the personal data of a COVID-19 patient.
GDPR: Guidance from Ireland’s Supervisory Authority
> Q: What has the Irish DPC said in light of COVID-19?
> A:
▪ The Irish DPC reminds companies that even where the processing of COVID-19 data is authorized, there is still a need for suitable safeguards, including access controls, time limits for erasure, and staff training.
▪ Processing must be necessary and proportional, and carried out in a confidential manner.
▪ Companies must be transparent about processing, including the purpose and retention period.
▪ Companies must strive to ensure the security of data and process the minimum necessary amount of data.
▪ Any decision-making process must be documented.
GDPR: Guidance from Ireland’s Supervisory Authority (Cont.)
> Q: What else did the Irish DPC say in the guidance it released?
> A:
▪ Companies can ask visitors questions about travel to affected areas, symptoms and exposure, but they need strong justification based on necessity and a judgment of risk to issue questionnaires.
▪ Companies can ask for details of an employee’s illness, but collection must be justified and factual, limited to what is necessary.
▪ Sending employees home is not a data protection matter, but an employment one.
▪ Disclosing details of an employee who has the virus should be avoided.
▪ The Irish DPC recognizes that GDPR DSRs may face “unavoidable delays” as a result of COVID-19 and recommends communicating with individuals submitting DSRs and responding in stages.
GDPR: Special Rules for Transferring COVID-19 Data Outside of the EEA
> Q: Are there any special rules to consider when transferring sensitive personal data to a controller outside of the EEA?
> A:
▪ The bases for legitimizing export are in addition to those for legitimizing processing.
▪ If using SCCs, check for further restrictions in the clauses relating to sensitive personal data; often onward transfer of sensitive personal data requires express consent.
▪ Check Privacy Shield self-certification or Binding Corporate Rules, if applicable
GDPR: Cyber security risk arising from COVID-19
> Q: What are the European Supervisory Authorities saying about cyber risks and COVID-19?
> A:
▪ The ICO has already identified the following types of exploitation:
• The Government asking for your bank details so money related to free school meals can be transferred;
• HMRC stating you have a tax refund;
• Banks asking you to confirm your details;
• Emails from criminals disguising themselves as an organisation;
• Callers offering coronavirus testing kits and protective equipment; or
• Calls telling you your internet is going to be cut off in 24 hours because you’ve been hacked.
GDPR: Cyber security risk arising from COVID-19 (Cont.)
> Q: What are the European Supervisory Authorities saying about cyber risks and COVID-19?
> A:
▪ The Supervisory Authorities also recognize that there may be additional cyber risk where there is home working.
• Practical impact: Ensure that your Information Security policies and procedures are effective where the workforce is remote.
• Practical impact: Ensure that there is still effective detection of cyber risks where the exploits are commissioned against remote staff.
• Practical impact: Ensure that Incident Response Policies are up to date and operational to deal with all the usual types of social engineering, phishing, Trojan Horses, ransomware and the like.
GDPR: Conclusions
> Q: What conclusions and recommendations can we make?
> A:
▪ Although the European Data Protection Supervisory Authorities have indicated a relaxed view, they still want the principles in the GDPR followed.
• Practical impact: All the usual steps of (i) making sure that the privacy notice is correct; (ii) ensuring a valid basis for processing; (iii) ensuring that there is purpose limitation and data minimization; (iv) documenting any processing; and (v) responding appropriately to DSRs and complaints etc. must be undertaken.
• Practical impact: If in doubt about any new type of processing, undertake a Data Protection Impact Assessment (DPIA)
▪ A lot of guidance has now been released by the European Data Protection Supervisory Authorities.
• Practical impact: Although much of it is similar, the appropriate guidance for the countries that are in scope should be consulted.
GDPR: Conclusions (Cont.)
> Q: What conclusions and recommendations can we make?
> A:
▪ No guidance has been given about what happens at the end of the Pandemic.
• Practical impact: Keep records of what has been done so that, at the end of the Pandemic, any steps taken under a more relaxed approach can be adjusted once the regulatory leniency has terminated.
• NB: Regulatory leniency does not insulate companies from third-party actions or class actions brought for breaches of the GDPR.
▪ Cyber Security risk has increased dramatically.
• Practical impact: Ensure that all the policies and procedures are adjusted to work in our new operating environment and check that your Incident Response Policy is effective.
Your Guide to Defensible Data Practices
1. Know Your Data
2. Update Policies & Disclosures
3. Third Party Risk
4. Manage Consumer Requests
5. Employee Training
6. Defensible Compliance
7. Future Proof Your Compliance Approach
A Roadmap for Success: #1 Know Your Data
The Foundation for Defensible Compliance
A Roadmap for Success: #2 Update Policies & Disclosures
A Roadmap for Success: #3 Third Party Risk
1. Who are our vendors?
2. Which ones touch our data?
3. What specific data do they touch?
4. Which ones are relevant to regulations?
5. How are they protecting our data?
A Roadmap for Success: #4 Manage Consumer Requests
A Roadmap for Success: #5 Employee Training
A Roadmap for Success: #6 Defensible Compliance
A Roadmap for Success: #7 Evaluate New Regulations
What’s to come? State comprehensive privacy law comparison
Questions?
THANK YOU TO OUR WEBCAST PANELISTS
Mark Schreiber, Partner, Global Privacy and Cybersecurity,
McDermott Will & Emery LLP
+1 617.535.3982
Robert Fowler, Director of Strategic Alliances, Exterro
314.249.3380
Additional Resources
• AA20-099A: COVID-19 Exploited by Malicious Cyber Actors
• https://www.mwe.com/insights/six-tips-for-working-cyber-safely-from-home-during-covid-19/
• https://www.mwe.com/insights/privacy-global-pandemic-analysis-covid19-guidance-data-protection-authorities/