As many of us return to the workplace, businesses reopen, and our day-to-day routines return to normal, we’re now faced with new questions and challenges. Our attorneys are here to provide important guidance for you and your business.

For commonly asked questions and responses, please see our FAQs section. For regular updates and analysis, visit our curated Insights & Events section. If you would like to discuss a specific issue with a member of our Coronavirus (COVID-19) Response Team, submit a contact form here.

Here are some things to consider:

Remote Work and Employment Considerations

Companies shifting to a more permanent remote workforce need a detailed policy for employees who will work remotely on a limited or ongoing basis. The policy should clearly state acceptable use guidelines employees must abide by when working remotely. Considerations should include instructions on using computer devices provided by the business versus using personal devices, and guidelines for software installation and accessing third-party file storage or personal email accounts. Confidentiality policies need to be updated to include language on protecting confidential business information when working remotely. Conduct and professionalism policies need to be updated to address attire and communications standards while working remotely and using videoconference and WebEx tools. The policy should contain language about vigilance and notification regarding potential information security threats. Additionally, any remote work policies should address wage and hour concerns and be reviewed by your employment counsel.

It is important for companies to have a Written Information Security Program (WISP) and Incident Response Plan (IRP) now more than ever, and contingencies need to be added to existing WISPs and IRPs. These plans offer a roadmap to how organizations will respond to a variety of incidents in a controlled way with an emphasis on preparedness and effective communication among various stakeholders. Bradley works with clients regularly to develop these plans, and we can also create tabletop exercises that are focused on particularly critical areas – including remote services – and reveal deficiencies in response plans before they can do real harm, without any disruption of systems.

It is important to establish best practices for employees to follow when using virtual meetings. A few examples include:

  • Limit the reuse of access codes.
  • If the topic is sensitive, use additional security.
  • Use a “green room” or “waiting room.”
  • Enable notification when attendees join.
  • If available, use a dashboard to monitor attendees – and identify all generic attendees.
  • Don’t record the meeting unless it’s necessary.
  • If it’s a web meeting (with video):
    • Disable features you don’t need.
    • Consider using a PIN.
    • Limit who can share their screen to avoid any unwanted or unexpected images.

Geography matters, so first and foremost, follow your state’s lead. If your state remains under a stay-at-home or shelter-in-place order and your business doesn’t qualify as essential, stay closed. Some places are hotspots for the disease while other places appear to have barely been touched by the virus. If your state starts to lift restrictions, you can probably start bringing people back into the office. But, to protect your employees and to limit your liability, follow the lead of the states where your employees are located.

Consider at least three main laws when creating a back-to-work plan or policy: the new Families First Coronavirus Response Act (FFCRA), the Americans with Disabilities Act (ADA), and the Family Medical Leave Act (FMLA). See Bradley’s blog post “Getting Your Employees Back to Work After the Pandemic” for additional details about these laws.

The bad news is that there is no silver bullet. The good news, however, is that there are proactive steps that you can start taking right now to create thorough re-opening plans that also protect employee data and privacy.

  • Encourage voluntary participation in contact-tracing programs. Rather than immediately mandating employees download an app (for example), pitch contact-tracing programs to employees as voluntary. Most of your workers are just as worried as you are about getting sick and, when given the chance, may gladly participate in programs to mitigate risks for themselves and their coworkers.
  • Build ownership over the plan you create. Rather than forcing a top-down approach, consider surveying your employees to determine what they are most worried about when coming back into the workplace. Perhaps their worries and yours are different – this might create an otherwise invisible opportunity to cultivate trust (while protecting physical health and data privacy to boot).
  • This is a time to overcommunicate with your employees. Make sure they understand the policies and procedures you have created before they come back to the workplace. Offer the opportunity for questions and answers, host a webinar, post videos, schedule trainings, send carrier pigeons – just make sure you are communicating early and often about what is expected.

Financial institutions should pay close attention to New York State Department of Financial Services (NYDFS) cybersecurity rules, including credential access and multi-factor authentication access. It is more important than ever for financial institutions to have a strong plan in place to make sure they are not violating cybersecurity regulations. Publicly traded companies also need to make sure they provide accurate cybersecurity disclosures to the SEC. Companies need to disclose if they have had a major change in cybersecurity requirements by shifting more employees to a remote work environment.

Although construction and other businesses have been deemed “essential” or “critical” in many jurisdictions, you should first confirm that your business is permitted to continue under the relevant government stay-at-home orders. If your business has been deemed “essential” or “critical” by state and local authorities, your employees are likely allowed to continue traveling to and from their places of work. In response to government stay-at-home orders, many owners and contractors have issued safe passage letters to their employees. We are currently helping clients draft these letters and advising them on how to comply with relevant orders.

Location Tracking and COVID-19 Data Collection

On May 7, 2020, five United States senators introduced a bill aimed at protecting consumers whose data is used to track COVID-19. Sens. Wicker (R-Miss.), Thune (R-S.D.), Moran (R-Kan.), Blackburn (R-Tenn.), and Fischer (R-Neb.) introduced the COVID-19 Consumer Data Protection Act of 2020. The bill would impose data-privacy restrictions on companies using consumers’ data for tracking the spread of COVID-19, including for contact tracing.

Targeted at data being used to fight the pandemic, the bill covers geolocation, proximity, and health data being used for purposes related to COVID-19. Further, the bill is time limited: Its effect would end once Health and Human Services declares that the public health emergency has ended. You can read our full analysis of the bill here.

Additionally, two other United States senators have introduced a second bill aimed at protecting consumers whose data is used to track COVID-19. The bill to create the Public Health Emergency Privacy Act (PHEPA) will compete with the earlier bill mentioned above, which was introduced by Sen. Wicker (R-Miss.) and others.

This bill from Sens. Blumenthal (D-Conn.) and Warner (D-Va.) shares with the Wicker bill an emphasis on health, geolocation, and proximity data and requires affirmative express consent from consumers from whom such data is collected. But the Blumenthal bill expands the scope and enforcement of the protections. You can read our full analysis of this second bill here.

Some regulators have provided guidance, while others have not. For example, the Information Commissioner’s Office (ICO), the U.K.’s data protection authority (DPA), has stated that it will take into account “the compelling public interest in the current health emergency” and will take a “reasonable and pragmatic” approach to enforcing data protection obligations during the pandemic. Regulators such as the ICO recognize the unprecedented challenges faced by privacy professionals and data controllers during the pandemic and recognize the need to adapt to an uncertain environment.

Other regulators, such as the California attorney general, have remained largely silent on whether or not they will take into account the upheaval experienced by many businesses during the pandemic in considering compliance with or enforcement of the California Consumer Privacy Act (CCPA).

Virtual Learning and Education Considerations

  • For universities, colleges, and post-secondary institutions: Consider whether your institution should draft a Distance Learning Policy to address the expectations of students, faculty, and staff for online curriculum, or update its data privacy or technology use policies. With more students engaging online or through university-owned equipment, current policies, procedures, and guidance may be outdated and ineffective at protecting university interests and may expose institutions to potential security risks.
  • For primary and secondary educational institutions (elementary, middle, and high schools and school districts): With millions of students now completing schoolwork online, schools are using “ed tech” tools to keep them engaged. The FTC recently issued COPPA guidance to schools and ed tech companies during the pandemic. It is important to remember that there are privacy considerations with the rise in use of ed tech tools as they capture personal information from students. Schools should consult with their attorneys and IT specialists to review the privacy policies of the ed tech tools they are utilizing. Key considerations include types of PI collected from students, how it is used, if it is shared, and how it is protected. See Bradley’s article on the Family Educational Rights and Privacy Act (FERPA) to read more about online learning considerations during the pandemic.

Yes. FERPA is a federal law that protects the privacy of student education records. The law applies to all educational agencies and institutions that receive funds under any program administered by the Secretary of Education. FERPA prohibits educational agencies (e.g., school districts) and institutions (i.e., schools) from disclosing personally identifiable information (PII) from students’ education records without the prior written consent of a parent or “eligible student,” unless an exception to FERPA’s general consent rule applies. For instance, pursuant to one such exception, the “health or safety emergency” exception, educational agencies and institutions may disclose to a public health agency PII from student education records without prior written consent in connection with an emergency if the public health agency’s knowledge of the information is necessary to protect the health or safety of students or other individuals.

The U.S. Department of Education published frequently asked questions addressing personal information disclosures during the COVID-19 pandemic. The department reiterates that parental consent for disclosure is still required in most cases but does address certain exceptions relating to health and safety emergencies, particularly where information is necessary to protect the health and safety of a student or other individuals. The guidance also includes a model consent form at the end of the document.