In a recent article by CSO Online, Culhane Meadows’ Boston office partner Peter McLaughlin discusses data security for employee health information in light of COVID-19.
Here are some excerpts from Peter’s interview:
Businesses re-opening in the wake of COVID are faced with keeping track of who in the company is healthy, who is sick, and who needs to isolate. A new International Association of Privacy Professionals (IAPP) study shows that 60% of employers are keeping records of employees diagnosed with COVID-19. These new sensitive datasets come at a time when many established security controls are in a state of flux due to large-scale remote working. CISOs need to know the risks associated with these datasets and help decide what data to collect and how.
Where COVID-19 data falls in terms of compliance requirements is not clear-cut in the US. HIPAA will not apply to every organization collecting health-related data, and the Americans with Disabilities Act (ADA) will likely not apply to every employee. And while some state-level regulations, such as the California Consumer Privacy Act (CCPA), might dictate planning around how the data is protected, each state will have different expectations around that data.
“For the CISO, you’re in the most unfortunate position of trying to predict the classifications and the layer of protection that should be applied to these databases,” says Peter F. McLaughlin, partner at law firm Culhane Meadows. “Whether it’s SARS or H1N1 or HIV, contact tracing apps are not new, but at the moment I’m not sure where on the spectrum of sensitivity a COVID diagnosis falls.”
“We’re taking sort of a new batch of data and trying to figure out what category does this fit in and what levels of protection do we need to apply,” McLaughlin adds. “This environment is going to be viewed with the benefit of 20/20 hindsight, so you want to make sure that you’re applying a process that’s appropriate, rigorous, and that you’re doing it consistently.”
In the absence of any single regulation to guide data protection thinking (and assuming they haven’t adopted a policy of global GDPR compliance), McLaughlin recommends that US organizations look to well-established standards such as ISO/IEC 27001, 27002 and 27005, or the NIST Privacy Framework, for best practices, and document their decision making in case they are later challenged on why certain actions were taken.
“Certainly, if the data were lost, the Federal Trade Commission would be among the first to send a letter saying, ‘You had all this sensitive information about your employees and you lost it. Please talk to us about what happened,’” says McLaughlin. “Some of the first questions are going to be, ‘What did you do? Please show us your documentation. How did you arrive at the decision that you did, and what was the process?’ You’ll be in a better place if you’re able to demonstrate that the things that you did and that the technologies and the configurations and so forth are consistent with generally recognized benchmarks.”
The complete article can be found here with a subscription to CSO Online.
About Culhane Meadows – Big Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields over 70 partners in ten major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2020 rankings, and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.
The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.