COVID-19 has heightened the emphasis on cybersecurity issues. But as people slowly make their way back to the workplace, there is also a shift surrounding the protection of data. Cybersecurity is vital, of course, but questions are rising about data privacy.
Data privacy has taken on a higher profile since GDPR entered the lexicon and consumers began to realize they finally had the ability to do something to protect themselves before and after a data breach. This is especially manifesting itself as organizations want to use contact tracing to monitor and prevent the spread of COVID-19 as the country reopens. But there is a lot of distrust around contact tracing and who will have access to that information.
People need to know that the data collected through contact tracing will be used only to monitor this health issue, said Dan Caprio, co-founder and executive chairman of The Providence Group, a panelist in a recent webinar, “Cybersecurity, Data Privacy, and Digital Regulation During the Coronavirus Pandemic,” hosted by the Pacific Research Institute, a California-based think tank.
The information won’t be used by the government or by law enforcement, Caprio said. That’s good news for protestors, who won’t have to worry about being tracked and possibly facing retribution for taking to the streets.
But much of the privacy for contact tracing is being undertaken by Google and Apple, both of which understand the challenges around data privacy. “In terms of digital trust,” said Caprio, “consumers have lost faith in company use of data. Contact tracing eliminates that problem.”
A Need for Federal Privacy Laws
Privacy standards surrounding contact tracing highlight the need for federal privacy laws, Caprio pointed out. There is no standard in place right now that has federal implications. There are many who think that CCPA and the California Privacy Rights Act (CPRA)—also known as CCPA 2.0 and a ballot initiative for November’s elections—are a substitute for a federal law because as California goes, often so goes the nation. We’ve seen it happen before.
“We’ve all gotten used to the notion of data security and state data breach laws,” he said. “In its own peculiar way, you can make those work … with a patchwork of state laws. There’s mostly agreement. If you have a data breach, you can navigate around it nationally.”
CCPA, however, is not going to work the same as data breach laws because the regulation is so specific to California residents. Organizations won’t have the same need to protect data privacy for residents of the other 49 states, a problem made worse if other states begin passing and implementing unique data privacy laws. If there is a data breach, it would create a logistical nightmare for organizations and not provide any real data security or privacy for consumers in the end.
“We really need a federal privacy law,” Caprio added. If we depend only on CCPA and CPRA as our guideline, he noted, it could stifle innovation, raise compliance costs and not do anything to protect data privacy.
Bring Stability to Data Privacy
One thing we’ve learned from remote work is that organizations no longer have to be tied down by geography for their workforce. If work-from-home was successful for an organization, the practice opens up the applicant pool for future hiring. It also means needing to take into consideration how privacy laws will impact someone in a singular location. In addition, we’re holding meetings by Zoom or similar technology, using cloud applications for all business operations.
CCPA looks like it could be the logical data privacy compliance choice, yet states aren’t taking any steps to follow it, and most are looking at their own legislation.
It doesn’t make sense to follow something that keeps changing, said webinar panelist Jim Halpert, a partner at DLA Piper. CCPA went into effect Jan. 1 and is going to be fully implemented July 1, yet already there has been new legislation introduced to upgrade it.
There’s also no flexibility to the law, added Bartlett Cleland, senior fellow in Technology and Innovation at the Pacific Research Institute. CCPA and CPRA don’t take into account the future of how we view online interactions. We need thoughtful forward progress, he stated, and need to think through issues critically.
COVID-19 has shown us why having a federal standard in data privacy (and even data breach protections) is necessary. “We have all these different regulatory compliances—privacy, healthcare, licensing. Then you also have location issues come up,” said Halpert. “When you have a national crisis, you need to be able to cut through and come up with solutions that really work. Right now, it is complicated. It would be better to cut through the red tape and be able to respond at a local level, a state level and a national level.”