As much as COVID-19 is a global healthcare crisis, it has also brought to the forefront a new set of risks and compliance challenges. Here are a few challenges we’ve heard from our community in the past few days:
- Organizations’ leaders have legal questions around the types of medical information they’re allowed to collect from employees to verify whether they have the virus.
- Leaders need to understand the legal implications of cost-cutting measures such as hour reduction and layoffs.
- The move to remote work has exacerbated cybersecurity risks, as workers conduct business on personal devices outside of enterprise firewalls, and hackers move quickly to deploy coronavirus-related attack schemes.
- Security controls aren’t being performed because IT security staff are working remotely or, worse, are sick themselves.
- Remote work has made IT security audits more difficult to complete. So much of audit-related work is done face-to-face under normal circumstances.
All of these challenges come at a time when companies must maintain trust with their customers, partners, suppliers and other stakeholders.
During these unprecedented times, your ability to adapt to a new reality and project confidence are essential to the long-term sustainability of your organization. Now more than ever, your employees, leaders and customers need your leadership and your service.
Here are some of the top initiatives risk and compliance leaders should be driving right now to help their organizations adapt to this new reality and emerge stronger on the other side.
1. Clarify data privacy regulations as they relate to your COVID-19 response
As organizations collect personal information about employees’ health and travel as part of their response to limit the spread of infection, they need to take appropriate measures to protect employees’ privacy and stay compliant with applicable data privacy regulations, including the EU’s General Data Protection Regulation (GDPR), the Americans With Disabilities Act (ADA), the California Consumer Privacy Act (CCPA), and the United States’ Health Insurance Portability and Accountability Act (HIPAA).
As your team takes swift steps to prevent the spread of COVID-19, you are likely to come across compliance challenges you’ve never dealt with before.
For one, the regulations themselves can be complicated to apply. If your business operates in the U.S., there are at least four disparate regulations that may apply to your data collection and sharing practices, and that affect your ability to collect personal medical information in the interest of health and safety: the EU’s GDPR, CCPA, ADA and HIPAA.
For detailed guidance on data privacy and COVID-19, refer to our newly developed guide on the top regulations that govern the collection and sharing of personal medical information.
To help organizations navigate through novel data privacy challenges, we’ve decided to offer our continuous compliance software subscription at no cost during the COVID-19 crisis. This includes our core platform and two compliance templates focused on privacy mandates passed in the United States and European Union: the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
We chose to make these two specific programs available because of the increasing amount of personally identifiable information that needs to be exchanged at record speeds in order to protect our communities.
You can contact us here to get the software at no cost.
2. Be diligent in keeping up with updates from regulatory bodies
Regulations are changing quickly as leaders at the federal level take a pragmatic approach to containing this virus. For instance, under normal circumstances in the U.S., employers aren’t legally allowed to take employees’ temperature at work (this is governed by The Americans with Disabilities Act). But now that the WHO has declared the novel coronavirus to be a global pandemic, the EEOC has confirmed that it is lawful for U.S. employers to take an employee’s temperature and inquire into their symptoms to determine whether they have the novel coronavirus.
Notwithstanding the above, there are still multiple laws in place requiring employers to maintain all employee illness as confidential medical information. Risk and compliance leaders need to be clear on these laws.
Now is the time to review your existing privacy policies and notices to determine whether they sufficiently cover the personal information the company intends to collect, and the manner in which your organization plans to use or share that personal information. This may require review of multiple policies (e.g., employee privacy policy, external-facing website privacy policy).
One specific thing to check is whether your privacy policy covers the disclosure of personal health information to a governmental agency for the requested purpose (e.g. to stem a public health crisis). Privacy policies typically provide that information can be shared to protect the health or safety of individuals, or in response to legal process or a lawful obligation. Companies may want to evaluate whether the personal information collected may be used for a novel or unexpected purpose that is not covered by the privacy policy, and amend their privacy policy accordingly. The CCPA, for instance, requires this.
3. Be prepared for new attack vectors
When employees work from home outside of secure corporate networks, they become more susceptible to hacking attempts. There are new schemes specifically attempting to exploit COVID-19. Your IT security team should remind employees to take precautions, reiterate key concepts covered in your security training and ensure that all monitoring systems are operating correctly.
Additionally, you should be ready to respond to any security incidents promptly. For instance, on March 6 the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on “Defending against COVID-19 Cyber Scams” encouraging individuals to remain vigilant and take the following precautions. IT teams should communicate these to employees:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not share personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
Lastly, you may consider a temporary augmentation of your IT staff during this time, so you have enough capacity to support employees as they work from home and respond promptly to security incidents.
4. Continue to make progress on scheduled audits
Audits not only provide internal leaders the assurance that your key systems and processes are running optimally, they also provide the assurances your customers need to trust you with their valuable assets (e.g., their data, the performance of critical services, their reputation).
Although audits are harder to do remotely, it’s important to make an effort to keep your audits on track. It is more difficult to build new business relationships in times of economic uncertainty. By continuing to maintain and demonstrate your compliance stance, you can remove a significant headwind that threatens to slow your business activity.
When we realized how difficult it was for our Audit partners to conduct business in the face of COVID-19, we at Hyperproof decided to rally our engineering team to develop a new set of remote assessment capabilities within our continuous compliance platform. Our continuous compliance software now features tight integration with video-conferencing services, beginning with Zoom.
Organizations can now collaborate on their compliance programs, controls, and evidence remotely. Conferences can be linked and stored back into Hyperproof’s system of record so that each organization is protected against compliance risk at this critical time.
5. Broaden your concept of business continuity and update your plan
Once you are out of firefighting mode, it’s time to turn your attention to long-term planning.
Update your business continuity plan to accommodate a wider range of outcomes than you may have contemplated previously.
Most business continuity plans go into great depth on the treatment of the technology assets an organization relies upon. These plans describe what would happen should a data center go offline or a network be disrupted, and how to connect people back into the network. Far fewer of these plans go into comparable depth on how to organize human resources in the face of a pandemic or other social distancing and remote work situations.
The COVID-19 pandemic has taught us that there are so many more situations to consider. What about gaps in employee availability as they deal with challenging personal circumstances? Shouldn’t we inventory the processes in the organization that are most reliant on face-to-face communications? What about contingencies to deal with employees’ mental health and wellbeing under difficult and unexpected circumstances?
There’s so much more we can do to prepare if we take the time to learn from this experience. As responsible employees and empathetic human beings, we should dedicate ourselves to making any future recurrences a better, more thoughtful and more human experience.
6. Get clear on employment laws before implementing any cost-cutting measures
If your organization cannot avoid reductions in hours or layoffs, it’s important to understand the legal implications of cost-cutting measures before taking further action. Consider doing an analysis to see if any proposed changes have a disparate impact on a protected category of workers, which could lead to discrimination claims.
Check the Department of Labor website for up-to-date guidance addressing wage and hour issues for employers affected by COVID-19. The Department recently released a FAQ clarifying employers’ responsibilities under the federal Fair Labor Standards Act (FLSA), and addressing pay issues regarding teleworkers.
Parting thoughts
Remember that you’re doing incredibly important and valuable work. Even though the current circumstances have created a challenging work environment and difficulties in our personal lives, each of us is part of the solution in our own way. If you embrace the challenges ahead, approach these challenges with a growth mindset and rally your team and co-workers, you and your organization will come out stronger on the other side. You will remember this challenging time as a key moment of growth when you look back at your career ten years from now. We at Hyperproof are working alongside you to do our part and we’re here at your disposal if we can be of any help to you during these challenging times.
Banner photo by Dan Cook on Unsplash