As many have learned over the last several years, ransomware is a type of malware that denies affected users access to critical data by encrypting it. Attackers profit handsomely by requiring victims to pay substantial sums, typically tendered in a cryptocurrency such as Bitcoin. A look at some of the numbers over the past two years is troubling. And, perhaps even more troubling, as in all “industries,” products evolve and there are new entrants to the marketplace.

MAZE and Sodinokibi

A comprehensive report by Coveware analyzing ransomware developments during the first quarter of 2020 highlights several interesting trends. In addition to calling attention to the uptick following the coronavirus COVID-19 outbreak, the report explains the rise in average ransom payments and the most common attack types and vectors. It also points to a disturbing new trend – data exfiltration.

For some time, the general view of ransomware has been that attackers encrypt their victims’ systems and files believing that many will be without good backups, increasing pressure to pay the ransom in order to recover critical business information, despite the risks that come with such transactions. That view is shifting. According to the Coveware report, and what we are seeing in our own experience:

Data exfiltration, where data is downloaded from victim computers and is threatened to be released publicly, became a prevalent tactic during ransomware attacks in [the first quarter of 2020]. This was a big change from the previous quarter where it was virtually non-existent.

Two popular variants driving this new trend in ransomware attacks are MAZE and Sodinokibi. Tactics include auctioning off stolen data and/or publicly shaming victims into paying the ransom. (This KrebsOnSecurity post includes a snapshot showing such an auction on the dark web by the REvil ransomware group.) The expectation is that these kinds of attacks will continue.

“WASTED”

As part of managing the data breach response services we provide to our clients around the country, we maintain relationships with forensic experts, such as Arete Advisors, LLC. These experts work with us to support our clients’ incident response needs, while tracking emerging threats. Arete recently reported on a new variant, “WASTED,” that appears to have certain features to be aware of:

  • Ransom demands have been nonnegotiable, and have been in the range of 40 BTC to 1,000 BTC. As of this writing, that means between approximately $360,000 and over $900,000, and the attackers threaten to increase the ransom every 24 hours.
  • The attackers sometimes enter through VPN with compromised credentials. As Arete suggests, using multifactor authentication on VPN connections can help prevent these and other attacks.
  • Ransomware payloads are customized to the victim’s environment. The file extension will have 3 characters that represent the victim’s company name along with a reference to the variant, e.g., “abcwasted.”
  • The attackers can be slow to respond, 12+ hours in some cases.

Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends. There also are several steps organizations can take to minimize the chance and impact of a successful attack.

In late March and April 2020, the Equal Employment Opportunity Commission (EEOC) released guidance addressing various questions and answers concerning COVID-19 and related workplace disability issues under the Americans with Disabilities Act (ADA). Recently, on June 17th, the EEOC updated its guidance to include a new question regarding antibody testing.

Most of the questions concern general employee rights and privacy and employer obligations during the current state of the COVID-19 pandemic. A few of the questions relate to the anticipated gradual return to the office of employees temporarily working remotely due to the pandemic as the crisis subsides.

The EEOC’s April update, inter alia, included a determination that employers can administer COVID-19 testing (i.e., testing for active virus), and recommended that employers do the following:

  • Determine that tests are accurate and reliable.
  • Review guidance from the Food and Drug Administration (FDA), U.S. Centers for Disease Control and Prevention (CDC), and other public health authorities and regularly check those authorities for updates.
  • Consider incidences of false positives and false negatives associated with particular tests.
  • Keep in mind that a negative test does not mean an employee will not contract the virus in the future.
  • Require that employees continue infection control practices, including social distancing, handwashing, and other cleanliness and disinfecting measures.

The April update was silent on whether its determination regarding COVID-19 testing also included antibody testing. Antibody testing (i.e., serological testing) is able to detect antibodies from a previous infection. However, it can take one to three weeks for antibodies to develop following the onset of symptoms, and it is not certain that antibodies provide immunity or, if so, how long immunity would last – the current reliability and utility of these tests is in question.

The June 17th update to the EEOC guidance weighs in on antibody testing in the workplace. Specifically, the EEOC provides an answer to the following question:

CDC said in its Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace.” In light of this CDC guidance, under the Americans with Disabilities Act (ADA) may an employer require antibody testing before permitting employees to re-enter the workplace?

The EEOC concludes that antibody testing constitutes a medical examination under the ADA, and employers cannot require antibody testing before permitting employees to re-enter the workplace.

In light of CDC’s Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace,” an antibody test at this time does not meet the ADA’s “job related and consistent with business necessity” standard for medical examinations or inquiries for current employees. Therefore, requiring antibody testing before allowing employees to re-enter the workplace is not allowed under the ADA.

It is important to note that, as with other types of COVID-19-related guidance, the EEOC will continue to monitor the CDC’s recommendations and update its discussion on this topic in response to changes in the CDC’s recommendations.

Takeaway

In general, COVID-19 testing methods come with administrative burdens to implement and ensure compliance. Such testing presents privacy implications, particularly with respect to testing that requires a blood sample or swab. Moreover, any information collected should be protected, with access appropriately limited, particularly if the organization is using a third party. As issues and concerns around COVID-19 unfold daily, employers must prepare to address the threat as it relates to the health and safety of their workforce.


The Department of State (DOS) has been collecting (and maintaining) information on social media use from all visa applicants (immigrant and non-immigrant) since June 2019. The DOS’s collection and maintenance of this information is the subject of a lawsuit. Despite claims that the collection is part of the vetting process, concerns about privacy and misuse of information remain. Our analysis of these issues is here.

Most companies continue to grapple with compliance with the California Consumer Privacy Act (“CCPA”), which went into effect in January. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA.

Now, the privacy-rights activist group that sponsored the CCPA – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The group recently announced it secured the 900,000 signatures needed to qualify for a place on the state’s November 2020 ballot.

If this appears on the ballot and passes, companies will have to once again review their privacy programs and likely amend further to comply. Many other states are also attempting to pass new legislation, so this could all create a complex regime of multiple states with different laws.

The CPRA, as drafted, would amend the CCPA, which has been criticized for overbroad definitions and ambiguous language. It would expand the privacy rights of California residents and increase compliance obligations for companies. The CPRA would, as written and among other things:

  • New data category. Add a new category of information, known as “sensitive personal information”, which would include health, financial, and geolocation information collected, and allow California consumers to block businesses from using this information. Much of this information is covered by federal privacy laws, like HIPAA and GLBA.
  • Privacy for children’s data. Enhance children’s privacy rights and triple fines for collecting and selling information of minors under 16 years of age.
  • Enforcement Arm. Establish new enforcement authority to protect data privacy rights.
  • Correction of data. Give Californians the right to ask businesses to correct inaccurate personal information.
  • More breach liability. Update data breach liability, specifically for breaches of a consumer’s email with password or security question. In such cases, hackers would be able to access the consumer’s account, and the CPRA would result in liability for the company experiencing the breach.

However, one thing the CPRA does that may help businesses is provide an additional two-year extension to exemptions for employee and business-to-business data. The current exemption is set to expire at the end of 2020. It is important to note that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

While the CPRA may have enough signatures to qualify it for the upcoming ballot, the California Secretary of State and local election officials will have to certify the signatures by June 25, 2020. Of the 900,000 signatures submitted, 675,000 must be certified as valid for the CPRA to be included on the November ballot.

We will continue to monitor CPRA developments and provide guidance on compliance with CCPA and new regulations and guidance from the California Attorney General.

As the COVID-19 pandemic presses on, privacy and security matters continue to be at the forefront for federal and state legislatures. We recently reported that Washington D.C. updated its data breach notification law. Now, the Vermont legislature also amended its data breach notification law, with significant overhauls including expansion of its definition of personal information and the narrowing of the permissible circumstances under which substitute notice may be used. Bill S.110, amending Vermont’s Security Breach Notice Act, V.S.A §§ 2330 & 2335, b23-0215, was signed into law by Governor Phil Scott, and will take effect July 1, 2020. In addition, Bill S.110 creates new duties and prohibitions with respect to student privacy directed towards educational technology services (similar to a law first enacted in California, and later adopted by over 20 states).

Key updates to Vermont’s Security Breach Notice Act include:

  • Expansion of Personally Identifiable Information (PII)

Following many other states, the new law will add to the data elements that, if breached, could trigger a notification obligation. Prior to this amendment, the definition of PII in Vermont was limited to four basic data elements that, when unencrypted, are in combination with a consumer’s first name or first initial and last name:

    • Social Security number;
    • Driver license or nondriver identification card number;
    • Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords; or
    • Account passwords, personal identification numbers, or other access codes for a financial account.

The amended law includes these elements, and adds the following when combined with a consumer’s first name or first initial and last name:

    • Individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
    • Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    • Genetic information; and
    • Health records or records of a wellness program or similar program of health promotion or disease prevention; a health care professional’s medical diagnosis or treatment of the consumer; or a health insurance policy number.

The amended law will also include notification requirements for breaches of “login credentials”. The amendment defines “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.” If a breach is limited to “login credentials” (and no other PII), the data collector is only required to notify the Attorney General or Department of Finance, as applicable, if the login credentials were acquired directly from the data collector or its agent.

  • Substitute Notice

Previously, substitute notice was permitted where the cost of Direct Notice via writing or telephone would exceed $5,000, more than 5,000 consumers would be receiving notice, or the data collector does not have sufficient contact information.

Under the amended law, substitute notice is only permitted where the lowest cost of providing Direct Notice via writing, email, or telephone would exceed $10,000, or the data collector does not have sufficient contact information. It is no longer permitted to provide substitute notice where the number of consumers exceeds a certain threshold.

Student Privacy Law

Finally, Bill S.110 also includes the Student Online Personal Information Protection Act, which prohibits an “operator” from sharing student data and using that data for targeted advertising on students for a non-educational purpose. Under the new law, “operator” means the operator of an Internet website, online service, online application, or mobile application used primarily for K-12 purposes, and designed and marketed as such. The passage of this law is particularly relevant during the COVID-19 pandemic, as student use of education technology services has dramatically increased.

Conclusion

This amendment keeps Vermont in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislatures. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.

Key updates to D.C.’s new law include:

  • Expansion of personal information

Following many other states, the new law will add to the data elements that, if breached, could trigger a notification obligation. Currently, personal information is defined as (1) any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account, or (2) an individual’s first name or first initial and last name, or phone number, or address, and any one or more of the following data elements: Social Security Number; Driver license number or DC identification card number; or Credit card number or debit card number.

The amendment significantly expands the definition of personal information to include the following new data elements:

  • identifiers including taxpayer identification number, passport number, military identification number and other unique identification numbers issued on a government document;
  • medical information;
  • genetic information and DNA profile;
  • health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer that permits access to an individual’s health and billing information;
  • biometric data; and
  • any combination of data elements listed above, that would enable a person to commit identity theft without reference to the individual’s name.

Personal information also includes “a user name or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements [listed above] that permits access [to] an individual’s email account.”

  • Notification to Attorney General

Notification to the Office of the Attorney General is now required for any breach affecting 50 or more D.C. residents. Notice must be provided in the “most expedient manner possible, without unreasonable delay, but in no event later than when notice is provided”. There are also several specific content requirements for notice to the Attorney General, including whether there is knowledge of any foreign country involvement.

  • GLBA/HIPAA Exemption

The new law exempts entities subject to GLBA or HIPAA if those entities maintain breach notification procedures and provide notification as required under those laws, as applicable. However, those entities must still notify the Attorney General of any breach that requires notification under GLBA or HIPAA.

  • Risk of Harm Threshold

If a person or entity reasonably determines, after reasonable investigation and consultation with the Office of the Attorney General and federal law enforcement agencies, that the breach likely will not result in harm to affected individuals, notice is not required.

  • Free Mitigation Services for Affected Residents

D.C. joins California, Connecticut, Delaware and Massachusetts in requiring companies to provide identity theft protection or credit monitoring services to residents affected by a breach at no cost. The new D.C. law requires that a person or entity that experiences a breach involving Social Security numbers and/or taxpayer identification numbers must offer affected individuals at least 18 months of identity theft protection services at no cost.

Data Security Requirements

Finally, the new law, notably, establishes data security requirements for covered businesses. In short, any business that owns, licenses, maintains, handles or otherwise possesses personal information of D.C. residents must implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and to the nature and size of the entity and its operations. Further, covered entities must enter into written agreements with their third-party service providers requiring the service provider to implement and maintain similar security procedures and practices.

This amendment keeps Washington D.C. in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

States are reopening – find out which ones here. As they do, organizations will begin and/or continue adhering to a complex set of distancing, screening, capacity, sanitization, mask, posting, reporting, and other guidelines designed to maintain COVID19 curve flattening efforts. For organizations with operations in multiple states, the patchwork of federal, state, and local “guidelines” becomes even more complex. For organizations that tackle these guidelines, their job still may not be complete.

The risk of COVID19 infection in areas such as a salesfloor, the common areas of an apartment complex, a loading dock, or an office environment is not limited to the members of an organization’s workforce or its customers or clients. Virtually all organizations rely, directly or indirectly, on third-party service providers or vendors to operate efficiently, and the risk extends to those providers and vendors as well. In a retail business, service providers or vendors might include delivery companies, manufacturer representatives, temporary staffing companies, and IT support services. Senior living communities might have similar service providers or vendors as retail businesses, along with landscape companies, building maintenance technicians, and equipment suppliers. The same is true for professional service providers, whose service providers or vendors also could include office equipment maintenance providers, window and office cleaners, food service providers, and transportation vendors.

As organizations develop policies and devise procedures to address COVID19 in their facilities, they should be taking their third-party service providers or vendors into account, especially when the workforce members of those entities will need to interact with the organizations’ employees, customers, clients, etc. How to do so presents some difficult questions and additional challenges. Some organizations may want to (or be required to) play a more active role, such as screening a vendor’s employees before being permitted to enter the organization’s facilities. Others might prefer to rely on the vendor’s compliance efforts. Either way, these decisions raise critical health, liability, insurance, public relations, operational, and business issues.

Depending on how organizations decide to approach the risks posed by third-party service providers or vendors, below is a checklist of items an organization might want to cover with respect to each of those entities.

  • Modifying the delivery of products and/or services to minimize COVID19 risk.
  • Compliance with all applicable federal, state, and local COVID19 guidelines, including those specific to the organization which may not be applicable to the service provider or vendor, and including changes to those guidelines and best practices as the pandemic continues to evolve.
  • Allocating responsibility for COVID19-related issues, such as reporting, exposures, liabilities, etc. For example, organizations may want to confirm whether they or their service providers are responsible to provide personal protective equipment (PPE) in the organizations’ facilities. Organizations also may want to reevaluate insurance coverage requirements, indemnification provisions, and limitation of liability clauses to ensure they align with a changing risk landscape due to the pandemic.
  • Ensuring service provider and vendor workforce members are aware and trained on the organization’s applicable COVID19 policies and procedures including without limitation social distancing, sanitization, screening, cleaning supplies, contact tracing, and other measures.
  • Administering screening/testing for all vendor or service provider workforce members prior to entering the organization’s facilities, and who is responsible for carrying it out.
  • Arranging for communication and reporting of COVID19 symptoms, or infections or likely infections in order to carry out contact tracing. As contact tracing efforts expand, many organizations are considering different approaches such as contact tracing apps. Depending on the circumstances, having service providers use the same contact tracing app could enhance the organization’s efforts.
  • Pushing service provider and vendor’s obligation downstream to their agents, subcontractors, and third-party service providers where applicable.
  • Ensuring cooperation and consistent communications in the event of any investigation concerning COVID19 infection believed to be at the organization’s facilities.
  • Maintaining a process to assess compliance and appropriate record keeping. Some organizations may want to be able to review a service provider or vendor’s record keeping to show they have been complying with applicable COVID-19 guidelines.
  • Confirming that service providers and vendors have hardened their privacy and cybersecurity protections as ransomware, business email compromise, and other attacks are on the rise with COVID-19 and could result in business interruption. Much of this post relates to increased physical interaction as organizations reopen. However, significant segments of the workforce will continue to work from home, including service providers and vendors, extending these heightened risks.

A “compliance with all applicable laws” clause or related clauses in the service provider or vendor’s master services agreement (MSA) likely will not be sufficient to address many, if not all, of these issues. COVID19 implications are far reaching, affecting the provision of services, service level agreements, costs, liabilities, etc. Organizations and their service providers and vendors may need to rethink certain provisions of their MSAs to address the new reality of how products and services are provided and performed during the coronavirus pandemic, including amendments that outline specific COVID19-related operational issues, practices, etc.

With California’s mandatory COVID-19 stay-at-home orders impacting some 40 million people by forcing the vast majority of them to connect remotely to work, go to school, order necessities, socialize and do many other things, California’s Attorney General Xavier Becerra recently issued an alert reminding consumers of their privacy rights and encouraging them to be vigilant about practicing sound security practices while online.

In his alert, Attorney General Becerra urges consumers to take steps to understand their rights under the California Consumer Privacy Act (“CCPA”), a new law that went into effect on January 1, 2020 and provides important consumer privacy rights both during and after the COVID-19 public health crisis. To learn more about the CCPA’s consumer privacy rights, see our previous posts on this blog located at this link.

Attorney General Becerra’s alert also warns consumers about common COVID-19 phishing email scams; provides tips on how to enable privacy and security settings during virtual meetings and otherwise protect home networks from outside hackers; and recommends online resources that “help parents set boundaries and guide their children towards becoming good digital citizens.”

Visit our previous blog posts for more information about the CCPA and other privacy and security developments during the COVID-19 pandemic:

As the COVID-19 pandemic presses on, legislators and regulators continue to remind the public of the importance of data security and privacy protections. On April 30th, U.S. Senator Roger Wicker (R-Miss.), Chairman of the Senate Committee on Commerce, Science, and Transportation, announced plans to introduce (jointly with several co-sponsors) the COVID-19 Consumer Data Protection Act. The bill aims to provide consumers with greater “transparency, choice, and control” over their health, geolocation and proximity data. Further, the bill would impose data privacy and security requirements on businesses that handle personal data related to COVID-19.

The text of the bill has not yet been released to the public; however, according to Senator Wicker’s announcement, the COVID-19 Consumer Data Protection Act would:

  • Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

Although the bill focuses exclusively on data related to the spread of COVID-19, its consumer protections are similar in kind to those provided for in the California Consumer Privacy Act (CCPA), including, for example, notice requirements, a consumer’s right to opt out, data security obligations and more.

“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important…This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens,” stated Senator John Thune, a co-sponsor of the bill.

The bill is still in early stages of the legislative process, but may have greater success than some of the attempts at a federal consumer privacy law of late, given the urgency of the COVID-19 pandemic.

These are difficult times for many businesses, and while there has been significant flexibility from legislatures and regulators in certain areas of the law, the proposal of the COVID-19 Consumer Data Protection Act signals that data privacy and security protections continue to be a priority. Moreover, with the emergence of technologies such as contact tracing apps and social distancing wearables, increasingly used in the workplace to help limit the spread of COVID-19, collection of sensitive data related to the virus is almost inevitable. Organizations should be assessing and reviewing their data collection activities, and ensuring that a robust data protection program and written information security program (WISP) are in place.

As organizations work feverishly to return to business in many areas of the country, they are mobilizing to meet the myriad of challenges for providing safe environments for their workers, customers, students, patients, and visitors. Chief among these challenges are screening for COVID19 symptoms, observing social distancing, contact tracing, and wearing masks. Fortunately, innovators are rising to meet this need, developing a range of technologies – wearables, apps, devices, kiosks, AI, etc. – all designed to support these efforts. But, for many organizations, the question is what technologies are out there and what should they be thinking about in deciding to adopt one or more of them.

Wading through the wide variety of COVID19-related technologies can be like scrolling through your cable provider’s movie guide – lots of time spent, not sure what to choose. So, to help you get a quick, bird’s eye view of some of the kinds of technologies being developed and which may be available, please see our table of “Selected COVID19 Distancing, Screening, Contact Tracing, and Other Technologies” (Table).*

Needless to say, compiling, implementing, enforcing, and documenting extensive and sometimes conflicting federal, state, and local mandates and recommendations for screening, distancing, contact tracing, and mask wearing requires a significant and ongoing effort. Technologies, such as those listed in the Table, can help. Some of the features of these technologies include:

  • Wearables that alert the wearer that he or she is getting too close to a colleague may boost an organization’s efforts to adhere to distancing requirements.
  • Kiosks with thermal scanning capabilities may facilitate temperature screening in a faster, more efficient way while minimizing contact that might further the spread of COVID19.
  • Apps that track the locations of individuals could automate otherwise laborious manual contact tracing activities.

The advantages of these technologies can be substantial, quickening the path to compliance and opening the organization’s doors to business. However, organizations should proceed carefully to examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk. Below are some questions organizations should be considering:

  • What is the organization’s goal for the technology? If the organization’s goal is to keep workers who may have COVID19 from entering its facility, then screening technologies are something the organization may consider. However, if the goal is to identify other workers who may have been exposed to a COVID19-positive co-worker, then contact tracing technologies may be more appropriate. To this end, it is important to consider the organization’s goals prior to selecting technologies for implementation.
  • Does the technology work? For temperature taking/scanning technology, this may mean validation of the accuracy of the device. When looking at contact tracing, accuracy will similarly be key in your efforts to identify co-workers who may be potentially impacted by COVID19.
  • Will the technology require employees to incur expenses that must be reimbursed? In some states, the implementation of this technology may require reimbursement if workers must incur costs or expenses as part of the implementation. For example, if an app requires an employee to have a mobile device for work purposes, expense reimbursement obligations with respect to that device may exist.
  • Is bargaining with the union required? As organizations look to these technologies, there may be numerous instances where the organization will need to consult, and possibly engage in bargaining with, the applicable union(s). Which technology is being contemplated may dictate whether the organization’s efforts are supported or challenged.
  • Is notice/consent required? This may be a difficult question to answer without having an understanding of the data that the technology is collecting. For example, the geolocation of employees, their COVID status, and their interactions with others are all likely elements of personal information under the California Consumer Privacy Act (CCPA), which applies to employees who reside in California if the organization is subject to the law. Similarly, electronic tracking of workers or the collection of workers’ biometric information (facial scans, etc.) may require notice and/or consent depending on the state of implementation. If the technology requires access to an employee’s personally-owned device, notice and consent are likely required and, in any event, are a best practice. While many think HIPAA is implicated in the collection of workers’ temperatures or responses to screening questions, this is often not the case unless a third-party provider or lab (i.e., a covered entity) is performing the screening, in which case an authorization is needed to share the results with the employer.
  • Will workers participate? Determining whether technology implementation may require notice or consent is discussed above. However, if implementation and/or usage is voluntary, the effectiveness of the technology in meeting the organization’s goals may be substantially impacted. Regardless of whether implementation is voluntary or required, it is important for organizations to communicate with their workers to explain the goals of the technology, answer questions regarding same, and address concerns over privacy and related issues in order to ensure buy-in and effectiveness.
  • How is data collected, shared, secured, returned? Understanding the answers to these questions is imperative in order to help ensure compliance. This is especially true as there are numerous laws which may be implicated when data is collected from workers. These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, the CCPA, and the General Data Protection Regulation (GDPR). In addition to statutory or regulatory mandates, organizations will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data. Finally, whether mandated by law or contract, organizations should still consider best practices to help ensure the privacy and security of the data they are responsible for.
  • Are the employees implementing the technology capable and trained? Should “managers” be viewing dashboards which provide extensive information about many of the organization’s workers? In these uncertain times an organization may be left with no choice other than to expand the list of individuals who may have access to workers’ personal information. However, when doing so, organizations still need to be mindful of the ADA’s confidentiality requirements, discrimination, as well as state laws protecting against discrimination for lawful off-duty conduct (that may be discovered during the monitoring process). Addressing privacy and security obligations through a confidentiality agreement may be one way to help address these concerns.
  • What is the relationship with the vendor? The organization’s relationship with the vendor is established by way of contract or service agreement. It is important for these contracts/agreements to include confidentiality, data security, and similar provisions. This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s workers.
  • When should we stop using the technology? The Equal Employment Opportunity Commission (EEOC) has said that currently COVID19 meets the ADA’s direct threat standard and thus organizations may screen, take the temperatures of, and test workers prior to permitting those workers onsite. The EEOC has not yet expressly addressed contact tracing. As organizations look to the future, and the hopeful end to the COVID19 pandemic, they will need to consider when the state of the pandemic no longer supports the use of these technologies. The EEOC may provide that guidance; however, organizations may still have reasons to continue utilizing some of these technologies. For example, contact tracing may continue to help slow/limit spread within an organization. Similarly, organizations may face contractual demands from customers or clients who are looking to limit future risks or outbreaks related to COVID19. At points during this process, organizations also will need to consider whether and how long to retain the data collected.

In short, in 2020 we have extensive technology at our disposal and/or in development which may play a crucial role in helping organizations address COVID19, ensuring a safe and healthy workplace and workforce, and preventing future pandemics. Nevertheless, organizations must consider the legal risks, challenges, and requirements with any such technology prior to implementation.

*As noted, the Table is for general information purposes only. We have sampled none of these products or services. Neither the selection of these products and services nor the exclusion of others is in any way intended as an endorsement of, or opposition to, any type of product, service, application, or any manufacturer. The listing is intended solely to provide readers with a general, high-level overview of the kinds of products being developed to address certain aspects of COVID19 remediation. This is by no means an exhaustive list. All readers must carefully evaluate their own specific needs for COVID19 mitigation and compliance, review the specific features and specifications of any technology being considered, configure and install same with qualified information systems specialists, and obtain experienced and informed legal counsel concerning the applicable legal and compliance requirements concerning the selection and implementation of any technology solution.