Skip to main content
close search
site logo

Where privacy and security 'clash' for remote work

Shifting remote meant more personal data than ever before was available online, and cybercriminals were aware.

Published June 9, 2020
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Fotolia

Mary Hildebrand visited her office for the first time since March last week. The residual evidence of what life used to be was scattered across the office — newspapers last dated from mid-March. 

When businesses across industries went remote, the move introduced "clashes" between security and privacy for the new remote and scattered office, Hildebrand, chair and founder of the Privacy and Cybersecurity practice at Lowenstein Sandler, told CIO Dive. 

Shifting remote meant more personal data than ever before was available online, and cybercriminals were aware. "If you want to do business online, or you want to get on Zoom, just to talk to your friends, gaming or anything, you have no choice but just fill in the blanks," she said.

In response, CIOs, CTOs and CISOs had to account for losing "control of the work environment" and borderless security, she said.

Businesses are also dealing with contradictory privacy actions brought on by COVID-19. As the California Consumer Privacy Act's (CCPA) final rules await approval and the beginning of enforcement, the privacy regulation landscape has become more complex. For example, The HHS Office of Civil Rights (OCR) relaxed guidelines for HIPAA-compliant companies responding to COVID-19. 

Though states are rolling out phases to return to daily life before COVID-19, an immediate return to an office is unlikely — and a return to the same office environment is inconceivable. Privacy issues unraveled for employees just as much as consumers in the last few months.

There aren't a lot of privacy protections for employees because the assumption is that "when you start your job, you basically have employee monitoring that your employer wants to do," Heather Federman, VP of Privacy and Policy at data privacy firm BigID, told CIO Dive. Employees and employers agree to standard measures to monitor output, now that supervision is amplified. 

Outcomes of remote work and potential privacy faux pas, include dropping applications on employee devices to monitor keystrokes and productivity, and contact tracing for a return to the office. 

"We're going to end up doing a lot of surveillance, and this might be necessary for this short-term period," said Federman. "I don't know how much the CCPA can really help with that, because [it's] more just about privacy, self management," not tracking an employee's productivity. 

Contact tracing apps would rely on employee input and engagement. They also force policy changes to protect — and to a certain extent promote — changes in employee behaviors. 

Apple and Google's contact tracing framework gave organizations the ability to develop their own apps, but in doing so, the companies "took on the role of, if you will, legislating some of the privacy protections" built into the apps, according to Hildebrand. "I would almost call it a quasi governmental role" because there hasn't been definitive legislation to regulate the data collection and consent. 

As organizations navigate a complex privacy landscape with contradictory components, businesses are at a greater risk for a mishap. HIPAA's temporary rollback is juxtaposed with the California Attorney General's refusal to delay the CCPA's enforcement date.

Because so much data moved online, the AG's viewpoint is "this is no time to take your foot off the gas," according to Hildebrand. 

OCR suspended enforcement so information could be shared more freely between public and private entities for COVID-19 response. When Washington state toyed with the idea of restaurants collecting patron data for contact tracing efforts, HIPAA-related privacy concerns arose. 

Could restaurants become HIPAA compliant? The short answer: no, because they are not a healthcare provider, according to Hildebrand. The restaurants — and patrons — would be providing that information voluntarily. 

The lack of a unified federal data privacy law makes everything "dicey," Hildebrand said, especially when the nature of the CCPA is agnostic to industries — it's all about personal data itself.

"You're making significant changes in practices and assumptions, she said. "The paradigm around data is changing."

Recommended Reading

Filed Under: Security, Leadership

Editors' picks

Company Announcements

View all | Post a press release
Only Cynet Delivers 100% Protection and 100% Detection Visibility in the 2024 MITRE ATT&CK Eva…
From Cynet Security
December 11, 2024
Welo Data Launches Innovative Model Assessment Suite, Advancing Multilingual Causal Reasoning …
From Welocalize, Inc.
December 17, 2024
Smart City Expo USA 2025 Speakers Announced
From Smart City Expo USA
December 11, 2024
Celonis Appoints Benoit Fouilland as Chief Financial Officer to Drive Next Phase of Growth
From Celonis
December 05, 2024
Editors' picks
Latest in Security
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.