Coronavirus Covid-19 and the Future of Cybersecurity

Briefing

The global COVID-19 pandemic will have lasting effects. It will transform information security practices and cybersecurity. These adjustments and the pace of change will depend on individual business sector norms, end user demands and workforce demographics. Seismic changes are now inevitable in the medium to longer term because of the shift in working practices, the rise in cyber threats and the economic challenges that will face many companies and organisations. Although there will be various overarching themes, the following five trends stand out:

  1. The rise and rise of Working from Home and Teleworking

For the largest companies and organisations that now allow hundreds and thousands of staff to work from home, by default, the cybersecurity challenges are enormous and ever evolving. The rise in ransomware and phishing attacks has been the most obvious challenge, requiring new forms of training, policies and procedures and closer network monitoring. The rise in network access points and endpoints and the use of personal devices (Use Your Own Device) to access corporate networks have expanded the threat surface, increased the likelihood of human error and created stocks of unpatched and less-secure endpoints. While cybersecurity teams can find ad hoc solutions in the short term, the medium to longer term will require an increase in zero trust practices and the intensive use of new data loss prevention policies, services and tools. Specialised training in remote-working data protection compliance and staff training to avoid social engineering will need to be embedded.

  2. The unlocking of Video Collaboration

One clear effect of COVID-19 has been to greatly increase the use of video conferencing and multimedia collaboration tools. Applications and services that are white-listed on corporate networks and adopted by companies and organisations do not pose unmanageable risks. However, the main risk arises from collaboration and video conferencing software and applications that sit outside of corporate networks, but are readily available, easy to use and popular. A number of these applications were not built for the enterprise but were consumer-focussed products and services with poor data protection (including General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance), weak information management and weak cybersecurity standards and practices. Information security teams will need to have an answer for staff and teams that use these services and rely on their utility and convenience. Organisations should actively test these products and services against relevant industry standards and the organisation’s own cybersecurity risk appetite. New governance standards and rules should be applied to mitigate risks. Vigilance is key, even for services that sit outside the corporate network but are increasingly used for business activities.

  3. Cyber Resilience

COVID-19 has brought cyber resilience to the forefront, both as a tangible corporate aim and as an ongoing state of dynamic vigilance. Resilience is no longer a distant intention, but results from blending cybersecurity strategy, business continuity and disaster recovery objectives into a holistic set of principles and measurable outcomes. This analysis must also include considerations of the insurance in place for physical assets, cyber assets, intellectual property assets, data assets, know-how and personal data. The pandemic is also a signal that companies and organisations must see cybersecurity resilience through the prism of multiple emerging threats such as climate change, unusual weather events, terrorism, future epidemics, wars, civil unrest and high value persistent state-sponsored hacktivism.

  4. Scrutiny of Future Supply Chain Security

COVID-19 has exposed the frailties of just-in-time supply chains and the reliance on excessively long supply routes. Future supply chains will be judged for their cybersecurity resilience, cyber insurance protections and effectiveness. Cloud services and hosting providers will be asked to provide greater cybersecurity assurances and evidence of their business continuity and disaster recovery plans. Information security teams will increasingly develop second and third preference suppliers and explore the ability of new providers to step in, augment, or take over information technology services. It is also inevitable that information security suppliers will be held to higher standards of compliance with international information security certifications, cybersecurity best practice, sector norms, information management and data protection standards. Supply chain information security risks will receive greater scrutiny from boards and senior leaders.

  5. The Future of Digital Transformation

The focus of digital transformation will move away from broadly defined aims of efficiency, innovation and cost savings. The new and emerging metrics driving digitisation will be elasticity, scalability, cybersecurity resilience, ease of adoption and maintenance (leading to long term savings). The adoption of Cloud services, especially Infrastructure as a Service (IaaS), is set to increase, driven by cybersecurity concerns and the need to increase cyber resilience.

Cybersecurity: Focus on Ireland’s National Cyber Strategy

Briefing

Ireland is an important player in the global digital economy. According to the Commission for Communications Regulation (“ComReg”) and other estimates, 30% of the European Union’s data are hosted in Ireland. The Republic of Ireland ranks 7th out of 28 EU member states in the European Commission Digital Economy and Society Index (DESI) 2019. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in Ireland, where many of their data centres are located. At the end of 2019, the Irish government published its second National Cyber Security Strategy, for 2019 – 2024, to increase its cybersecurity readiness and resilience. The security of Ireland’s network and information systems is important for economic growth, investment, trust, national security and innovation.

A Cybersecurity Journey

A key proposal is to develop Ireland’s National Cyber Security Centre (NCSC), increase incident monitoring, respond to incidents and threats and work with the Defence Forces and the Gardaí (Police) on critical national infrastructure issues. There is also a growing realisation that cybersecurity resilience, national security and critical national infrastructure should embrace new partnerships between the public sector and the private sector. ComReg recommends allowing intelligence on threats to national security to be shared between Irish state agencies and the private sector. Access by private companies to intelligence on national security risks is seen as the best way to guarantee and secure telecoms networks in Ireland.

Key elements of Ireland’s National Cyber Security Strategy 2019-2022

The strategy’s main objectives are to:

  • Continue to improve Ireland’s ability to respond to and manage cybersecurity incidents, including those involving national security
  • Identify and protect critical national infrastructure by increasing its resilience to cyber attacks and ensure that operators of essential services have appropriate incident response plans to reduce and manage disruptions to services
  • Improve the resilience and security of public sector IT systems to better protect data and the services that people rely on
  • Invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers
  • Increase business awareness of the need to secure their networks, devices and information and to drive research and development in cyber security in Ireland, including new technology investment
  • Continue to engage with international partners and international organisations to ensure that cyberspace remains open, secure, unitary, free and able to facilitate economic and social development
  • Increase the general level of skills and awareness among private individuals about basic cyber hygiene and support them with information and training.

The strategy’s other key deliverables include the appointment of Cyber Attachés to Ireland’s key foreign diplomatic missions, ratification of the Budapest Convention on Cybercrime, expanding the current Threat Sharing Group (TSG), refining existing arrangements with the UK on information sharing and incident response and providing support to Cyber Ireland to develop a Cyber Security Cluster of industry, academia and government.

Action Plan: Monitor progress, review outputs and evaluate results

Companies, organisations, the public sector and investors must monitor the implementation of the strategy. The Irish government’s overall budget for this strategy has not been published. Priorities within the strategy for each major objective have not been fully outlined. The role of Small and Medium Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience should be monitored, as this is underdeveloped in the strategy. The key question is whether Ireland’s NCSC will become a larger, more confident and technically well-resourced cybersecurity champion in the coming years.

Ireland’s data protection approach should also be monitored in conjunction with the National Cyber Security Strategy. Ireland’s Data Protection Commission (DPC Ireland), the data protection and General Data Protection Regulation (GDPR) regulator, received a total budget allocation of €16.9 million for 2020, which included a smaller budget increase than it had requested. The quadruple challenges of Brexit, coronavirus COVID-19, an uncertain post-election government and a cooling Irish economy in the second half of 2020 will directly affect the immediate implementation of the strategy.

Coronavirus COVID-19: Regulators around the world offer data guidance

Global Briefing

The novel coronavirus, COVID-19, has been classified as a global pandemic. At such a critical time for public health, nations and the global economy, the World Health Organisation, governments, Chief Medical Officers and public health organisations provide much needed scientific and practical expertise. In our data-driven world, data and information are vital to responding effectively through contact tracing, outbreak analysis, vaccine research, risk assessments, diagnosis, treatment, modelling and government policy decisions. In this emergency, transparent and proportionate data privacy practices, confidentiality and data security procedures can help to inform these efforts, increase trust and encourage win-win outcomes. Data excellence is crucial.

Health Data: The sword and shield to combat the crisis

Health and medical data are often classified as sensitive and confidential. In the European Union, the General Data Protection Regulation (GDPR) lists these as special categories of personal data. Collecting, storing and sharing these types of data in high volumes is called high risk data processing. Globally, best practice in health care data management insists that these kinds of data must be kept secure, data sharing should be specific and limited, and data must be highly accurate, complete and relevant. Individual consent is often the means by which these types of data are collected, stored and used. Health data processing for COVID-19 identification, treatment and public health countermeasures necessarily pressures and adjusts this status quo. The frequency and intensity of health data processing and sharing around the world will challenge data controllers, data owners, data guardians and individuals alike. A targeted and purposive approach is required. In this crisis, necessity must be the mother of invention and provide much needed public health and medical solutions and outcomes.

Looking for Leadership: Guidance from Key Data Regulators

Aware of the increase in health data collection, storage and use as well as the increased data security risks, data protection and other key regulators have published guidance to assist companies, organisations, governments, health care systems and individuals. These include:

Italy

The Italian data protection regulator, the Garante (Garante per la protezione dei dati personali), has published a statement encouraging employers not to collect COVID-19 related health data and location information about employees in a spontaneous, systematic and generalised way. Health data collection should be left to the health authorities, or otherwise such collections must be specifically required by law. Employers are encouraged to strictly comply with requests and nationwide initiatives from Italy’s Ministry of Health. The statement clarifies that employees have a duty to inform their employers of health and safety risks, such as exposure to COVID-19. Employers may invite employees to notify them of exposure. The statement, in Italian, is here.

Ireland

The data protection regulator for the Republic of Ireland, the Data Protection Commission Ireland (DPC Ireland), has issued guidance stating that measures taken to combat COVID-19, including the collection and use of health data, should be necessary and proportionate. All decisions should be informed by the guidance and instructions of public health and other relevant authorities. The GDPR should be applied, and the key GDPR principles of a proper legal basis for processing health data, transparency, confidentiality, data minimisation and accountability should be practised. The guidance presents a number of employment scenarios, as questions and answers. DPC Ireland acknowledges that an organisation’s response to an individual’s data protection rights may be impacted or delayed by COVID-19 and this will be taken into account, but GDPR legal obligations cannot be waived. Where COVID-19 impacts data protection compliance, organisations should communicate with individuals, respond as quickly as possible, reply in stages and maintain clear internal records. The guidance is here.

Spain

Spain’s data protection regulator, La Agencia Española de Protección de Datos (AEPD), has published a statement and a report on data protection and COVID-19. AEPD clearly states that data protection rules should not be used as a barrier to respond to COVID-19. The GDPR and local Spanish laws provide the proper legal basis for dealing with these exceptional cases, public interest efforts and activities to protect the vital interests of individuals. Employers should process health data that are necessary to safeguard staff and limit further contagion. The statement is here and the report is here, in Spanish.

United Kingdom

The United Kingdom’s data protection regulator, the Information Commissioner’s Office (ICO), issued a statement asserting that data protection and electronic communications laws do not prevent responding to COVID-19, including the additional collection of personal data for public health reasons. The ICO says that it is a reasonable and pragmatic regulator that will consider the compelling public interest in the coronavirus health emergency. It offers its website address and helpline number as sources of assistance. The statement is linked to questions and answers with scenarios about employers, employees and health professionals. The statement and questions and answers, in English, are here.

France

France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), issued guidance emphasising that the GDPR applies to health data collection relating to COVID-19. It outlines prohibitions, which include employers asking staff and visitors to provide temperature readings every day or collecting health questionnaires from all employees. Systematic and generalised collection of health data is discouraged. Employees are encouraged to inform their employers about their potential COVID-19 exposure, and employers can provide reports to public health authorities and set up business continuity plans. Organisations should follow the recommendations of the health authorities and collect data in accordance with their requests and instructions. The guidance, available in French, is here.

United States of America

The United States responds to COVID-19 both on the federal level and on the state level, in each of the 50 states. City, regional and local-level responses are also evident. Without comprehensive all-sector national or federal-level data privacy laws, the broadest guidance available relates to the federal Health Insurance Portability and Accountability Act 1996 (HIPAA). The Department of Health and Human Services (HHS) published a Bulletin covering HIPAA and COVID-19 related issues, which is here. The US Centers for Disease Control and Prevention provides up to date general coronavirus updates, advice, health guidance and mitigation strategies, available here.

China

The National Health Commission of China published a notice, available in Chinese here, on the personal data protection issues in responding to COVID-19. In addition, one of China’s key cybersecurity and data protection bodies, the Cyberspace Administration of China (CAC), published a Circular on “Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control” to provide detailed guidance, which is available in Chinese, here.

Switzerland

Switzerland’s data protection regulator, the Federal Data Protection and Transparency Officer (PFPDT), has published guidance on the protection of personal data while containing COVID-19. The guidance is available in German, French and Italian.

Belgium

Belgium’s data protection regulator, Autorité de protection des données, has published guidance on COVID-19. The guidance is available in French, here.

Germany: Baden-Württemberg

The Baden-Württemberg data protection regulator, LfDI Baden-Württemberg published frequently asked questions (FAQs) on data protection compliance and COVID-19. The FAQs are here.

New Zealand

New Zealand’s data protection regulator, the Office of the Privacy Commissioner of New Zealand (OPCNZ) published frequently asked questions (FAQs) on COVID-19. The FAQs are here.

Denmark

Denmark’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Danish, here.

Iceland

Iceland’s data protection regulator, Persónu Vernd, has published guidance on COVID-19. The guidance is available in Icelandic, here.

Luxembourg

Luxembourg’s data protection regulator, Commission Nationale pour la Protection des Données, has published guidance on COVID-19. The guidance is available in French, here.

Norway

Norway’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Norwegian, here.

Poland

Poland’s data protection regulator, Urząd Ochrony Danych Osobowych, has published guidance on COVID-19. The guidance is available in Polish, here.

Netherlands

The Netherlands’ data protection regulator, Autoriteit Persoonsgegevens, has published guidance on COVID-19. The guidance is available in Dutch, here.

Hungary

Hungary’s data protection regulator, Nemzeti Adatvédelmi és Információszabadság Hatóság, has published guidance on COVID-19. The guidance is available in Hungarian, here.

Slovakia

Slovakia’s data protection regulator, Úrad na ochranu osobných údajov Slovenskej republiky, has published guidance on COVID-19. The guidance is available in Slovak, here.

Slovenia

Slovenia’s data protection regulator, Informacijski pooblaščenec, has published guidance on COVID-19. The guidance is available in Slovenian, here.

Brexit, Data Flows and GDPR: Board and Leadership Priorities

Briefing

The impact of the United Kingdom leaving the European Union on 31 January 2020 (Brexit) on UK/EU personal data flows and General Data Protection Regulation (GDPR) compliance will soon become clear. The short transition period, which ends on 31 December 2020, creates a buffer zone, but companies and organisations must plan for various outcomes on 1 January 2021 and beyond. Individual rights, supply chains and the flow of trade could be affected. Boards and leadership teams need clear strategy, creativity, communication and responsiveness to adapt to the emerging political, economic and data realities. Target operating models for Brexit-affected personal data flows should be agile and pragmatic.

1. Degrees of Divergence

Boards and leadership teams must closely monitor how much regulatory divergence the UK and EU accept. Divergence is inevitable; it is the natural consequence of the UK leaving the EU. However, the key question is a political and economic one: what will be the extent of UK regulatory divergence from the EU in the final trade agreement (if one is agreed)? Data is at the heart of global trade and innovation and is increasingly crucial in bilateral trade deals. Current political and economic positioning will define personal data flows and GDPR compliance long into the future. The EU asserts that a non-member should not have the same rights and access to its internal market as EU members, but prefers a regulatory level playing field with the UK. The UK insists that it seeks regulatory freedom to govern itself free from the EU single market, institutions, systems, laws and courts. Where will both sides place data protection in their list of priorities? Is there room for enlightened pragmatism on personal data governance?

2. Personal Data in Supply Chains

Modern supply chains are increasingly dynamic, empowered by mergers and acquisitions, low interest rates on borrowing for corporate expansion, investments from sovereign wealth funds, hedge fund-backed takeovers and tax-friendly globalisation. Supply chains can change quickly, data ownership can be transferred instantaneously, and rapid data sharing is enabled by 5G and cloud data storage. Brexit complicates this picture even further. Since the 2016 Brexit decision, many businesses and organisations have been in a state of constant reorganisation. Staff have been relocated, new EU businesses established, capital and assets redirected to the EU and business models modified. Boards and leadership teams should be clear about their priorities and communicate these to their supply chain partners. They should also risk assess their suppliers based on value, impact and the risks of change. Data Protection Officers and Privacy Leaders should plan to update data protection notices, data protection policies and contract clauses about GDPR, and schedule ongoing supply chain reviews.

3. UK Adequacy Decision

The EU has the power to grant the UK a data protection adequacy decision stating that the UK provides an adequate level of data protection comparable to the EU. This would allow the EU to reduce the GDPR regulatory hurdles on the UK’s ability to transfer personal data. The UK intends to apply to the EU for a decision, based on its existing GDPR alignment. However, the adequacy process includes wide-ranging investigations and a formal decision of the European Commission in consultation with other EU bodies. The decision is unlikely to be made for many months and it may become entangled in the UK/EU trade agreement negotiations occurring throughout 2020. An adequacy decision requires UK data protection alignment, reliable UK enforcement and minimal divergence. Without an adequacy decision for the UK, or with a delayed decision, the risk to UK/EU personal data flows and the costs to businesses and organisations significantly increase.

4. Replacing the UK Information Commissioner’s Office (ICO) as an EU GDPR Lead Supervisory Authority, GDPR One Stop Shop Authority and GDPR Binding Corporate Rules (BCR) Approval Authority

Boards and leadership teams need to review their previous analysis of the UK ICO as their lead Supervisory Authority for GDPR, their GDPR One Stop Shop Authority and the authority to which their GDPR Binding Corporate Rules can be submitted and agreed. Alternative EU Supervisory Authorities should be considered and selected to replace the UK ICO’s existing role for these activities, to properly comply with GDPR over the longer term. Expert advice may be required to embed these changes. For the largest companies and organisations, the transition period should be used to consider and begin to action these changes, if this work has not yet been done.

5. New Appropriate Safeguards for International Data Transfers

Where there is no UK data protection adequacy agreement, Boards and leadership teams must empower their organisations to adopt new appropriate safeguards to facilitate EU/UK personal data transfers. EU Standard Contractual Clauses are the most common solution, but the data exporter must be in the EU and the data importer outside the EU, so these will not typically facilitate data transfers from the UK to the EU, after the transition period. The existing EU/US Privacy Shield will no longer cover the UK (for UK to USA data transfers) unless a UK version is created and agreed. Binding Corporate Rules are a stable solution, but these cover only intra-group personal data transfers and take a long time to prepare and receive approval from EU data protection Supervisory Authorities. Boards and leadership teams must be creative, pragmatic and responsive to their supply chains, clients, staff and partners.

Five Key Things to Know about California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act 2018, or CCPA, is a US state privacy law that took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement begins on 1 July 2020.

1. What types of organisations are covered by CCPA?

The law applies to businesses that operate for profit and that fall into any one of the following categories:

  • Has annual gross revenue in excess of $25 Million (US Dollars); or
  • Buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or
  • Earns 50% or more of annual revenues from selling consumer personal information

2. What types of data or information are covered by CCPA?

The CCPA protects the personal information of California consumers. Personal information includes many different types of data and information, including identifiers (name, address, social security number, online identifiers, etc.), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, and profiles and inferences drawn from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.

3. What are the main CCPA obligations for businesses?

Businesses must:

  • Provide notices to consumers at or before data collection
  • Create procedures to respond to consumer requests to opt-out, know and delete information, including putting “Do Not Sell My Information” notices on websites and mobile applications.
  • Respond to consumer requests to know, delete and opt-out within specific timeframes
  • Verify the identity of consumers who make requests to know and to delete, whether or not the consumer has a password-protected account with the business

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with CCPA?

No. GDPR and CCPA have different scopes, definitions and compliance requirements. However, there are important similarities. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. GDPR Privacy Notices, Policies and GDPR processes used to respond to GDPR rights can assist CCPA compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Do Not Sell notices and their underlying systems are unique to CCPA and present several practical, technical and technological challenges.

5. Does the CCPA apply to businesses in other US states or to foreign companies?

Yes, it can. If a business falls within the CCPA qualifying criteria and holds personal information about California consumers, then CCPA applies. Businesses that are based in other US states and companies from outside of the United States may have to comply with the CCPA. All organisations should seek specialist advice, monitor the development of the CCPA enforcement regulations, examine official guidance and watch the Regulator.