Navigating Privacy Rules in a Virtual World
The transformation to a work-from-home/work-from-anywhere model has become the new normal, and even after the pandemic ends, many expect that model to continue. This accelerated transition has forced companies to embrace virtual technologies without much forethought. Along with opportunities and flexibility, this change has ignited a set of new risks. And the evolving legal landscape makes identifying and mitigating those risks even more challenging.
In this presentation, Vinson & Elkins partner Devika Kornbacher is joined by Lily Fang, Senior Director of Privacy at Juniper Networks, to discuss the key privacy challenges implicated in our modern virtual world and share how companies can tackle these critical developments without hindering their success in this accelerated digital transition. The program will include discussion of the following topics:
- True meanings of and differences between cybersecurity and data privacy
- The myriad of data privacy issues presented by the virtual workspace, including the risks involved for the company and management
- Overview of evolving compliance landscape through a virtual workspace lens
- State data protection laws such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA)
- International regulations such as the General Data Protection Regulation (GDPR) and Personal Information Security Specification (China)
- Practical tips on how companies can increase compliance in their data processing interactions and resulting benefits in a virtual world
- Elements of a comprehensive information security program, including mobile device considerations
- Increased threat vectors in a virtual work environment, including considerations for responding to ransomware attacks
- Supplier onboarding and vendor due diligence guidelines
- Essential Takeaways
Seven Data Privacy Considerations in a Remote-Working World
With the surge in remote working caused by the COVID-19 pandemic, which has the potential to leave significantly fewer employees operating from comparatively secure offices, meeting data privacy requirements has become more complex than ever, according to participants in “Navigating Privacy Rules in a Virtual World,” a webinar hosted by Vinson & Elkins on June 17.
The session, which focused on identifying data privacy challenges and the tools for addressing them, was led by V&E partners Jessica Heim, a San Francisco-based partner who focuses on white collar criminal defense and government investigations; and Devika Kornbacher, who leads the firm’s Cybersecurity & Data Privacy practice and its Technology Transaction Team; as well as Lily Fang, Associate General Counsel and Senior Privacy Director for Juniper Networks in Sunnyvale, California. Both Jessica and Devika are designated as Certified Information Privacy Professionals (CIPP/US) by the International Association of Privacy Professionals (IAPP).
While the field of data privacy is constantly transforming, the discussion culminated in seven key takeaways companies should consider now to avoid potential litigation, headline and regulatory risk, and possible jurisdictional conflicts in the future:
1. Weigh the Fair Information Practice Principles.
From the outset, the principal elements of data privacy management should constantly be weighed against one another. They involve a balancing act among giving notice so that individuals are aware of how their personal data is being used; providing some choice and consent about the use of their data; and granting access and participation as to how that data is utilized. Of course, personal data must be sufficiently secured and, since breaches do occur, companies should proactively consider enforcement and redress policies. While many companies have yet to fully grasp what operating with a majority-remote workforce means, one way that managers who aren’t information security professionals can “keep it in the lanes” is to focus on those elements. With virtual workspaces, Fang pointed out that there are three core things general counsel need to consider: “maintaining security, enforcing confidentiality, and balancing employee monitoring.”
2. Consider the Hazards Inherent in Increased Usage of Personal Devices.
The COVID-19 shutdown forced companies that had previously banned use of personal devices for work-related tasks to reconsider or risk business disruption as employees began relying on personal digital networks or opted for home-office computers with large monitors rather than tiny corporate-issued laptops. According to Fang, a stricter policy on virtual private networks (“VPN”) or virtual desktop infrastructure (“VDI”) can mitigate some of the accompanying risks, but at the same time, it may create fresh challenges. While VDI is very secure, it entails fine-tuned notice and consent procedures, since it allows companies to monitor activities of employees and contractors who may be working from anywhere in the world rather than in the single jurisdiction where an office is based. Reliance on personal devices also raises questions about access and ownership — for instance, whether corporate information-technology departments have access to copy images when needed as part of the company’s discovery obligations in litigation.
3. Remember Remote Workplace Risks.
There are a number of risks that were not a factor when employees were in the office. Employees using corporate data at home may be more inclined to do things with that data they wouldn’t have in a pre-pandemic environment, Heim noted. That might include forwarding data to a personal account at home for printing purposes. Other examples of risk may include a household with two employees of competing companies working within earshot of each other; human-resource professionals and managers discussing sensitive topics in front of family members or even in the presence of Amazon’s Alexa; working in public spaces for faster Internet access; and leaving sensitive documents with personal information in plain view or discarding them in household trash. “It’s one thing to leave documents lying around your secure office; it’s a different thing to leave them lying around your not-secure home office,” Kornbacher said. “All of these can result in liability as potential breaches of privacy promises that are made with regard to maintaining sensitive data.”
Heim agreed. “All of these seemingly minor infractions add up,” she noted. “Each and every one of them could be breaching your privacy promises, and these promises are very important. One thing companies should surely do is periodically revisit their privacy policies to make sure they’re honoring the promises they’ve made.”
4. Appreciate the Difference Between Videoconferencing and Phone Calls versus In-person Meetings.
Because of the record-keeping capabilities available through videoconferencing tools, meetings conducted with them may create personal information records that are within the scope of the California Consumer Privacy Act (CCPA) or other regulations. California’s measure covers information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That includes network activity information, as well as audio and visual records. The state’s law, passed in the wake of the Cambridge Analytica scandal, applies not only to people within the state, but those who are domiciled there and outside the state’s borders temporarily. In remote work, if someone who is domiciled in California decides to work from Canada or the European Union, that individual’s data — to the extent they are a consumer versus an employee when it comes to notice — is still governed by the CCPA. A practical approach, particularly with small teams, is to opt for stricter application of the law and treat video and audio records as personal data.
5. Take Care with Public Privacy Promises.
Executives of publicly traded companies should be wary of external statements about their data-privacy practices, especially in a period when remote-working has raised the risk of non-compliance by employees lacking the safeguards of an office, observed Heim. Such statements can be construed as promises and run afoul of U.S. laws that require accuracy in corporate disclosures. “Be careful about those statements,” she warned.
6. Keep Regulatory Frameworks in Mind.
The patchwork of regulations internationally, as well as within different jurisdictions inside the U.S., has long worried Silicon Valley executives who have pushed for greater uniformity. Absent that, varying rules can leave businesses trapped between the sweeping privacy protections conferred by Europe’s General Data Protection Regulation (“GDPR”), for example, and the expectation of U.S. courts to be granted access on demand in litigation. Executives are forced to risk either noncompliance with U.S. discovery laws, which may mean a lost case, or severe sanctions for violating the laws of other countries, Heim noted. U.S. judges generally haven’t been sympathetic to reliance on foreign blocking statutes that would deprive litigants in American courts of their right to evidence, she added.
7. Make Adjustments for the “New Normal.”
There are measures that can be taken to help executives negotiate virtual workspace risks, including reviewing, updating, and implementing a formal remote-work policy with cybersecurity and privacy provisions; reminding employees to be wary of phishing e-mails; expanding use of multi-factor authentication; updating and expanding network infrastructure, including VPN capacity; and providing employees with resources to help address home-network issues.
Data privacy is a constantly morphing responsibility. Not only are laws changing as states develop their own policies with little federal guidance, but growing dependence on e-commerce, cloud-based data storage and remote-working are also broadening the amount of information to be managed. Despite its complexities, this is an important area to monitor with an eye towards avoiding costly issues in the post-pandemic era.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.