Practising Law Institute's Panel “The New Normal: What Privacy Rules Apply in a Virtual World?”

The widespread adoption of remote work arrangements during the COVID-19 pandemic and the need for employers to provide flexibility for the foreseeable future have heightened data-privacy risks for U.S. companies, which face a patchwork of regulations that differ not only from country to country but also from state to state. This reality was made clear to participants in a Practising Law Institute seminar titled “The New Normal: What Privacy Rules Apply in a Virtual World?” on October 20, 2021.

Add human behavior into the landscape, and the situation becomes even more complex. “In a remote work environment, employees are going to be much more inclined to do things with data that they wouldn’t be tempted to do in a regular office environment,” said Vinson & Elkins partner Jessica Heim, a member of the firm’s Government Investigations and White Collar practice and its Data Privacy and Cybersecurity practice.

Remote work arrangements required much of American industry to rapidly shift and survive during nearly two years of pandemic-induced lockdowns and social distancing, but that flexibility comes with a price.

Data security, difficult to maintain even when employees worked from their private and secure offices with company-issued devices and information security protocols, is exponentially more challenging when those workers are stationed in their homes.

Or, given the ubiquity of wireless communication, in coffee shops, public parks and vacation spots.

Many of the actions inherent in remote work are seemingly innocuous: Conducting a video call within earshot of family members or roommates, for instance.  Forwarding an e-mail to a personal account so it can be printed on a home-based device.

But depending on the circumstances, any or all of these actions might violate privacy commitments relied on by consumers and evaluated by regulatory agencies, said Heim, who joined Devika Kornbacher, a partner in V&E’s Intellectual Property and Technology Transactions practice and head of its Data Privacy and Cybersecurity practice, and Lily Fang, Vice President and Chief Privacy Officer for Palo Alto Networks in Sunnyvale, California, for the presentation.

The widespread adoption of Bring Your Own Device, or BYOD, policies that allow or even encourage employees to use personal laptops, tablets and phones, further heightens the risk, Fang noted.

“All the personal devices out there, if you multiply them together, you really increase the surface areas of your enterprise, and that is potentially very desirable for bad actors,” she said. “The personal devices that you use to connect to your workplace may not be equipped with the best technology, and your home network may not be as secure as the corporate structure.”

Using virtual private networks (VPN) or virtual desktop infrastructure (VDI) can mitigate some of the accompanying risks, Fang said, but creates fresh challenges.

While VDI is very secure, it entails fine-tuned notice and consent procedures, since it allows companies to monitor activities of employees and contractors who may be working from anywhere in the world, rather than in the single jurisdiction where an office is based.

Reliance on personal devices also raises the question of if and when corporate information technology departments have access to them — to copy images if needed in lawsuits, for example. Another issue is ensuring the company can recover data on the device when an employee leaves.

Congress has so far been unable to agree on uniform data-privacy rules, despite high-profile cyberattacks at firms from credit bureau Equifax to Colonial Pipeline, the latter of which led to widespread disruptions in the U.S. fuel supply in the spring of 2021.

The differing rules can leave businesses trapped between the sweeping privacy protections conferred by Europe’s General Data Protection Regulation, for example, and the expectation of U.S. litigants to be granted access to electronically stored information through discovery in litigation.

At the same time, some states have responded to the lack of a federal privacy standard by tightening their own laws.

California’s Consumer Privacy Act, giving California residents broad rights to know more about how their personal information is processed, covers but isn’t limited to Internet, audio, electronic and even “olfactory” data.

Passed in 2018, the CCPA applies to any individual in the state for a non-temporary purpose or anyone domiciled there but out of the state for temporary reasons, terminology that could readily apply to remote workers whose employers might not even be aware of their location.

“Knowing where your people are can make a difference in determining whether CCPA applies,” Kornbacher explained. “It’s a new normal that we all have to get our heads wrapped around.”

Virginia passed its own data-protection law this year covering any information that can reasonably be linked to an identifiable person.

But the widespread use of video-conferencing tools, some of which let users display a virtual background to viewers instead of their actual surroundings, can make determining where workers are and what rules apply difficult. Employees may not be notifying their companies about their travel plans, and may be working from an unknown location.  That may make it even more complex for a company, due to the different protections that apply based on where the individual is situated.

Another challenge is that digital meetings require information such as IP addresses, locations and identities simply to connect participants, which is metadata that wouldn’t have been created by an in-person meeting or telephone call.  The videoconference creates a whole array of data that could be subject to data privacy laws.

Litigants and government agencies actively pursue metadata when scrutinizing corporate conduct, Heim added, because it tells its own story and can be powerful evidence in a case or investigation. Companies can help themselves by actively monitoring their metadata as well as limiting network access to outside parties such as vendors.

Kornbacher pointed out that in cases where a contractor requires broad access, companies should make sure they terminate that access once the contractor’s project or assignment is completed. Verifying the contractor’s security practices is a vital step, too — preferably with the firm’s technology department, not its sales agents, she said.

Companies should exercise care in their public statements about their cybersecurity practices. They should periodically review the commitments made on company websites, in public statements and in regulatory filings to ensure they comport with actual practices and are defensible in the event of a data breach.

“It used to be a running joke that everything was a securities violation,” Heim said. “Now, everything is a disclosure violation. The Securities and Exchange Commission has been creative in charging disclosure violations, arguing that you didn’t maintain adequate controls to identify this vulnerability.”

In sum, just as work-from-home arrangements may be accepted as the “new normal,” increased data-privacy risks that accompany these arrangements will also be here to stay.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.