Looking back, it has certainly been a wild ride in 2020. And, candidly, all of my predictions at the beginning of the year did not even come close to being accurate. Well, actually, one did: technology, cyber, and privacy are still on the rise and influencing businesses across a wide variety of industries. But, as we head into the final month of 2020, and look forward to hopefully a calmer and safer 2021, it is a good opportunity to take stock of where things stand, and what we can expect around the corner.
Looking back on 2020
2020 gave us lessons, in more ways than one. But, in the cyber and privacy sphere, there are some top impacts that we felt in 2020.
1. Businesses were not as prepared as they thought to spin up safe, secure, and functional remote environments.
A large emphasis for companies in the past few years has been embracing technology, and especially cloud-based technologies, to more efficiently and effectively run the business. And, while the trend towards SaaS-based options and cloud environments has been strong, we all learned how far our businesses really were from thriving in a truly virtual environment.
In March, there was a massive scramble to purchase hardware and software that would allow employees to easily work from home. And, for many companies, the considerations of privacy and security took a backseat to operations and just making it work. On top of the rush to provide the tools, many teams faced the challenges of how to collaborate and communicate in these distributed workforces, while many of us were also dealing with personal life challenges, as well.
However, now that businesses have a better handle on the day-to-day operations, and employees also have settled into a new normal, it is time to revisit those business continuity plans, those new tools and software that your business purchased, and ensure that security and privacy are built into your system.
Top of mind should be to ensure that the agreements in place with those vendors include security and privacy provisions, and the necessary contractual clauses required under laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Second, revisit the configurations to ensure that they align with your security and privacy policies. The speed with which many companies had to quickly pivot to remote environments did not leave a lot of time to address all of the security and privacy components of many of these services. That means that companies should be reviewing and reconfiguring, as necessary, those services to incorporate all the necessary security and privacy configurations.
2. Sadly, cyberattacks are now impacting the physical health of individuals.
There have long been predictions that the harms done in the digital world would result in physical harm. And 2020 gave us a prime example of how these predictions are now coming true. In September 2020, a woman seeking medical care in Germany died when she was turned away from a hospital. The hospital was unable to admit her because a cyberattack had locked it out of its systems.
As more and more of our business operations move to digital and online (some of which has been forced by the pandemic), our society is more vulnerable to cyberattacks impacting our physical world. Our critical infrastructure—such as electrical grids, hospitals, and banks—is a prime target, and increasingly vulnerable. And 2020 served to place a spotlight on those vulnerabilities, and how they crept into our physical lives.
Moving forward, the key is to make cyber guardians (a term promoted by Secure The Village) of all of us. By increasing the knowledge of all users—from elementary school children who sign on with Chromebooks, to sophisticated users in multinational corporations—we all become part of creating a secure and effective network. 2020 helped to highlight that and, I hope, promote a stronger global awareness of the benefits and risks of the digital world.
3. We, as system users, continue to be our own worst enemy in securing our systems.
For a number of years, security professionals have been sounding the alarm about cyber risks. And, yes, those risks can be complicated and sophisticated attacks on a system or a network. However, we, as the system users, with our human error, continue to pose the biggest risk to our own security.
The 2020 Verizon Breach Report recognizes that phishing attacks are still one of the top attacks that entities face. Phishing attacks really boil down to us and our ability to withstand the creative and effective ways perpetrators use to gain access to our systems. This is even more of an issue in 2020, when our attention has been completely taken over by the pandemic and a daily mental bombardment of news.
This ties back to my earlier point that education of all users, from the top of an organization all the way down, is key to truly creating a secure environment that addresses system vulnerabilities and data privacy. A key area to focus on in the coming months is training your employees and then testing them with table-top exercises on cybersecurity and privacy best practices. Do not assume that employees know and understand the risks and challenges; while we are increasingly surrounded by technology, that daily use does not necessarily translate into a more informed and secure user.
Areas to watch in 2021
Because of COVID-19—a dramatic shift in our attention to addressing, and surviving, a global pandemic—many cyber and privacy initiatives that we anticipated receiving attention in 2020 were, understandably, pushed off. But, my largest prediction for 2021: a renewed emphasis on security and privacy, from both a legislative and private sector perspective.
1. States will likely revisit conversations on the creation of more general consumer privacy legislation, following the California model.
Heading into 2020, many states were considering legislation that was closely modeled after the CCPA. However, when the pandemic began to surge, these conversations halted to focus legislative attention on more pressing matters. And, while there were certain federal proposals directly related to COVID-19 privacy concerns (i.e., the Public Health Emergency Privacy Act (PHEPA) and the COVID-19 Consumer Data Protection Act (CCDPA)), most of the states remained relatively silent on the topic of a privacy law in 2020, with California being the exception in its passage of Ballot Initiative 24, the California Privacy Rights Act (CPRA).
If the global pandemic is able to come under control with a vaccine, state legislatures will likely return to their conversations regarding the consideration and adoption of general consumer privacy laws. In fact, we have already seen attention shifting back to this topic in New York, where Senator Kevin Thomas introduced a new privacy bill, the New York Privacy Act, in September 2020. This trend will likely only continue, with more and more states revisiting their 2019 conversations regarding consumer privacy and looking closely at the California model now that it has been in effect for a number of months.
2. International data transfers will be trickier in the coming year (and years).
The combination of an increasingly global economy with an acceleration in the creation of data within that economy is putting pressure on the regionalized structure of many cyber and privacy laws. This is highlighted by the laws, and restrictions, around international data transfers. The laws see borders, but the internet and data have no borders.
Within these tensions, in 2020, the European Court of Justice (ECJ) released its much anticipated decision, Schrems II, invalidating the EU-US Privacy Shield. The EU-US Privacy Shield, which replaced the U.S. Safe Harbor Provisions, was a mechanism for U.S. companies to lawfully transfer data from Europe to the United States. Its invalidation sent many companies scrambling to determine other lawful ways to continue to transfer data from the EU to the U.S.
In that same decision, the ECJ upheld the continued use of Standard Contractual Clauses as a mechanism to transfer data internationally. However, it recognized that in certain circumstances, the use of “supplemental measures” would be necessary to ensure that personal data was adequately protected in the receiving country.
This saga has created uncertainty, and additional layers of complication, in the continued transfer of personal data internationally. Many companies are considering options, such as keeping data in-country, if possible. But, the practical implications of this decision will be felt well into 2021, and likely beyond.
The European Data Protection Board (EDPB), which oversees the application of the GDPR within Europe, did release its initial Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. These recommendations lay out a number of factors to be taken into consideration for the continued international transfer of data. But companies will need to assess their current network infrastructures to determine how best to limit the risk in what, up until now, has been a free flow of data across the enterprise. And 2021 will be the year of mapping that entire environment, and acknowledging that while the internet has no borders, our laws do.
3. Biometrics will play an increasingly important role in the privacy conversation, especially in light of the COVID-19 pandemic.
In the past few years, there has been a recognition of the increasing risk in the collection and use of biometric data, such as facial recognition and fingerprints. But, at the same time, businesses are starting to use biometrics, especially in the employee context, to confirm identities and authenticate users.
In the U.S., Illinois is one of the primary jurisdictions focused on this issue, with the Illinois Biometric Information Privacy Act (BIPA). In 2020, the 7th Circuit continued to address key issues related to BIPA, including standing to bring claims and liability, especially of employers, in collecting and using biometric data.
This trend in focusing more on biometric data is only going to increase in 2021 as many businesses look to innovative monitoring and scanning technologies to address COVID-19 risks. For example, when fans attend sports games in the future, they may be required to submit to the use of facial recognition and body scanning technologies in order to come inside a stadium. The United States Department of Labor Occupational Safety and Health Administration (OSHA) provided revised guidance that expressly recommended that companies balance the need to inquire into the health of employees with employee privacy concerns. “Employers, especially small employers, should not be expected to undertake extensive medical inquiries, given employee privacy concerns and most employers' lack of expertise in this area.”
So, where does that leave us for 2021? Companies, for both employees and the public, need to be cautious consumers of the new technology on the market to address pandemic concerns. Yes, it is valid to provide a safe and secure workplace and business environment. However, those safety concerns need to be balanced with privacy concerns. When designing your company’s approach to bringing people back to the business, design that approach with privacy in mind. Key questions to ask are:
- Do I actually need this data?
- How long do I need to retain the data?
- Does this data need to remain identifiable? Or can it be anonymized?
Ultimately, designing solutions to the pandemic provides an opportunity for businesses to incorporate the concepts of privacy engineering and privacy by design and default into their processes. These are core data protection measures that can help address regulatory compliance concerns, while also minimizing risks to the organization.
Preparing for 2021
The digital world is heading into an explosive year, where both the private and public sectors will need to continue to collaborate to combat increasing cybersecurity concerns and to figure out a path forward for data privacy. As data continues to reign supreme in businesses across industries and the globe, those businesses need to embrace the need to understand their data, understand their legal and contractual obligations, and take proactive measures to address the collection and processing of data.
Data security and privacy should be top of mind in strategic planning for 2021. Long gone are the days when this could be considered solely a technical problem. Data flows throughout all business units, and technology is used to support an increasing number of business functions. With the growing prominence of data protection and security laws, and the use of contractual provisions to shift security and privacy obligations between companies, strategic decisions around security and privacy are pivotal to creating businesses that can withstand the challenges and threats that will come in 2021.
* * * * * *
Nothing contained in this article should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.