In the wake of stay-at-home orders stemming from the COVID-19 pandemic, companies have rushed to provide work-from-home options for many, if not all, of their employees. As exigency fades into the new normal, however, the California Attorney General and New York’s Department of Financial Services (NYDFS) – two key privacy and security regulators – have indicated that COVID-19 does not give businesses an exception from compliance and will not delay enforcement activity. As such, businesses cannot lose sight of their privacy and security compliance programs and should reassess these programs in light of changes that have occurred while transitioning to a work-from-home environment.
NYDFS Has Clearly Stated The Security Rules Still Apply
On April 13, 2020, NYDFS issued guidance to all regulated entities regarding cybersecurity awareness during the COVID-19 pandemic. The guidance recognizes that companies are facing new challenges stemming from the pandemic. However, it then notes that these challenges create heightened cybersecurity risks in seven key areas: (1) maintaining secure connections for remote workers; (2) properly securing company-issued devices; (3) expanded bring-your-own-device (BYOD) policies; (4) securing methods of remote work communications; (5) data loss prevention; (6) increased phishing and fraud; and (7) risks stemming from third-party vendors.
Instead of relaxing any regulations so that businesses can have breathing room to address these challenges, NYDFS specifically reminds businesses that the regulations require them to “assess the risks” and “address them appropriately.”[1] Importantly, there is no change to the timing for reporting a cybersecurity event: they still “must be reported to DFS as promptly as possible and within 72 hours at the latest.”
Attorney General Becerra’s Silence Speaks Volumes
COVID-19 has not paused enforcement for the California Consumer Privacy Act (CCPA). Plaintiffs are bringing CCPA claims, Attorney General Becerra has issued revised regulations and accepted public comments, and AG Becerra has given no indication that the July 1, 2020 regulatory enforcement date will be delayed due to COVID-19.
Key Questions For Businesses In Light Of The New Normal
Given the clear signals that these regulations still apply, even in this work-from-home world, companies should take the time to ask themselves the following questions:
- Have we updated our risk assessments based on the new work-from-home normal and addressed any gaps?
NYDFS has given a laundry list of at least seven areas of increased risk stemming from COVID-19 and then expressly instructed businesses to assess these risks. Consider beginning with this list and then double-checking your work-from-home systems for any additional areas of increased risk particular to your business.
- Have we added new vendors or service providers as part of rolling out a work-from-home solution?
Companies suddenly forced to create a work-from-home solution have begun using new vendors or service providers as part of their processes. However, NYDFS’ guidance specifically calls out the need to still assess vendor security, and CCPA compliance involves understanding how data is shared with third parties and service providers. For any new vendors, you should consider how they fit into your existing CCPA compliance plans and whether any process changes are needed to accommodate new data flows in the work-from-home environment. You should also consider revisiting your vendor security policies to make sure all new vendors satisfy your requirements.
- Is our incident response plan still able to work in a 72-hour period?
The NYDFS guidance can be read as a warning that it will not give grace to businesses that fail to meet the 72-hour reporting deadline. However, incident response plans are likely predicated on assumptions that certain people would be in the office or able to travel quickly to certain locations. This may no longer be the case as offices are shuttered and public transportation has significantly reduced service in some areas. Thus, in a work-from-home world, it may simply take longer to follow the steps in your incident response plan, particularly if certain systems or programs cannot be accessed remotely. Consider running a tabletop exercise under work-from-home conditions to see whether you could still give notice to NYDFS or other regulators within the 72-hour window.
[1] The only relief NYDFS is giving businesses at this time is a six-week extension of the deadline for filing a Certificate of Compliance for 2019.