How Data Privacy Should Fit Into Your Pandemic Plan
With the outbreak of COVID-19, organizations around the globe are facing disruptions unlike anything many of us have seen in our lifetimes.
Many organizations have had to build and activate their pandemic plans, and in many cases stand up remote workforces virtually overnight, sending potentially millions of Americans into telecommuting roles.
And while these pandemic plans keep organizations functioning, even when faced with “stay-at-home” state mandates, their recommended actions can create unique challenges for businesses that don’t traditionally deal with remote access to networks, data, and information.
Whether you’re granting remote access to your employees or you work with third-party vendors that access your data, now is an opportune time to review your business continuity processes to ensure you’re doing everything you can—and are required to—to keep your customer and employee data safe.
If you haven’t already, here are a few tips to consider regarding data protection when preparing your pandemic plan. These are also excellent practices that should be included in your business continuity management program overall.
Data Protection Recommendations
Balancing customer data protection and convenience is not easy, especially when you’re hard-pressed to give remote employees access to the systems, networks, and data they need to complete their job functions.
So, what are some simple steps you can take now to help ensure you’re meeting basic data privacy standards and not putting your organization at compliance or regulatory risk?
First, educate team members about how important it is to protect all sensitive data, not just for your customers and clients, but also for fellow employees. This could include personally identifiable information, personal health information, financial records, and more.
Make sure they understand how important data protection is—not just as a steward of good business, but because of the potentially devastating financial and reputational impacts a data breach could have on your organization.
Here are a few other recommendations:
Personally Identifiable Information (PII)
- Ensure protection of all personally identifiable information (PII) for all stakeholders
- Don’t collect more information than is necessary
- Ensure only those who need stakeholder PII have access (for example, phone numbers, addresses, emergency contact information, etc.)
- Limit data access to the minimum amount required for each relevant role
Personal Health Data
- In a health emergency, it may seem like a good idea to collect health information from employees through email, Word documents, etc.; however, this is a direct violation of Health Insurance Portability and Accountability Act (HIPAA) rules and regulations.
- Follow your legal department’s guidance
- Partner with your company’s healthcare provider and local health agencies where appropriate
Cyber criminals will take advantage of a pandemic situation if they can.
Ensure your company always follows cybersecurity best practices, including these for employees and third-party vendors who may have access to company data:
- Use multi-factor authentication wherever possible
- Help employees who will work from home create strong passwords on personal routers
- Make sure employees do not use public Wi-Fi
- Consider using a corporate VPN for employees who access company data from remote locations
Good Cyber Hygiene
Whether your team members are working from home because of a global health crisis or it’s part of your routine operational practices, good cyber hygiene can save your organization from a lot of hassle, downtime, and potential fines and penalties.
And don’t forget about your third-party vendors. Outsourcing services to third parties comes with data privacy risks you’ll want to be sure to mitigate. Not sure how or where to begin? Check out our free, on-demand webinar, “Third-Party Risk: How to Expand Business Continuity Practices Beyond Company Walls.”