The COVID-19 pandemic has forced companies to restructure many areas of operation, including their approach to cybersecurity and data privacy. The spotlight has been placed on healthcare data and how it can and should be used to combat the spread of the virus. As security and privacy professionals, our attention is honed in on the debate surrounding contact tracing and the collection of COVID-19 health data because it will set a precedent for data collection and impact future privacy laws.

In response to the global pandemic, a group of senators introduced the COVID-19 Consumer Data Protection Act, which would regulate the collection and use of personal data amid the current coronavirus crisis. Now, months after it was introduced, the COVID-19 Consumer Data Protection Act doesn’t stand alone as a piece of privacy legislation—it was followed by the Public Health Emergency Privacy Act and the Exposure Notification Privacy Act. Although each aims to tackle the issue of data privacy in a slightly different way, all three mark an important shift in perspectives and have the potential to reshape the United States’ standard for how to handle and share data during a national health crisis. 

Below are four aspects that security and privacy professionals need to consider to ensure the balance of privacy and safety in data regulations.

1. Recognize the Implications of Newly Introduced Privacy Legislation

The COVID-19 Consumer Data Protection Act kicked off a nationwide discussion around the significant privacy risks and repercussions of COVID-19 response technology (e.g. contact tracing apps). The proposed bill, along with other proposed privacy legislation, indicates the need for an in-depth awareness of how data is shared and protected. With that knowledge as a foundation, a standard model of data security can be established – one that holds organizations accountable for the highest level of data protection.

Currently, many organizations follow the National Institute of Standards and Technology (NIST) Privacy Framework, which helps organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. The Framework was modeled after the NIST Cybersecurity Framework to provide guidance on managing privacy risk among different roles, establishing and improving privacy programs, and strengthening organizational accountability. Whether the Framework is used in all or some of those ways, it is ultimately designed to be flexible and to complement existing business operations. It provides a clear example of best practices and guidelines when it comes to data privacy and should be referenced when building future privacy legislation.

2. Understand Data Sharing Limits

The United States faces a significant challenge when it comes to protecting the data collected through contact tracing, one that the COVID-19 Consumer Data Protection Act aims to address. Gathering and sharing virus information – on age, comorbidity, location – is essential to effectively combat the virus. Without this information, tracking the spread of the virus and its effects is impossible. However, there are limits to what data needs to be shared and who should have access to it, especially when it comes to Personal Identifiable Information (PII).

Both manual or app-based contact tracing methods have their challenges. For manual contact tracing, it’s an issue of manpower. One report by John Hopkins states that an additional 100,000 employees would be needed to make manual contact tracing efforts effective across the United States. In short, it’s not the most practical solution.

When discussing app-based contact tracing, one must consider the individual’s agency over their own data. As outlined by the COVID-19 Data Protection Act, contact tracing technology requires voluntary participation. The effectiveness of contact tracing technology rests on this main point – if a critical mass of individuals don’t opt into these apps, they lose effectiveness. The key will be to find a balance between protecting a patient's health and maintaining their privacy—while also protecting the health of the larger population.

It’s important to note that when it comes to contact tracing technology, there is still a lot to be done in terms of putting security measures in place to prevent information from being mapped back to an individual. These include: anonymizing data upon collection, protecting individuals’ phones from access through contact tracing apps, and preventing the data (once collected) from being shared and used outside of its intended purpose.

3. Invest in Adaptable Security Solutions

With today’s environment rapidly evolving, the privacy and security industry has the responsibility to adapt to meet the demands of data sharing in a timely, effective and secure manner.  A challenging aspect of privacy legislation is ensuring that the policies enacted during this pandemic don’t outlast their necessity or work against existing privacy laws. For example, the COVID-19 Consumer Data Protection Act restricts data usage to within the declared COVID-19 public health emergency time period.

Although proposed legislation has time frame limits, it’s crucial that the security solutions implemented now are set up to combat security risks past the pandemic. As previously discussed, future legislation needs to work hand-in-hand with guidelines like the NIST framework in order for organizations to successfully and completely protect individuals’ privacy.

4. Prepare for Change

It’s easy to identify the benefits of healthcare data sharing for the purposes of handling a pandemic. The issue lies in balancing the benefits with potential detriments. The industry should prepare for the new challenges that contact tracing technology and its successors will present. If legislation like the COVID-19 Consumer Data Protection Act comes into effect, privacy and security professionals will need to educate themselves on the vulnerabilities of technologies introduced during the pandemic, as well as their responsibility to their customers in handling their data in the new environment.

The current circumstances of the pandemic demand a reaffirmation of the importance of data privacy, but also a rethinking of the ways we share data. Companies should evaluate their data storage methods and identify the ways their current structure may be affected by increased data sharing. By reassessing how, where, and what data is collected, companies can prepare for an uncertain future. Security and privacy professionals can also position their companies strategically by investing in security programs that address security needs as they evolve.

When it comes to proposed privacy legislation the stakes are high but the need is great and pressing. As a nation, we need to think carefully, and collectively arrive at a solution that strikes the important balance of protecting civil liberties and containing the spread of the virus.