The pandemic created some interesting challenges for security professionals, including an increase in assaults in retail spaces, more virtual data collection for investigations, and the necessity of remote interviewing for investigations. With all those challenges come potential privacy issues.

Security spoke with several seasoned security professionals in different sectors to find out the current challenges and impact of COVID-19 on investigations, along with privacy best practices.

Nurturing Healthy Internal Relationships

Because his team works with other departments on certain types of investigations, developing sound relationships within the organization is the backbone of the security program, says Michael A. Skoglund, Senior Vice President and Senior Director of Physical Security and Safety at Black Knight. “We partner on a regular basis with our information security office on any investigations of internal or external threats where there is either that potential overlap or where we may run in parallel,” Skoglund explains. The team also works with human resources on workplace violence investigations and partners with compliance and legal on policy or standards violations.

Building those internal relationships is key for Skoglund when it comes to approaching privacy issues as well. “We’re the subject matter experts in conducting those investigations that fall within corporate security,” he says. “However, we’re definitely not the subject matter experts when it comes to human resources, to legal, to compliance. That’s where you’ve got to have those strong relationships. They’re vital to ensuring privacy with all our investigations.”

Black Knight had a slight decrease in investigations during the second quarter of 2020, but there has been about a 60% increase since that time. Since there are minimal employees on campus for now — Skoglund is one of the very few who doesn’t work from home — there has been a shift away from typical incident investigations, such as tripped alarms. Instead, Skoglund reports an uptick in damaged property, suspicious persons and equipment-related incidents. He attributes the equipment issues to less on-site maintenance and the rest to empty campuses attracting nefarious activity.

Thanks to the pandemic, Skoglund says there have been more remote interviews for investigations. “While it’s convenient, it certainly presents unique challenges,” he says. The biggest one is the issue of collecting data remotely during these interviews while ensuring that privacy requirements are still being met.

The prioritization of investigations has also changed, mostly due to the shift to remote work. “Where we may normally be able to dispatch someone to a physical location as a piece of that continued investigation, we’ve now had to shift that to remote, so that’s created some different challenges,” Skoglund adds.

Then there’s the question of whether or not working from home will be permanent. Skoglund emphasizes how critical it is that security leaders assume this is the new normal. “At this point, we have to adapt immediately to ensure the success of security and business operations. And that's been a big message with my team, that we have to continue business as usual, understanding that a large percentage of the workforce will continue to be from home and we have unknown dates for return-to-campus populations,” he says.

In 2021, the loss prevention department of Associated Grocers of New England, Inc., moved under the umbrella of risk management. Because risk management also includes environmental health services/safety, “the nature and scope of our investigations have increased dramatically,” says Jim Gaudet, CPP, Loss Prevention Assistant Manager. The types of investigations the team pursues include workplace violence, theft, worker compensation claims and the company’s commercial drivers’ accidents and violations.

Investigations increased at the height of the pandemic, especially when everyone was wearing masks in stores, making suspect identification difficult. There was also an increase in equipment accidents and minor injuries during that time because the warehouse associates were working to make sure the 635+ New England stores were getting groceries. “Coupled with the challenges of recruitment, they were simply very tired,” Gaudet explains.

In privacy matters, Gaudet’s team has always employed a strict “need to know” basis for investigations. For instance, if an employee has protective orders issued, Gaudet’s team needs to know, but not everyone in that employee’s department does. “We take care to make sure that the ‘need to know’ list gets only the information needed for their job,” he says. This applies to the company’s substance abuse and testing policy too. “I may have access to results and data, but that is sensitive information that not even our security team sees.”

Balancing Protection and Privacy

As Chief of Police at Parkview Health in northeastern Indiana, Thomas Rhoades says they handle almost every kind of investigation that a municipal agency would, such as drug diversion, battery, theft and criminal mischief. “Our mission isn’t to reduce crime throughout our communities. It’s to create that safe and secure environment of care within our facilities for our patients and our coworkers,” he says. “That’s really our measuring stick when we look at what investigations we may or may not get involved in.”

Rhoades says there had been a decline in criminal activity and workplace violence incidents on Parkview campuses even before the pandemic started. He associates the decrease partly with the visitor restrictions put into place during the pandemic. Mostly, he chalks it up to incorporating the police department across the health system as they’ve expanded. He believes the visibility of police cars on campus and officers throughout the buildings have been deterrents.

Although the number of workplace violence incidents has decreased, Rhoades says the severity of the cases they do have seems to have increased. He thinks this is likely due to pandemic circumstances — people with heightened emotions, losing their jobs or loved ones, or unable to be there when a loved one passes away. “The need for our officers is greater than it ever has been. We try to balance the need to provide a safe and secure environment of care, but we also have to factor in what our families and our patients are going through and try to make the right decision with the right outcome in these situations. We do try to extend grace to our patients and their family members when we can do so,” Rhoades says.

Since there are minimal employees in person, there has been a shift away from the typical incident investigations, such as tripped alarms, to an uptick in damaged property, suspicious persons and equipment-related incidents.

Privacy is clearly a critical issue in the healthcare sector, especially under the Health Insurance Portability and Accountability Act (HIPAA). Rhoades says the balance between privacy and law enforcement is delicate and calls for officers who can make good decisions based on the information that’s available. “The need to protect and the expectations of privacy come in conflict with each other, so our officers really have to balance that,” he says.

Deciding on the most appropriate response for each situation can be difficult, Rhoades says. The main rule of thumb in this environment is to evaluate whether or not the person’s actions are jeopardizing the safety and security of others. If not, “we really don’t need to step into that policing role; we stay more in our public safety role. If we can get someone home and not have to resort to a law enforcement action, then we feel like that’s a win,” he says.

Best Practices

Here are a few best practices security leaders can use to keep their investigations’ programs thriving and their organizational value high:

1. Only collect the data necessary for the investigation. “Ensure questions and data collection are permitted by your organization, and only share information with those who have a true need to know,” advises Skoglund.
2. Let people know that they’re under surveillance with signage. “I’m a state magistrate and judge. Outside my courts, we make it crystal clear with signs that the premises are being monitored by audio and video,” says Kevin Madison, PCI, Consultant, Expert Witness and Consulting, LLC.
3. Keep sensitive files secure. Gaudet’s team doesn’t do company-wide data exports into their software system, and they limit access to a handful of employees. They also securely store health information separately from other employee files.
4. Establish relationships with key stakeholders within your organization to ensure that you’re approaching privacy issues correctly and to pinpoint how you can add value for them. “You have to be seen as a trusted partner within the organization,” Skoglund shares.
5. Monitor cameras, whether with a person or artificial intelligence. “If you have cameras up, they need to be working, they need to be adequate and they need to be monitored,” Madison says.
6. Use secure databases and reporting tools and secure the purging of specific data. “You want to ensure that the way you're storing information is just as protected as if you have to go in and purge or destroy information,” Skoglund says.
7. Don’t dismiss “old school” techniques. Gaudet says his team checks copiers and clears their desks of sensitive information before they leave. They also vacuum the office themselves, so the contract cleaners aren’t coming in. Their office doesn’t have a sidelight, ensuring that you have to actually be in the office to see camera views to protect privacy.