How The Pandemic Intensified GCs’ Privacy Focus
No one wants to fall prey to scammers and hackers because of a vulnerable home computer, but the need to keep your data private takes on a whole new wrinkle when you’re handling sensitive client information.
During the pandemic, as aspects of our professional and personal lives moved online, privacy concerns grew more acute.
A recent panel titled “How COVID-19 has Changed Data Privacy” examined these concerns and the efforts to address them. The panel was part of the Data Privacy Day, organized by the National Cyber Security Alliance, and attended by Paragon Legal.
Panelist Lindsey Schultz, privacy counsel at Visa, described her company’s thinking when reality began to sink in — employees would be working from home for a long time.
“We started looking at all these processes that [transfer] personal information,” she said. “Normally, we feel relatively protected because we’re doing certain things in the office.”
Of course, that changed. Call centers were a perfect example. “We were testing our VPN capacity and all of our protocols,” Schultz said.
The collection of employee health information while monitoring for the coronavirus was another sticky problem. Normally, such data wouldn’t be collected at all. “And so we did that balancing test to collect a minimal amount of information to protect our fellow employees, but not so much that [it would] make anyone uncomfortable.”
Visa is still doing that balancing act, Schultz said, now that employees can be vaccinated. The company also needs to consider a method for contact tracing when employees return to the office.
On the consumer side, Visa wanted to make sure people felt comfortable using their cards. To that end, the company “aggregated data to make sure that we could support better contactless payments and support moves to more digital spending in digital environments,” Schultz said.
An Alert Public
Perhaps because of increased digital activity, not to mention news stories about data breaches, the public is becoming “more aware of privacy issues and more educated about what those issues are,” according to panelist Brian Philbrook, lead privacy counsel at OneTrust, a platform for privacy, security, and governance programs.
He said that privacy officers have seen a significant uptick in data-subject requests:“Requests for deletion, requests for access to their data, to opt out, all of those different things. . . . I think people are starting to ask the right questions.”
The surge in online learning has also led to more requests and questions concerning data. People indifferent to their own data may become fiercely protective of their children.
Philbrook cited an article published by the International Association of Privacy Professionals (IAPP) about the civil liberties and privacy officer at the National Security Agency. Her child’s school asked for consent to record classes for operational purposes that struck her as overly broad, so she started a conversation about potential issues. This led to policy changes regarding the making and retention of the recordings.
“Obviously this was uncharted territory for the teachers, so they hadn’t even considered privacy implications,” Philbrook said. “And I think that’s kind of where we’re at now. People have gotten used to thinking about some of these things. . . . It’s an opportunity to hash things out, learn from them, and kind of grow with that.”
And while data privacy has been a concern for some time, it seems to be spreading throughout a given business. Philbrook said his company might hear from marketing, human resources, business development, research and development, “really across the board.”
His fellow panelist concurred: “One of the key things to come out of COVID-19 is that privacy is definitely winning,” said Melanie Ensign, founder and CEO of Discernible Inc., a communications consultancy dedicated to security, privacy, and risk issues.
She noted that companies need to be mindful of the fact that when they talk about consumer privacy, they are talking about safety, and consumers are not a monolithic group. A lot of companies struggle to do the most good for the most people without hurting the most vulnerable. Some people have been pushing back.
“We are seeing increased scrutiny and expectations from consumers when [they’re told] they need to compromise privacy in order to increase safety. There is a broader movement to call out ‘safety theatre,’” Ensign said.
An ‘Unhealthy’ Data Appetite
These days, she added, when a company or public entity asks people to compromise their privacy for the sake of safety, they want to know exactly how the data is going to accomplish that.
Institutions still have “a really unhealthy appetite for data,” Ensign said, without a clear case for how that data is going to be used and protected.
For example, during the pandemic governments have mandated that companies participate in contact-tracing programs.
“So those of us who sit in the middle of privacy and safety are faced with this decision,” Ensign said. “Do we go along with what the government is mandating from a public-safety perspective, even though we know it is compromising the privacy of every single one of our users? I found it very encouraging to see more and more privacy as well as safety professionals respectfully push back and try to engage with those government agencies to say, ‘We’ve got to find a middle ground.’”
Ensign described the worst case scenario — if all that data were shared with a well-intentioned government agency and the data were compromised, the company would take the hit to consumer trust because the company collected the data. She said the conversation must hinge on intellectual honesty regarding how and for what purpose the data is going to be used.
Many technologies put in place to track people, either online or in the physical world, don’t necessarily offer more safety, Ensign continued. “And there’s pressure in some industries to provide ‘safety theater’ rather than being honest about whether or not people are actually safer as a result of those privacy-invasive technologies.”
Christopher Harrell, a panelist and the chief technology officer of Yubico, a Swedish and American company that makes authentication and encryption devices and software, described these data grabs as a “knee-jerk reaction” to a dangerous situation.
“I think many countries have even declared states of emergency or words similar to that in order to create mandates or additional powers,” he said.
On the positive side, the situation has stirred examination of privacy in the context of human rights and led to “great writing recently about how COVID has these kinds of trade-offs,” Harrell said. Discussions often centered on the necessity of the gathering and storage of data and the need to ensure they are “only used for the purposes for which they’re collected.”
Harrell characterized a lot of this work as “done last minute,” and he thinks the technology side has yet to catch up with the policy side. In other words, while policy people have responded to growing public awareness of the importance of data privacy, the tools are not yet adequate to the task.
“And I hope we can catch up on that. And I think the consumers are definitely interested, but they’re also scared,” Harrell said.
“People are really tired of paper promises and privacy policies and similar documents,” Ensign said. “They are not convincing to consumers. So I think we’re going to see a lot more investment in technical integrity and development from government agencies the next time they try to take something up of this magnitude.”
Schultz reported that consumers are a lot more focused on Visa’s responsibilities “as a large company with such a large network” to empower them to safeguard themselves. Part of that has been asking to see the data collected about them.
As we ease out of the pandemic crisis, “this dichotomy of safety and privacy is going to be a continued conversation,” Philbrook said. While the European Union already has the “most comprehensive set of privacy laws in the world,” the United States has lagged. Good things have been happening on the state level, but Philbrook thinks the patchwork of laws “could eventually get unbearable to the point where a federal law is necessary.
“So I’m expecting that, and then I would expect much more litigation around the right to privacy and what the boundaries are — what that balance is — in today’s connected world.”