Astounding privacy risks for the U.S. workforce, related to the COVID-19 pandemic…
In September 2018, Business Integra published a post about the significant changes that had occurred in how and where Americans worked over the previous 10-20 years. Little did we know that those big changes would be far more drastically accelerated just a year later, morphing into the seismic changes that have resulted from the 2019 COVID-19 pandemic.
This shift created an environment filled to the brim with opportunity for nimble problem solvers to answer the needs of humanity with new tech tools, and also for new privacy issues and risks to arise that organizations and individuals need to navigate.
Where we are now
Now, it’s January 2023, and we’re approaching 3 years since the infamous spring of 2020, ‘when the world shut down’ due to the mass spread of that dangerous illness. At this point in time, remote or hybrid work arrangements have affected all Americans at work and at home, whether they telework or not.
Corporate life will never be the same, for better or for worse.
Between 2019 and 2021, the number of people primarily working from home tripled from 5.7% (roughly 9 million people) to 17.9% (27.6 million people). (Source: US Census)
60% want to continue to work from home all or most of the time. (Source: Pew Research Center)
Our lives at home have felt the impacts as well, be it through emergency online education for all ages causing learning loss ripples; or the effects on the real estate market as people look to prioritize home offices but are less tied to the location they need to work from; or through the resulting mental health crisis that many are still working through.
As virtual work opportunities continue to expand, and in many industries effectively become the norm, privacy implications for workers and the companies they support should not be ignored. Distinct from, but intertwined with, cybersecurity concerns, privacy, as defined in the Privacy Act of 1974, covers a gamut of possible issues.
Key risks made possible through a myriad of methods
In the 2018 article, we detailed privacy concerns resulting from the online collaboration tool trends that were emerging at the time. Additional privacy risks that have gained momentum since then include, but are not limited to:
- The exfiltration of corporate data to personal devices
- Video calling capturing the interiors of non-corporate environments
- Recording proprietary conversations without permission or governance
- Overemployment as an Insider Threat
With workers increasingly able to work from anywhere, at any time, the merging of corporate and personal data is a real concern. For workers who only occasionally telework, using personal cell phones or personal computers to complete work activities may be more convenient than using corporately owned or controlled devices within a dedicated, protected, corporate environment.
To support user experience in our post-pandemic environment, technologies that allow users to seamlessly connect via voice and video have proliferated, becoming entirely mainstream, even among school-aged children. This is a solid example of human ingenuity, resilience, nimble development (and yes, capitalism), and there is much to be praised about the solutions developed.
However, as with any positive, of course, there’s a flip side. So, for the sake of this perspective, it’s fair to highlight the risk to both personal and company privacy related to this rapid development.
- Users are able to record conversations or share assets to personal devices without permission, including proprietary information from conferences, webinars, etc.
- Remote workers are now entirely comfortable initiating calls from non-dedicated workspaces, during which there is a risk of capturing (and, in the case of recording, preserving) the images or voices of non-company individuals, including family members or others, some of whom may be minors or may be monitored or recorded without their knowledge or consent.
- More people than you’d think even go so far as to use tech to game the system. A troubling trend that has arisen because of remote work is “overemployment.” Overemployed remote workers hold two or more full-time jobs, keeping the overemployment secret from their employers. Since these employees often use a common tactic of outsourcing their work, the potential for Insider Threats is dramatic. These insider employees share passwords and give uncontrolled network access to their outsider counterparts. To further heighten this risk, these outsiders can be anywhere in the world, including operating from countries that would violate security requirements. These incidents rose by 44% from 2020 to 2022, costing up to $15.38M per incident.
In the U.S., new state privacy laws have taken or will take effect this year in at least 5 states, including California, Virginia, Colorado, Connecticut, and Utah, with at least a dozen more states considering similar actions.
Savvy companies stay apprised of new legislation, stats, trends, and the realistic likelihood of these issues impacting their data privacy and security. They proactively provide workers the necessary equipment to work safely from places other than their dedicated corporate workspace. Security controls that prevent access to company resources on non-corporate equipment must be put in place. Company policies need to explicitly state what equipment is required to be used when teleworking, and they should require the use of secure Virtual Private Networks.
Many video conferencing technologies now provide “blurring” or alternative background options that obscure the individual’s location and others around them and may also include the ability to alert participants when any recording is being taken of a call. Corporate policies should also address whether meetings and calls are to be recorded, and how to notify individuals involved that their image or voice is being preserved, and for how long.
In response to the Insider Threats that are on the rise, leading to unapproved intellectual property disclosure and unauthorized foreign access to systems and data, BI has prioritized a focus area dedicated to preventing the astronomical costs incurred through the negligent behaviors associated with the Insider Threat.
“To serve our customers in cases where the troubling issue of overemployment is suspected, we have developed Insider Threat programs with the ability to actively deter, reduce risk, and minimize the damage of insider threats. We’ve created a risk-based framework, detection methods, and threat reporting assessments to mitigate these threats.”
– Eric Johnson, Senior Vice President, Engineering
The COVID-19 pandemic was something that affected us all. The risks that have arisen also affect us all. We were in it together then – and we’re still in it with you now, as you navigate the ripple effects on your organization’s data privacy.
About the Authors
Michelle Amick Prikhodko, Esq. CIPP/G is an experienced Privacy Professional and attorney with experience in data privacy, law, Certification and Accreditation/Security Authorization and Assessment, and compliance. She is a Certified Information Privacy Professional/Government (CIPP/G) and a licensed attorney in the state of Maryland, experienced with all aspects of privacy compliance. She has served as a Senior Privacy Specialist on Business Integra’s privacy support and compliance program for a key federal client for nearly 8 years.
Breanna Wheeler is a brand storyteller who advocates for users through design, writes to inspire, values people and community, and intentionally chooses to support teams in tech who are dedicated to improving lives. She finds deep satisfaction in bringing design to the strategy table, leading teams to think differently and fostering an environment of entrepreneurial exploration and innovation. She joined the BI team in November 2022 to serve as the Director of Communications and Brand.
Founded in 2001, BI is a Top Secret Cleared, award-winning global provider of information technology, cybersecurity, aeronautic engineering, scientific solutions, and mission support services. We are assessed at Capability Maturity Model Integration (CMMI)® Maturity Level 5 for both Services and Development. To support our customers’ mission success, we hold multiple ISO quality certifications and integrate industry best practices such as Lean Six Sigma and Project Management Institute’s Project Management Body of Knowledge.