The Covid-19 outbreak does not excuse companies from taking measures to protect personal and confidential information.
Bloomberg recently reported that the U.S. Health and Human Services Department was hit by a cyber-attack aimed at slowing down the HHS computer systems during its response to the spread of Covid-19. Although no data was compromised, the hack involved the dissemination of false information about how the department was responding to the outbreak, including false reports about a national quarantine.
This should serve as a reminder to businesses that, while the outbreak is a big challenge, other business risks, like cyber security, are still very real and are possibly heightened by the outbreak.
“Businesses should continue to ensure that their computer systems are resistant to cyber threats and that employees’ cyber hygiene is prioritised. This is especially a risk for those businesses that are not used to remote working and relying on such technology, and whose inexperience may lead to them easily falling victim to a phishing attack,” say Priyanka Naidoo and Rosalind Lake from Norton Rose Fulbright, who penned a statement cautioning businesses against allowing the existence of Covid-19 and the extraordinary governmental measures to excuse parties from taking measures to protect personal and confidential information.
Even though POPIA is not yet in force (and therefore there is no need to account formally to the Information Regulator until it is), they say, companies have common law and possibly contractual obligations to secure information and must continue to protect their reputation in these challenging times.
This is especially so when access to personal health information could expose individuals to significant harm. Companies must include cyber risk as part of their Covid-19 response plan and make sure that remote-working employees know what to do in a cyber-emergency.
“Businesses should also ensure that they have appropriate measures in place to respond to a data breach should one occur. This is especially relevant to those businesses whose employees are working remotely. It can be challenging for forensic experts to implement mitigation steps when compromised devices and work stations may be off-site. Businesses are encouraged to speak to their IT teams and forensic experts to determine their response capabilities.”