This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

One size fits one

By Nicole Tyau | Mar. 31, 2020


Newmeyer Dillion takes a bespoke approach to coronavirus-related cybersecurity concerns.

Under normal circumstances, employers aren't supposed to ask their employees for health information, but during the coronavirus pandemic, employers must gather vital information to keep their workforce safe. Newmeyer Dillion's coronavirus task force is making sure they do so while remaining compliant with the California Consumer Privacy Act.

"My rule of thumb ... is that even if you are collecting, you need to still keep it as private as you can," said head of cybersecurity and privacy law Jeff Dennis. "If we had an employee, for instance, in our firm who we know had coronavirus, I would counsel Paul [Tetzloff] as our managing partner that we need to alert the people that may have come in contact with this individual without ever putting their name out there. You can protect a person's privacy while still protecting your other employees if you handle it correctly."

Dennis said their team went back to all the clients they worked with on the privacy act to tell them to update their employee disclosures if they're going to ask about medical history. Beyond disclosures a company provides internally, Dennis also warned about the risk of cybersecurity and data privacy breaches with employees working at home.

"Under the CCPA, companies must protect consumer personal information using any reasonable security," Dennis said. "What 'reasonable security' means is a little bit amorphous right now, but it's very easy to see that with your workforce at home there are now potentially huge gaps, which open up in your cybersecurity framework."

The firm's Las Vegas managing partner, J. Nathan Owens, said the increased breach possibility comes when computers outside a company's network take on sensitive data, and the same computers are then used, for example, by kids doing their homework.

"The data on that desktop is now exposed outside of a [virtual private network] and that could create real problems, which then lead to a breach, which then require the company to immediately report to the government under whatever reporting obligations they have," Owens said. "In my mind, the businesses really need to make sure they're reminding their employees of some of these critical things that perhaps they aren't normally accustomed to dealing with."

Even when companies follow all the precautions, Dennis said, it's important to have cyber insurance beyond commercial general liability coverage. Otherwise, it could end up sinking the business if something went horribly wrong.

"A standalone cyber policy is of the utmost importance, not only as your first line of protection against a breach because you need to have great data security in place to protect your data, but it is a great safety net just in case the worst happens," Dennis said. "You've got something to fall back on. Make sure that a significant cyber event doesn't put your company out of business."

Owens said his approach when working with clients has been to avoid "knee-jerk reactions." Though it's too late to add coverage to address the current situation, clients are sending the team insurance policies on a daily basis to evaluate the current coverage and what businesses must disclose to insurance providers and regulatory agencies should the need arise, he said.

"The reporting obligations are so important, not just from a CCPA standpoint, but from an insurance standpoint," Owens said. "There are going to be reporting obligations, and if businesses are thinking I'll deal with that later, they can be losing out on the opportunity to get coverage for business losses."

Avoiding breaches ultimately comes down to basics, such as training and IT preparation, Dennis said. He's advising clients to make sure employees use secure passwords, set them up with virtual private networks, update their computers' software and, most importantly, train their workforce to recognize possible breaches.

"You've got to step up your training game," Dennis said. "All companies need to make sure that they are training their people even if they've done it a dozen times before. It's even more important now because the statistics all show that cyber crime is going up dramatically."

Dennis said that although these are all guidelines companies should be following to keep their cybersecurity up to snuff, every business ultimately has unique needs and different levels of risk when it comes to cybersecurity, which is something his team analyzes heavily when working with clients.

"One of the things that I think makes our practice unique is the amount of time that we really spend getting to know our clients and their business, so that we can shape a unique strategy and a unique approach to deal with their very specific needs," Dennis said. "This is a one size fits one, and if you're looking at it any other way you're missing the big picture."
