On Tuesday, the Better Business Bureau (BBB) alerted employers about cybersecurity issues associated with COVID-19 contact-tracing solutions.
In a press release, the BBB said interest in COVID-19 monitoring is growing as employers grapple with appropriate measures to keep employees and customers safe and avoid workplace outbreaks.
The BBB said tracking and contact-tracing solutions are being considered and implemented throughout the country to help contain the spread of the coronavirus. High-tech solutions include smartphone applications that employees can download, which will track and store proximity data or use other means to determine location. If a user is diagnosed with COVID-19, data collected by the smartphone app can be used to trigger notifications to other employees and outsiders who have crossed paths within six feet with the infected person.
According to the BBB, while tracing apps are sophisticated and not all employers want or need such technology, businesses are being encouraged to find simple ways to monitor and track employee health and workplace exposure. For instance, some employers are mandating employees to use a no-touch digital thermometer and fill out a symptom questionnaire every day before entering the office. The resulting employee data may go to a central repository, typically accessed by a Human Resources representative. Small businesses or professional offices that are able to log information about individual customers may be expanding symptom monitoring to include customers as well.
As procedures and technology to track COVID-19 and trace contacts advance the BBB said privacy and security issues loom. It is the employer’s responsibility to understand how all employee data that is collected by any means will be protected, stored, used, and disposed of.
The BBB said it encourages employers to think about privacy and cybersecurity questions their employees may have, including:
- What information do employees receive upfront about tracking or contract-tracing?
- What information do employees receive in connection with a suspected exposure?
- How is the data stored securely and for how long?
- If using a mobile phone tracer app, what permissions does it need and why?
- Who has access to the collected data?
- How is the data used to inform community-wide health decisions?
While it is legal for employers to mandate their employees get tested for COVID-19 before returning to work, take daily temperatures, and participate in contact-tracing solutions, the BBB said companies need to tread carefully when documenting and storing personal health information. Legal experts warn that asking employees to disclose health information, especially if they are asymptomatic, could be challenged and open the company up to legal liability.
Other considerations agreed upon by BBB and consumer protection agencies include:
- Using anonymous, aggregate location data for public health purposes to sidestep many of the privacy concerns related to tracking individuals’ location. For example, if a consumer has granted you permission to use their location data, nothing would prohibit you from disclosing a heat map of average distances travelled for public health purposes.
- If you tell consumers you’re collecting, analyzing, using, or sharing information for emergency public health purposes, only use it for those purposes, and delete the data when the need is over. This idea of “purpose limitation” or “use limitation” has been a standard tenet of privacy norms over the years
- There are many engineering tools that can preserve consumer privacy while getting the data you need to combat the coronavirus. For instance, researchers have developed decentralized protocols that allow users to voluntarily share encrypted data directly with epidemiologists.
To be successful, the BBB said employers should educate their employees about any tracking and contact-tracing solutions they put in place, including how notifications look, what questions they will be asked, and how the information will be used. This is critical to not only assess data-privacy issues and concerns but to prevent employees from being conned by fake contact tracer scams that have recently been reported to BBB.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.