Businesses and corporate legal departments may not have to dramatically inflate their privacy spend in order to account for the impact that COVID-19 has had on employee data, but chances are businesses won’t be able to reallocate that money to help soften the blow of diminished revenues either.
Case in point, an FTI Consulting report published earlier this week indicated that 97% of the 500 U.S. business leaders surveyed would be increasing their spend on data privacy over the next 12 months, with an average budget increase of 50%. But how organizations may or may not have to adjust that spending to address privacy challenges emerging around remote working and employee health information is unclear.
Tomu Johnson, of counsel at Parsons Behle & Latimer, said he has noticed an uptick in privacy-related concerns over the last two weeks. Issues related to Zoom security were of particular concern early in the pandemic as businesses shifted in earnest toward remote working. But with remote technologies remaining firmly in place even as states begin to lift shutdown measures, privacy-related concerns are unlikely to recede any time soon.
“Overall, I think privacy remains one of the top issues for in-house counsel. Despite limited legal budget, it seems companies are carving out money to address privacy,” Johnson said.
Issues underscoring the need for data privacy may become even more pronounced as companies begin implementing steps geared toward safely returning employees to the office. The U.S. Equal Employment Opportunity Commission, for example, issued updated guidance on pandemic preparedness in March, indicating that while a business may check an employee’s temperature to determine if they have a fever, that information is subject to confidentiality requirements under the Americans with Disabilities Act.
Compounding the tension around the way such information is handled may be other employees who feel they have a right to know if someone else from the office may be sick. Susanna McDonald, chief legal officer at the Association of Corporate Counsel, believes those concerns may play an element in some of the employee protection cases or suits arising from COVID-19.
For corporate legal departments and their companies, managing such risk could necessitate a tightrope walk between worker privacy and worker health. ”It’s a new game. That’s kind of uncharted territory,” McDonald said.
To help bridge the divide, she believes that companies may invest some of their privacy budget in technology-based solutions that can help to identify potentially ill employees and provide notifications to other workers without jeopardizing their identity. But if companies are spending money on tools like that one, will other aspects of privacy compliance take a hit in spending? McDonald speculated that some companies may opt to delay obtaining accreditations such as the EU’s Binding Corporate Rules certification, which is among the highest global standards for data privacy compliance.
“There is nothing off the table at those companies looking at where they are going to be spending their money and what they are not going to be spending their money on,” she said.
Those sorts of deliberations may hold especially true for new privacy regulations such as the California Consumer Protection Act (CCPA). Hilary Wandall, senior vice president of privacy intelligence and general counsel at TrustArc, said many of their clients are not changing their privacy spending and are continuing onward with projects as originally planned. However, since many businesses are still unsure what CCPA enforcement will look like when it begins in July, they may be hesitant to push too much money in the direction of compliance.
“There may be a little bit of a wait and see happening there,” Wandall said.