The  COVID-19 pandemic poses heightened cybersecurity and data privacy risks  for businesses. With the rapid deployment of remote-working solutions,  malicious actors already are attempting to exploit weaknesses due to  reduced IT staffing and the use of personal devices and insecure public  and home networks. Businesses also are experiencing an uptick in social  engineering schemes aimed at inducing employees to open  coronavirus-related messages infected with malware. Meanwhile, many  businesses are facing data privacy questions regarding the collection  and disclosure of personal information as they monitor the virus's  impact on their organizations.

Animated by these concerns, U.S.  and international authorities are taking action to guard against  possible disruptions to the nation's critical infrastructure and to help  businesses manage the cybersecurity and data privacy risks posed by the  pandemic.


U.S. and  international authorities are warning businesses of increased  cybersecurity threats from actors seeking to exploit the pandemic. They  also have provided guidance on mitigating cybersecurity risks and, in  some instances, imposed reporting obligations on regulated entities.  Examples include:

  • New York Department of Financial Services ("NYDFS"):     
    • On March 10, 2020, NYDFS released an industry letter requiring that "each regulated institution submit a response to DFS  describing the institution's plan of preparedness to manage the risk of  disruption to its services and operations … as soon as possible and in  no event later than thirty (30) days from the date of [the] letter."  Among the issues the plan must address is "[a]n assessment of potential  increased cyber-attacks and fraud." 
    • In a separate industry letter directed to regulated entities engaged in "Virtual Currency Business  Activity," NYDFS specifically underscored "the risk to Virtual Currency  businesses of increased instances of hacking, cybersecurity threats, and  similar events, as bad actors attempt to take advantage of a COVID-19  outbreak, and the possible resulting need for heightened security  measures, such as enhanced triggers for fraudulent trading or withdrawal  behavior."
    • NYDFS has extended the compliance deadline for annual statements certifying compliance  with the Cybersecurity Regulation (23 NYCRR 500) from April 15, 2020, to  June 1, 2020. However, this extension does not alter a company's  72-hour notification obligations of a cybersecurity event. 
  • Cybersecurity and Infrastructure Security Agency ("CISA"): On March 13, 2020, CISA issued an alert urging businesses to adopt a heightened state of cybersecurity as they  transition employees to remote working options. CISA recommended  alerting employees to increased coronavirus-related phishing attempts  and pointed IT professionals to a July 2016 guide to telework security issued by the National Institute of Standards and Technology. 
  • Federal Trade Commission ("FTC"): On March 18, 2020, the FTC issued cybersecurity tips for remote working during the coronavirus outbreak, which urge  individuals to follow their employer's security practices while home,  and provides advice for securing home networks, disposing of sensitive  data securely, and ensuring devices are protected with strong passwords.
  • North American Electric Reliability Corporation ("NERC"): On March 10, 2020, NERC issued an alert,  which required its registered entities to report by March 20, 2020, the  status of their emergency pandemic plans. NERC also recommended that  its registered entities "[a]nticipate and prepare for coronavirus-themed  opportunistic social engineering attacks," to "[t]ake steps to ensure  continued visibility and maintenance of cyber assets in the event of  staffing disruptions … [and to] [e]nsure information and communications  technology resources are appropriate to accommodate increased use of  remote work arrangements consistent with business continuity plans,  without compromising security."
  • Financial Industry Regulatory Authority ("FINRA"): On March 26, 2020, FINRA issued an alert on measures that firms and their associated persons should take to  address the increased vulnerability to cybersecurity attacks and to  protect customer and firm data. While FINRA stated that the alert "does  not create any new legal requirements or change any existing regulatory  obligations," the guidance provides practical measures to mitigate  cybersecurity risks, including by providing employees with secure  connections through virtual-private networks ("VPNs") or multifactor  authentication, and by recommending that associated persons review the  firm's file storage and back-up policies, particularly when accessing  files containing customer personally identifiable information on a  personal device.

Data Privacy

U.S.  and international authorities have issued COVID-19 specific guidance to  assist organizations as they navigate novel data privacy issues.

  • Department of Education ("DOE"): In March 2020, the DOE issued guidance on the Family Educational Rights and Privacy Act ("FERPA") in the form  of "frequently asked questions." The guidance reminds officials that  although FERPA generally requires consent before the disclosure of a  student's personally identifiable information ("PII"), the "health or  safety emergency" exception to prior consent may apply to certain  COVID-19-related scenarios. 
  • Department of Health and Human Services ("HHS"): Effective March 15, 2020, HHS waived  certain penalties and sanctions against covered hospitals for  noncompliance with certain provisions of the HIPAA Privacy Rule,  including the requirement to distribute a notice of privacy practices  and the patient's right to request privacy restrictions.
  • Equal Employment Opportunity Commission ("EEOC"): On March 19, 2020, the EEOC updated a public statement , which clarifies that during the  COVID-19 pandemic, employers may take certain measures that impact  employee privacy, provided that such actions are job-related and  consistent with business necessity. For example, an employer is  authorized to measure employees' body temperatures—an activity that is  typically considered a medical examination. 
  • International Data Protection Authorities:  A number of data protection authorities ("DPAs") in Europe, Latin  America, and the APAC region have provided guidance on issues arising  under applicable data privacy laws. For example, the European Data Protection Board  issued a formal statement on the processing of personal data in the  context of the COVID-19 outbreak, calling on data controllers and  processors to ensure the protection of the personal data of data  subjects while at the same time taking measures to prevent further  spread of the virus.