services: IT Security

On Wednesday, April 29, 2020, BPM Partner Sarah A. Lynn joined KCBS’s Stan Bunger to answer listener’s questions about data privacy, security and storage on an episode of Ask An Expert.

Listen to the radio recording on the KCBS Radio website.

Here is a transcript of the interview:

As we continue to navigate these unprecedented times, KCBS Radio is getting the answers to your questions about the coronavirus pandemic. Every morning at 9:20 a.m. Monday-Friday we're doing an "Ask An Expert" segment with a focus on a different aspect of this situation each day, sponsored by the San Francisco Police Department.

Today we’re looking at privacy and security concerns related to tracking the virus with Sarah Lynn, IT Security Advisor and Partner with BPM, a California-based accounting and consulting firm.

So this area has a lot of people, after the first flush, getting a little nervous. Let me just ask you kind of an entry level question here, which is, is information and health data gathered around something like a public health crisis as secure and as protected by law as our health records would have been three months ago?

Well that's a very interesting question. First and foremost, the HIPAA laws require the data to be held private by the medical offices, the hospitals, etc., and our California Privacy Act that went into effect in January also requires that personal information to be held private.

So those are the requirements by law to keep that data and information private. However, if you share that data outside your doctor’s office or outside the hospital even verbally, you might lose your reasonable expectation of privacy. So, you know, really be careful where you share data; even applications that you might want to fill out questionnaires that are asking you about your symptoms: be very careful that those applications or apps on your mobile phone or Facebook apps also already have agreements and privacy regulations in place. If they don't, don't use them.

And this came up in one of our employment Ask an Expert segments a couple of days ago so I'll repose it here. And that had to do with a questioner who said, if I need to take time off work because I have COVID-19, that gets me some government assistance. But does it also potentially expose me to a problem now that my employer knows I've been sick?

Well, we've had a lot of people that have asked that question. And the real answer is there should not be any HR ramifications for you taking off PTO, especially by law here in California, because you have COVID-19 symptoms or, in fact, that you have COVID-19. Neither one should have implications.

If you decide to take PTO and your employer has offered additional PTO for no particular reason – just because that's their culture right now, they want to extend additional PTO – then you can do that very privately. You don't have to tell anybody why you're taking the PTO, but then, in fact, you can take some PTO for just rest.

And there was another one that came up, I’ll drag that one back out too – and that had to do with health insurance. Is this going to be a problem for me in keeping or getting new health insurance if it's known that I have or had COVID-19?

Well, that's a question for a different type of expert. I can give you my two cents or my opinion on that. Under the health care act now, supposedly, that should not be a problem. But as the health care act changes or morph or as the insurance companies change or morph, I don't know that we know that answer in the future. But that would be great for an HR or a insurance expert to speak on further.

Okay, then we'll table that one for somebody else down the road.

So let's get into this area around what we hear a lot about these apps. We do know that Google and Apple are working on a software tool kit that will let app developers build these contact tracing apps, and that tool kit’s gonna be released on Friday. Every country in the world is either using or talking about using apps like this. From your perspective, what are the areas, the questions we should be asking about these?

Well first and foremost, you should be concerned if the application, no matter who makes it – Google, Microsoft or me – that if we make this application that we already comply with or have been certified or attested to comply with laws surrounding the California Privacy Act, the HIPAA Act, as well as some other privacies for other parts of the country or the world like GDPR.

If those applications don't readily show you that they are in fact certified or attested or comply with in some way these regulations, you have no way of knowing that anyone is concerned about your privacy data. And I personally would not use those apps until they are certified or are attested.

Is there a particular stamp of approval? You know, an Underwriters Laboratories stamp people could look for?

Yeah, sure. It is similar to the Better Business Bureau, Underwriters Laboratories, Good Housekeeping Seal of Approval. If you look at the bottom of a webpage, you'll usually see a button that says “Privacy” – it's sometimes very tiny, so you might have to look again – if you hit that button, you should get their privacy policy, you should get their privacy notification information, how they would notify you about the use of your privacy or the breach thereof and how they're already tested or certified. And sometimes there’ll be an auditor's seal on that page that says, “here we are, BPM – we certified this company for HIPAA, CCPA, GLBA” or other privacies per state.

This question has to do with who is in charge of this information. The questioner wants to know, if I do fill out or are using one of these contact tracing apps I've been hearing about, is it the government? Is it the software company? Is it me? Who owns that information?

The software company is likely the owner of the information if you choose to opt in to share all your information. So really be careful when you're signing up, what you're opting in to give them access to and to utilize. Some of these companies that are attested or certified should be telling you – or all of these companies should be telling you that you're opting in and what you're opting in for the use of.

So if my data is used, but my personal piece of that data is never known, that's great. So if Sarah Lynn’s name is never seen, my address is never seen, other factors like my medical condition associated with my name and address are never seen but the medical condition is associated with analytics, that's fine. But when it gets associated to Sarah Lynn and it's not held private, that's when it's not fine.

And what do you think? Just me asking you now in terms of where this sort of information is likely to be stored. Whose database? Whose repository? What sort of sunsetting of the information and that sort of thing.

Yeah, that's a good question, too, because it's also different per application. So some of the attestations and audits and certifications that we can provide for a company would certify that in fact, they are securing this information in their database, they’re securing this information by field, they're securing this information in transit – in other words between your phone and their database or between your PC and the database or between your Mac and their database. So in fact those certifications do ensure you to a certain degree that at some point in time they were all doing the right thing. There's never 100% guarantee. So be careful.

Do you mind if I throw a few questions at you that may not be specific to the COVID-19 data, but maybe more about data privacy and security in general that have popped into people's minds as we’re going through kind of a changed world?

Oh, please. I'm sort of tired of talking about COVID-19 anyway so that’s all good.

All right, well, this is sort of around the edge. This one came from parents saying I'm worried about those stories I hear about Zoom. My child's school is requiring her to do classes on Zoom. Is there anything I should be doing to safeguard privacy and security?

So that's a really good one. So first and foremost, Zoom has since their own discovery that they have had some issues, they have corrected some of the things that were out there.

The two things that people probably heard about, or maybe three things that people heard about were that part of the Zoom Network was going through China. And that's been rerouted now, so that can't happen. Unless you're in China, you can't get rerouted through China. So those of us in the U.S. are staying routed through the U.S. One of the other things that was heard, was that you can control – if you're the host of the zoom – requiring a password. And that was always there, but it wasn't forced. So now those of us that use Zoom and were the host – maybe I'm the teacher or I'm the principal or I’m the Girl Scout leader and I'm going to have a Zoom and I'm going to invite my students or my Girl Scouts to that – I'm going to be forced to now present them with a password so they have to have a password to get in. And that prevents number three that you heard about, which is kind of photo bombing the Zoom. Someone coming in, sneaking in forwarding the Zoom onto someone else.

What I would say is, Zoom has really done their part to make it more secure. And remember, Zoom had 10 million users six or eight weeks ago, and now it's well past 300 million users. So they've been, let's say they've been photo bombed themselves.

But if I'm that mom and I'm at home, first off when I get an invite for my girl scout or my child from the school, I want to know that that has a password. If it doesn't have a password required – it’s going to be on the invite – if it doesn't, I'm gonna reach back, email that host and say, “can you add a password to this, please, to make it more secure for everybody?” And that's one thing I would be doing.

And then the second thing is that I would be letting my child and myself know that I cannot, should not, be forwarding Zoom to anyone else.

Here's another one: I’m working from home now like everybody else. At the office I know they have IT and network technology and security. I'm not really sure about here. What happens if something gets screwed up and data gets stolen or lost? Is it my fault or the company’s?

Well, that's an excellent question too, and I think this is a question that everybody is trying to answer. So here's a couple of two cents opinions about that – and we're really trying to help a lot of companies right now with that question because before, if you were sitting in your office, you were secured by the physical office, the network in the office, the machine that you were on in the office, all had security measures in place and some places even had CCTV and things like that. So four or five different things are happening all at once.

Now you've extended that network to home. And you always did when you had remote workers that work from home one day or two days or half day or whatever, you always were extending that network. So companies did a pretty good job of encrypting laptops so that data couldn't physically be stolen, monitoring or locking down USBs so that data couldn't physically be stolen without being known or monitored and things like that. But what didn't happen to many users that worked from home is they weren't provided any additional instruction about how to secure their own network at home. Now some of them may have signed off on a tele-work agreement that says, “I will secure my network at home.” But do they know how to do that? So there's lots of instructions on the internet about how to secure your network at home, depending on what type of router switch – AT&T, Comcast, Netgear, Cisco – that you have. There's lots of good advice on how to secure your network at home.

The thing that I would say is an immediate, easy thing – and it's not as secure as it should be but it's a short-term, easy fix – is if you have the ability to not be on WiFi when you work from home. In other words, plug an old fashioned ethernet cable into the back of the router and plug it into your laptop. Do that because that's one thing that's easy and requires no configuration change and you could do it at home and you could make yourself more secure just by not using WiFi. If that's not possible and you have two or three channels for WiFi, pop open another channel and put yourself on the one channel by yourself with the WiFi. At least that segregates you. And if you have the opportunity to make that channel have a different SID than the other, or password than the other channels, do it. And then you've done something and you can let your employer know “I have done extra security measures, what do you suggest, Mr. or Ms. Employer?” And they should be able to tell you.

Now some employers have provided a one hit wonder device that goes home and you plug your laptop into it and it provides extra security. And I do think that in the next few weeks you'll see a lot of employers providing much more instruction.

On the second part of your question, I believe, is, how liable am I if something happens at home? And I believe that if you follow all the instructions that your employer has provided and if you provide reasonable care – like take some of the advice that I might have just given and tell your employer what you've done – I believe you will have done as much as could reasonably be expected in a non-work environment.

Learn more about BPM’s IT Security Advisory team and contact Sarah A. Lynn today to find out how we can help your organization maintain security and compliance in today’s digital age.