What is the issue?

In response to the COVID-19 pandemic, governments have introduced measures around bio-surveillance, censorship and misinformation that could have significant impacts on privacy rights. Among recent initiatives, governments have passed laws relating to the tracking of people’s movements, communications and health data, leveraging telecommunications, camera footage, transport bookings, financial data, social media, facial recognition and temperature checkpoints.

Privacy rights and cyber security risks under the COVID-19 magnifying glass

  • Governments are adopting measures that can lead to suppression of privacy rights through mass bio-surveillance activities.
  • Businesses are stepping in to support efforts by governments and public health authorities attempting to control the impact of the virus.
  • The number of cyber attacks has increased exponentially since the start of the pandemic.

In some cases, governments have deployed artificial intelligence to enable mass surveillance[1] and social control[2], often without proper oversight, regulation or checks and balances.

Governments are setting up these systems, but private businesses are providing the tools. In this context, businesses may be aiding governments in measures that violate civil and political rights. Businesses may also be adversely impacting people’s human rights without the involvement of governments. Therefore, it is incumbent on businesses to think carefully about their obligations under international human rights law.

Privacy rights and cyber security-related business challenges have been amplified by the COVID-19 pandemic, raising concerns for institutional investors. This briefing provides guidance to support investors in developing a better understanding of the scope of risks and their potential impacts on portfolio companies. The table below sets out examples.

Area | Potential risks

Privacy rights

  • Workplace surveillance
  • Exploitation of privacy data
  • Misuse of contact tracing apps
  • Discrimination against infected people
  • Limited access to internet and technology
  • Enforcement of unnecessary and disproportionate regulation
  • Existing regulation that does not anticipate the changes seen in data collection during the COVID-19 crisis

Cyber security

  • Data breaches
  • Operational disruption
  • Digital infrastructure vulnerabilities due to the increase in remote working
  • New regulations on cyber security and privacy
  • Increasing government dependence on public-private partnerships without proper oversight


Key near-term investor actions

Stewardship

Below is a list of questions for investors to consider for their stewardship activities that will help set expectations for investee companies around privacy rights and cyber governance issues.[3] The list is not exhaustive and should be adapted depending on the business sector and company location.

Considerations around privacy rights

  • Has the company identified clear social benefits for services provided to governments during the pandemic? If the company is profiting from the situation created by the pandemic, it should ensure it does not lock public authorities into exclusive long-term contracts and that the services are provided only for the necessary period of time.
  • Has the company identified its legal responsibility in terms of protecting end users’ privacy rights?
  • Has the company carried out due diligence on its products or services to assess privacy rights risks, including the provision of third-party access to users’ sensitive information?
  • Will the company delete the data collected through tracing apps after the crisis? How will this be ensured?
  • Will surveillance measures be rolled back at the end of the pandemic?
  • Has the company identified whether parts of the population are being excluded as a result of technological choices? Will those without a smart mobile phone be left out?
  • Can the company guarantee that all the data collected is relevant to the required purposes and is not more than necessary?
  • Is the company being transparent about the type of data gathered, who it will share the data with, on what basis, and for what purposes?
  • Has the company made sure there are no other solutions available that are less data-exploitative?
  • Are the activities of the company in the development of the technology lawful – respecting human rights frameworks and data privacy principles?

Considerations around cyber security

  • What is the governance structure underpinning cyber security and can the company demonstrate its effectiveness?
  • Does the board have expertise on cyber security?
  • How does the company address gaps in skills and experience relating to cyber security?
  • What are the company’s strategic and compliance priorities regarding cyber security?
  • Has the company carried out due diligence to identify key concerns around cyber security within the value chain?
  • What cyber security metrics are reported to the board, and how are these linked to wider incentives and benchmarking across the company?
  • How has board reporting on cyber security enhanced cyber security plans and strategy?
  • What has been learnt from cyber security breaches and how has the company modified mechanisms to reflect these experiences?
  • How is the company strengthening organisational capacity as part of its cyber security strategy?

Examples of corporate good practice

Company

RiskRecon | Sector: Financial | HQ: US

RiskRecon, a risk management provider, is offering free cyber security rating assessments until the end of 2020 to small businesses and healthcare providers in Canada and the US, in partnership with the Health Information Sharing and Analysis Centre. The initiative aims to support companies exposed to the increase in cyber risks caused by the pandemic. The assessments help businesses identify and address potential vulnerabilities in their systems, providing recommendations to strengthen cyber security structures.

Source: https://blog.riskrecon.com/free-cybersecurity-assessments

Government

National Cyber Security Centre | UK

The National Cyber Security Centre in the UK has provided guidance to help businesses manage the technological challenges presented by COVID-19. Its extensive and detailed guidance covers areas such as video conferencing services, scam emails and service providers, aiming to help organisations improve their IT services and support.

Source: https://www.ncsc.gov.uk/guidance/moving-business-from-physical-to-digital

Tools, guidance and further resources

Podcasts and webinars

Guidance documents and resources