Earlier this year, organizations worldwide had to quickly figure out how to function with their entire staff working remotely, and now the focus is shifting to how, or even if, we can safely re-open or return to “normal” operations. With these more urgent priorities and the focus on business continuity, many organizations were forced to take a risk-based approach towards compliance. Information security and compliance will continue to be a challenge, and in many ways have become more important, as data and information are now being accessed and shared everywhere EXCEPT inside the standard office infrastructure.
How have compliance requirements been impacted? Have any been loosened or delayed in light of the current circumstances? Below is an updated status of some of the common compliance regulations:
The Payment Card Industry Security Standards Council (PCI SSC) has been providing updates.
- The PCI SSC has issued no official comments regarding compliance programs or potential delays in merchant compliance, as this responsibility falls to the individual acquiring banks. Entities have been encouraged to contact their payment brand or acquirer to determine any compliance impact regarding partial or incomplete assessments and expectations associated with remote assessments.
- The SSC has released official guidance to help entities and assessors with the overall assessment process and identified activities that can be performed remotely.
- For P2PE solutions due for reassessment before October 30, 2020, the PCI SSC has granted a six-month extension of the reassessment date. Note that the extension must be requested and approved; it cannot be taken unless it has been officially granted. The expiry date for PIN Transaction Security Point-of-Interaction (PTS POI) version 3 devices has been moved from the original date of April 30, 2020 to April 30, 2021.
- All organizations accepting payment cards must maintain compliance with all DSS requirements. Carefully evaluate any card acceptance that has moved to remote locations and confirm that the payment processing methods in use there remain compliant.
- Helpful guidance on the increased threat of online skimming attacks, COVID-19 online scams, and maintaining POS device security and cleanliness was shared on the SSC website.
- In an effort to retain engagement, all 2020 Community Meetings were moved online and instructor-led training courses were cancelled through the end of August.
The US Department of Education issued an FAQ regarding the Family Educational Rights and Privacy Act to assist school officials in protecting student privacy in the context of COVID-19.
- Under the FERPA health or safety emergency exception, an educational agency or institution is responsible for determining whether to disclose PII from education records. If it determines that there is an articulable and significant threat to the health or safety of the student or another individual, and that certain parties need the PII from education records to protect the health or safety of the student or another individual, it may disclose that information to those parties without consent.
- Information can also be disclosed to public health department officials under FERPA’s health or safety emergency exception.
- Unless a specific exception applies, educational agencies and institutions that create, or intend to create, a tracking or monitoring system to identify an outbreak before an emergency is recognized should prepare consent forms for parents and eligible students to sign, allowing for the potential sharing of information.
- Nothing in FERPA prevents schools from telling parents and students that a specific teacher or other school official has COVID-19 because FERPA applies to students’ education records, not records on school officials. However, there may be State laws that apply in these situations.
Another relevant document to refer to is the 2019 “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to Student Health Records”. This guidance helps explain that the HIPAA Privacy Rule does not apply to education records that are protected by FERPA.
COVID-19 has clearly imposed massive challenges on health care providers and there have been numerous questions on the ability of entities to share information in order to assist in a public health emergency.
- HIPAA allows disclosures under certain circumstances, such as where a disclosure is necessary to prevent a serious and imminent threat and is consistent with applicable law and the covered entity’s standards of ethical conduct.
- In March 2020, the U.S. Department of Health and Human Services (HHS) issued guidance waiving compliance with certain HIPAA privacy and security requirements, making it easier for essential health care providers to obtain protected health information and deliver necessary care and services to those in need during the COVID-19 pandemic. As long as health care providers are acting in good faith, the HHS Office for Civil Rights (OCR) will exercise its discretion and will not impose penalties for noncompliance. The relaxed requirements and enforcement positions include:
- The ability to disclose, without patient authorization, protected health information to a public health authority such as the CDC or a state or local health department, and to those at risk of contracting or spreading a disease. Providers must make reasonable efforts to limit the information disclosed to the “minimum necessary” for the reporting purpose.
- The ability to provide telehealth services through any non-public facing remote audio or video communications technologies available to communicate with patients.
- The requirement to obtain a patient’s agreement to speak with family members or friends.
- The requirement to honor a patient’s request to opt out of the facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
- In April 2020, OCR announced it would not penalize health care providers and their business associates for good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.
- Even with this relaxed enforcement, HIPAA’s privacy protections are certainly not obsolete, and all covered entities should continue to maintain robust privacy and compliance programs. It is even more important now to reinforce training and policy with staff, so they are not tempted to access patient information without authorization or share information with outside parties. Business associates also remain responsible under the Security Rule for implementing safeguards that maintain the confidentiality, integrity, and availability of electronic PHI.
- Just prior to the COVID-19 pandemic, the Office of Federal Student Aid (FSA) at the US Department of Education released a notice explaining how the FSA would handle compliance enforcement related to the Safeguards Rule audit finding during the FY19 federal single audit process.
- In March 2020, the Office of Management and Budget (OMB) released a memorandum extending the reporting deadline by six months for any single audits with a fiscal year-end date on or before June 30, 2020.
- GDPR is one of the strictest privacy regulations, but it still allows national governments to act in the public interest, subject to data minimisation and purpose limitation. As little personal data as necessary should be used, and only for a specific, narrow purpose (e.g. in the case of COVID-19, to limit the spread of the virus and protect employees’ health). Any data being shared must also be protected against cyber risk and against unauthorized sharing.
- The pandemic has definitely increased the need to balance protecting public health against protecting personal privacy. Mechanisms like contact-tracing and self-reporting apps have been under scrutiny to ensure that individuals’ personal data is protected. There is still debate around whether or not measuring body temperature before allowing someone entry to work falls under GDPR, and national tracking systems have been permitted as long as they are aligned with GDPR principles (voluntary and consensual, or fully anonymized).
- Data Protection Authorities (DPAs) from France, Germany, Ireland, and the U.K. have spoken out and said they plan to uphold enforcement actions, and intend to hold organizations accountable when GDPR standards are not met, regardless of the COVID-19 crisis.
One other issue that comes into play with all of the above requirements involves your organizational policies and procedures. Before the pandemic, policies may have lived primarily in paper files and binders, or been scattered across different websites and intranet sites. The shift to remote work has revealed the need to provide policies and resources in central, easy-to-access locations, so all staff can readily find the information they need.
Security and privacy compliance programs will continue to evolve as organizations adapt to the changing environments that result from COVID-19. Continue to evaluate the changes and processes you implemented over these past several months to ensure you are not placing your organization or staff in a non-compliant position. Please don’t hesitate to reach out to us with any questions.
Additional guidance from our Offensive Security team below:
[Hobby]: Work as we know it has probably changed forever. While organizations are reexamining working conditions and adjusting everything from workforce deployment to office hours, the traditional threats to those organizations remain and cyber threats in particular are increasing. We do not know how long the COVID-19 “interim” period will last or what the new “normal” will look like, but we do know that we must continue to ensure that our risks are assessed, monitored, and managed. We’ve been developing our risk and compliance programs for years; now is the time to use them.