Law360 (August 21, 2020, 7:58 PM EDT) -- In this edition of Coronavirus Q&A, Fox Rothschild LLP's privacy and data security practice co-chair discusses one of the most valuable ways that attorneys can help clients dealing with pandemic-fueled data collection and hacking issues and reveals what data security adjustments law firms have been making to fortify their systems as lawyers continue to work from their kitchen tables.
McCreary — who is based in the firm's Philadelphia office, from which he has recently resumed working about twice a week after having been at home since March — shared his thoughts as part of a series of interviews Law360 is doing with lawyers to discuss the ways the COVID-19 pandemic has affected businesses and created new legal questions and challenges.
This interview has been edited for length and clarity.
How has the COVID-19 pandemic shaken up the privacy and cybersecurity issues that your clients are facing and the work that you and your colleagues are doing for them?
When everything started shutting down back in March, existing projects that were going on, like ones focused on complying with laws like the California Consumer Privacy Act, almost ground to a halt. People were trying to get their legs underneath them and figure out how to work remotely and dealing with more of the emergent issues immediately. I had one client that was very excited to do a CCPA compliance project, but the employee that was handling it left and went to another place, and they have a hiring freeze, so they haven't been able to replace that person.
What immediately popped up, and has continued to be a top source of work even as project work has started to come back, is dealing with privacy issues, including those related to any sort of surveillance that's going on of employees to make sure they're actually working remotely. There's a lot of policy work to be put in place to explain to employees, a reminder or a disclosure, that we can read your email, it's company email, and that the internet traffic on your computer is something that's the property of the company, it's not private to you. A lot of companies found they weren't making those disclosures.
And as another subset of that, in the past month and a half as things have started to reopen, there's really been a focus on data collection from employees. You have your employees do a daily survey before they come into the office to say they don't have any symptoms, they haven't traveled anywhere, they haven't been around anybody that's been diagnosed. But what do employers do with that data? Do they collect it, do they write down the exact temperature that someone reported? There's a lot of analysis that goes into that and a lot of privacy issues that come up.
But all of that has been completely eclipsed by the amount of work that's being done on the data security side. Many companies were and still are scrambling to put in multifactor authentication and there's been a lot of efforts to really focus on security. There's a lot of legal work that's involved in that. It's not just get a vendor and you're good. At the very least, you're reviewing the vendor agreements, but there are also a lot of questions that go into what are those policies and procedures actually going to do. It went from a point where for years we would tell clients, "You really need to focus on data security," to just hyper-drive.
It's been a crash course for a lot of clients, and one of the most valuable things that we found that we could give to our clients when they're going through this is our experience of other clients having gone through it over the years, or the experience of my law firm having gone through this over the years. Being able to walk them through that, it seems to resonate better to have that information come from lawyers than from IT people.
How have the data security risks facing companies changed, and how are lawyers and their clients responding to this new threat environment?
The number of scams and amount of effort that criminals are putting into trying to rip off companies while they're vulnerable and working remotely is monumental. I've never seen anything like it. It's been anything from simple phishing schemes to very sophisticated wire scams that are even now involving telephones. Normally it would all be through email, but hackers are mixing in telephone because these phones are ringing through to cellphones, often they're going to voicemail and employees are communicating back by email because who wants to pick up the phone now. It just makes everything a little bit less secure and a little bit easier for the criminals.
Initially, with most clients, there was a little bit of a reluctance to invest in data security. It was more, "I'll purchase a bigger data line so that we can make sure people can work remotely," to now where they really are paying attention. They read the same news we do, that the number of data breaches are up 40%. They react to that, and they're starting to open up those checkbooks a lot more than they were initially. And from a transactional point of view, we've reviewed more vendor agreements that are security-related in the past five months than we probably have in the past three years. I kind of wish I would have started an IT security company before this happened, because they're in high demand right now.
Lawyers have an important role to play as well. Lawyers think differently, so that's a valuable opinion to have in there when you're thinking about business decisions. It's almost like getting a second opinion from a doctor. My CIO says that we need to do this to protect data, but it's going to cost us $300,000 over three years. What do you think we should do? Those questions come up, we have those conversations with clients, and it becomes a collaboration between the executives of the company, the IT staff of the company and their counsel. And when it comes together like that, everybody has a lot higher comfort level with the decision, and it's a real value for clients.
As the firm's former chief privacy officer, what risks are law firms in particular facing in this current environment, and what have and should law firms be doing to tackle these issues?
For law firms, it just becomes more crucial for them to actually address the issues that weren't addressed before. Typically, lawyers want to feel like lawyers, so they want to be back in the office. So it's really important in doing that to understand what new data is being collected and that it's done properly. And it's important for lawyers to have some sort of task force to deal with these issues and to address them, because if you have just one person making decisions about this without input from people like a chief privacy officer or a chief information security officer, it's just a recipe for disaster. That's the number one piece of advice that I give to law firms and just regular businesses, is that you've got to have a group that meets daily to talk about these things, because you're always going to have issues come up. And you want to make sure this group is collaborating with other companies that have these COVID or back-to-work task forces and are going through the same thing as well, because there's no reason why any company has to figure this out on its own.
And from a data security perspective, I've advised law firms that have now put more restrictions in place. Where before they didn't block third-party file share sites like Dropbox, they're now blocking those. With the law firms I've represented, all of them have now gotten to a point of blocking USB drives to make sure that data doesn't come off the computer. We see people reconfiguring their Citrix and their remote desktop service solutions, so that files cannot be downloaded from there to personal computers. And a couple law firms I've talked to, they weren't doing virtual private networks. They were doing it some other less secure way, and a lot of them switched to VPNs, because if you do that, you have a lot less to worry about as far as the data, because you control the device and you control the connection.
But it's challenging. I've seen people have conversations in their kitchen with other family members around while they're talking to a client. It really does take a new way of thinking about things and realizing that you're not in the security and the privacy of your office. You're in a whole different environment.
What's the privacy and cybersecurity outlook for companies and law firms for the next few months, as more businesses and schools reopen and more restrictions begin to be lifted?
Looking at what's happening now, with people being remote or going into the office maybe two days a week, they're transporting laptops, they're working a lot off their iPhones and their iPads. If I were seeing that and interested in hacking, now is when I would get into the business of being a hacker, because it's not going to get any different. We've had many tech companies say they're not going back to the office and businesses decide that most of their workforce can actually work remotely. So those issues aren't going to change.
One of the negative side effects of all this is that as much as companies were starting to do training of their employees and really getting security in front of them as much as they could, when people are remote, it's that much harder. And if I'm stuck working from my kitchen because my partner's working in the office, and I have a 5-year-old that's running around, and I'm distracted and I start making mistakes, it's always been the problem that employees are the weakest link, they're the ones that do the dumb stuff. And now that we have people distracted in different environments and with everything else going on, it's only going to amplify.
And on the privacy side, part of the problem is you're having personal information being collected by the organizations that have historically been the worst at protecting data. School districts are a really good example. And it's easy to say they have budgetary restraints so they have outdated technology and can't buy what they want, and that's absolutely true. But it's only going to get worse. I don't think we're going to see a lot of budget increases for schools in the near future, but we are going to see a lot more data collection, and that data is still going to go into the same systems that otherwise were not secure.
Then there's restaurants, you're going to see information collected by them that wasn't collected before, and what are they going to do with all that. And if you start having music venues open back up, and they see that 45 people didn't pass the temperature check and they know the names of those people, what are they going to do with that information. It's just going to be a lot different.
For companies that have the money and understand how important it is to take security seriously, those dollars will continue to flow. But there's also a big risk right now of companies popping up that are promising security solutions or COVID tracing solutions that are brand new at this. And historically with new companies, data security is at the bottom of the list. It's really more important that they put their money into research and development and advertising and then they'll fix the other problems when they have time and money, and that concerns me.
It's also really going to be interesting to see what happens with the legal industry itself. There's a lot of concerns right now about a lot more work being taken in-house. In many areas of the law you can do that, but with privacy, there's a reason why there are privacy lawyers who focus on these issues 24/7. Especially when it comes to the privacy world, it's rare if I meet an in-house counsel that's really a privacy professional, and it's hard for in-house counsel who are labor and employment or real estate lawyers to figure out all these different privacy laws and considerations.
--Editing by Rebecca Flanagan.