Taking steps to ensure proper cyber security in this time of uncertainty and a remote workforce is more crucial now than ever. With outside actors, both friend and foe, becoming more aggressive in seeking data access, a reactive approach will fall well short. This is especially so with the news that the Federal Government is now using “anonymized,” aggregate, cellphone location data to track people’s movement during the COVID-19 pandemic.

Using Cellphone Location Data in the Fight Against Coronavirus

The Wall Street Journal reported on March 28, 2020 that the Centers for Disease Control and Prevention (“CDC”), as well as local governments, are using cellphone location data obtained from mobile advertisers to track movement, all in a stated effort to help curb the continued spread of the coronavirus. According to The Wall Street Journal, the CDC received “anonymized” data for people in areas of “geographic interest,” with an aim of creating a portal that includes geolocation information from approximately 500 cities across America. Additionally, The Washington Post reports that the Federal Government is also discussing a plan to receive similar anonymized data from tech companies such as Facebook and Google.

The apparent goal, according to The Wall Street Journal, is to understand how the coronavirus is being spread, and determine how well people are complying with orders to stay at home. The road to that goal, however, may only be paved with good intentions. While anonymous data used in the aggregate may be legally permissible, the panoply of potential legal issues that data presents is substantial. One primary concern is that, at this time, there appears to be little-to-no confirmation on what information is being removed to make sure the data used is actually anonymous. It is also unclear on how the data will be handled by the government, or for what other purposes the data may be used.

Use of such “anonymized” location data also may only be the beginning. With that lack of clarity, the need for proper cyber hygiene is brought to the forefront, notably for those employers in California subject to the California Consumer Privacy Act of 2018. As so much of the workforce across the country is now working remotely, both employers and employees must take proper steps to ensure their clients’ information remains secure. This is especially so since undoubtedly a significant portion of that remote work is being done on personal mobile devices (e.g. that brand new iPhone you may be using to read this), and in apps, from which third-parties are collecting data.

What Should You Do?

Ensure that you have in place reasonable network security measures, especially as to accessing sensitive information remotely and on mobile devices. Important, as well, is the fostering of a company culture aware of cyber risks, and consistently practicing good cyber hygiene. Even simple protocols for accessing and using sensitive information can go a long way. Ongoing training will play a critical role in creating a culture of cyber security. Engrain that culture now, so it pays dividends later.

Our Data Privacy & Security Task Force attorneys are available for consultation by emailing NDCovid19Response@ndlf.com or contacting our office at 949-854-7000.