The COVID-19 outbreak creates the perfect storm for a new proliferation of cyber crime. With an unprecedented number of employees suddenly working remotely, cybersecurity and data privacy programs are being pushed to their limits. An extraordinary number of people are confined to their homes accessing the internet for both work and entertainment. Psychologically, many are anxious about COVID-19 and want to do something to help. For cyber criminals, this is the opportunity of a lifetime.

Opportunity of a Lifetime for Cyber Scams

Scammers are creating fake websites and apps in an attempt to exploit the public's demand for updated information about the spread of COVID-19. For example, the popular Johns Hopkins COVID-19 website has generated a cottage industry of imposters linking to malware.

The FTC (Federal Trade Commission) is tracking the alarming increase in cyber fraud. The FTC has issued alerts documenting numerous recent scams involving fraudulent offers of health, medical, and household supplies. Operating under the guidance of a fake charity is another favorite tactic used to defraud well-meaning people during the ongoing emergency.

On March 20, the FBI released an alert documenting a rise in fraud schemes related to the COVID-19 crisis. The alert identified three trends.

• Fake CDC Emails

Scammers have been sending out fake emails purporting to be from the Centers for Disease Control and Prevention (CDC). These emails contain links that infect the user's computes with malware. As discussed above, fake websites and apps are also being reported.

• Phishing Emails

Phishing attacks attempt to trick users into sharing their personal information by impersonating a trusted source. Phishing attacks have become increasingly sophisticated and can result in millions of dollars in losses. Phishing attacks are one of the most common attack vectors utilized by hackers and cyber criminals.

The FBI reports COVID-19 phishing attacks often claim to be related to:

• Charitable contributions
• General financial relief
• Airline carrier refunds
• Fake cures and vaccines
• Fake testing kits

Phishing attacks may come as an email or a text message to your phone. They often involve the logo of a trusted source like the World Health Organization. They may claim to offer you a government benefit or seek a charitable donation.

• Counterfeit Treatments and Equipment

Counterfeit versions of in-demand goods such as sanitizing products, personal protective equipment (PPE), including N95 respirator masks, goggles, full face shields, protective gowns and gloves have become another popular scam.

The FBI suggests taking the following precautions:

• Do not open attachments or click links within emails from senders you don't recognize.
• Do not provide your username, password, date of birth, Social Security number, financial data, or other personal information in response to an email or robocall.
• Always verify the web address of legitimate websites and manually type them into your browser.
• Check for misspellings or wrong domains within a link (for example, an address that should end in a ".gov" ends in .com" instead).

• Data Privacy During the COVID-19 Outbreak

Technology and social media giants have made headlines for their recent proposals outlining how authorities could use their user's data to enforce "social distancing." These proposals suggest sharing user's cell phone location data with the government.

China has already implemented measures during their COVID-19 lockdown that might be viewed as innovative, Orwellian, or a combination of both. These include surveillance of public places using thermal scanners, facial recognition, artificial intelligence and developing a system of QR codes reflecting the user's health information on their mobile phones. It remains to be seen when or if these measures will be fully repealed.

It's worth considering how the "new normal" of remote work in the United States relates to recent developments in data privacy laws across North America and Europe.

• COVID-19 Emergency May Narrow Application of GDPR

The EU General Data Protection Regulation (GDPR) provides a legal basis to allow employers and public health authorities to process personal data without obtaining the consent of individuals if an epidemic or pandemic is ongoing. This legal basis relates to personal data processing in the public interest, to protect an individual's vital interests or to comply with another legal obligation.

On March 19, the European Data Protection Board (EDPB) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that the COVID-19 emergency is a legal condition which may legitimize restrictions on individual freedoms, provided that these restrictions are proportionate and limited to the duration of the emergency.

Andrea Jelinek, chair of the European Data Protection Board (EDPB), said: "Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data."

• No Delay in CCPA Enforcement for COVID-19

In North America, the California Attorney General recently announced enforcement of the California Consumer Privacy Act (CCPA) will not be delayed due to COVID-19. The CCPA went into effect on Jan. 1, and the enforcement period remains set to begin on July 1. The CCPA establishes new consumer rights relating to the access to, deletion of, and sharing of personal information collected by businesses.

A number of industry groups had requested a delay in enforcement due to the emergency. The response from the attorney general makes it clear this request will not be granted.

"Right now, we're committed to enforcing the law upon finalizing the rules or July 1, whichever comes first," an adviser to California Attorney General Xavier Becerra said. "We're all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers' privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency."

Conclusion

It bears repeating that employees should remain vigilant and implement remote working best practices while "social distancing." Avoiding public networks, strengthening passwords, using virtual private networks secured by authentication and reviewing the terms of cyber insurance policies are all good ideas even during normal operating conditions.

The COVID-19 outbreak will have long-lasting legal implications that extend far beyond public health or the emergency powers of government. The pandemic is also proving itself as an historic event for cyber crime, data privacy and cybersecurity. Businesses and employees should continue to monitor the latest legal developments and implement best practices to mitigate the elevated risks.

Patrick McKnight is an associate in the Klehr Harrison Harvey Branzburg litigation practice group and member of the firm's COVID-19 task force.