As the United States and other countries gradually ease stay-at-home orders and mandatory lockdowns, data-driven technologies have become increasingly discussed as a potential strategy for tracing and mitigating the further spread of the COVID-19 virus. While these emerging technologies can serve a variety of pandemic response purposes, one use is to automate contact tracing through mobile applications, wearable devices, and other tracking technologies to complement other efforts to safely reopen the economy.

The use of digital contact tracing solutions within business enterprises raises a variety of privacy, cybersecurity, and employment law issues organizations cannot afford to overlook. This White Paper provides a practical, high-level overview of the digital technologies proposed for contact tracing in the private sector, identifies potential cybersecurity, privacy, and employment law concerns that may arise in connection with deploying these technologies, and summarizes some of the legislative proposals to address these concerns.

DIGITAL CONTACT-TRACING TECHNOLOGIES

Technology Overview: How Does It Work?

At a high level, digital contact-tracing technologies automate the process of manually identifying and informing individuals who have come into contact with others testing positive for the COVID-19 virus. The goal of contact tracing is to suppress transmission of the virus by getting ahead of its spread. To this end, digital contact-tracing technologies can promote rapid identification of the individuals who must self-isolate and seek priority testing after coming into contact with a positively diagnosed person during the incubation period.

While much attention has been devoted to contact-tracing technologies developed by major technology companies for use by public health authorities, companies are developing their own solutions and repurposing existing technologies for use in the private sector. These solutions generally rely on mobile applications installed on smart phones, wearable technologies, or other tracking mechanisms, such as Bluetooth beacons.

Digital contact-tracing solutions vary and are rapidly evolving. Current contact-tracing technologies generally rely on the collection of either proximity data or more precise geolocation data, or a combination of both. Contact-tracing solutions available for use in the private sector also may link proximity or geolocation data with other categories of personally identifiable information such as names and contact information, identification numbers (e.g., employee ID), data related to a COVID-19 diagnosis or symptoms, and information about third parties with whom the individual has come into contact. Understanding the nature of the data collected by a particular device is critical to assessing the legal issues that will arise when deploying a given technology.

Proximity Data. Proximity data generally refers to information that identifies the distance between two individuals and the duration of their interaction, as opposed to the individual's precise location in space and time. Bluetooth signals are a popular technology for measuring proximity. Using this technology:

  • Person A downloads a mobile application or uses a wearable device, each of which can broadcast a unique identifier via Bluetooth on a rolling basis. Other compatible applications or devices in close proximity detect this identifier.
  • When devices approach one another, the technology estimates the distance using the Bluetooth signal strength. If the technology measures a distance of approximately six feet or less for a sufficient period of time (as determined by either the administrator of the technology or its manufacturer), the devices record the interaction.
  • If Person A learns she is infected with COVID-19 and uploads her diagnosis or otherwise communicates it to her employer, other individuals who came into contact with her for a sufficient period of time (according to the technology's risk calculation algorithm) can be notified so they can take appropriate self-isolation and testing measures. If the employer uses Bluetooth beacons on premises that interface with a mobile application or wearable device, proximity data also can be used to identify areas that require disinfection.

Geolocation Data. Geolocation data generally refers to information capable of determining the physical location of an individual at a specific point in time using location data generated, for example, by a global positioning system ("GPS"), WiFi, or cellular site location information ("CSLI") stored by telecommunication operators. Technologies that rely on "geolocation data" can:

  • Create "heat maps" to visually track the spread of COVID19 in a particular area and to communicate zones of elevated infection in the population;
  • Log an individual's location data in order to notify other individuals who test positive of encounters they may have had while contagious or aid contact-tracing efforts by reminding the individual of his or her location history and potential encounters with others; or
  • Measure proximity between individuals and notify those who come into contact with infected individuals of a potential exposure.

Depending on the design, technologies being deployed in the private sector may grant the company centralized access to detailed logs of employee interactions within the organization and even health information about personnel using the technologies.

Digital contact tracing is new and developing and may prove an imperfect solution to automating contact-tracing efforts. For example, to the extent it relies on users to self-report diagnoses, that may yield either over-reporting (e.g., individuals indicate they have COVID-19 based on symptoms even without testing) or under-reporting (e.g., individuals fail to update their status on a digital contact application).

How Companies Are Using Contact-Tracing Technology

Companies are rapidly ramping up use of contact-tracing solutions for a variety of business purposes. Some uses of this technology in the private sector include:

Employers. Mobile applications and wearable devices can aid employers' internal contact-tracing efforts and help verify that employees abide by social distancing guidelines in the workplace. Some employers are requiring employees to wear and activate such devices. If an employee reports symptoms or a positive diagnosis, companies using this technology can identify and inform other employees who may have been exposed and, depending on the data collected, identify physical locations in the workplace that may require disinfection and cleaning. In addition, employers can potentially use data from contacttracing applications to quickly identify locations or contexts in which appropriate social distancing is not being observed.

Universities and Schools. Much like employers, universities and schools are contemplating using contact-tracing applications to inform students and staff if they have been exposed to an individual who has tested positive and to monitor adherence to social distancing guidelines. We have written about specific considerations for education institutions in light of the COVID-19 pandemic in our White Paper, "A Guide to Navigating the COVID-19 Crisis for Institutions of Higher Education."

Cooperation with Public Health Authorities. Private-sector companies have also considered requiring employees, students, or customers to use a contact-tracing technology managed or mediated by a federal, state, or local public health authority as a means of contributing to community control of COVID-19. Indeed, some companies developing contacttracing solutions for internal use are considering ways to leverage the technology to collaborate with external public health sources. In the European Union, France and Italy have already released their own contact-tracing applications, while Germany and the United Kingdom are about to do so.

CYBERSECURITY, DATA PRIVACY, AND EMPLOYMENT LAW RISKS

Before deploying a contact-tracing solution, companies should carefully evaluate the security features of the technology; understand the types of data that will be collected; and consider where, how, and by whom that data will be stored, accessed, used, and disclosed and how long the data will be retained. Using that information, companies can assess the cybersecurity and legal risks, develop appropriate policies and procedures, and properly train stakeholders.

Cybersecurity

Digital contact tracing presents potential security risks. Applications, devices, and centralized databases may collect sensitive information (e.g., an individual's COVID-19 health status and geolocation data) and may be vulnerable to malicious attacks from bad actors looking to exfiltrate such information. U.S. law enforcement and national security officials are issuing increasingly stark warnings about a surge of attempted cyber intrusions and other malicious cyber activity seeking to exploit weaknesses due to, for example, reduced IT staffing or use of insecure networks.

A data security incident could give rise to a variety of harms. Companies suffering a significant data security incident may incur large incident response and remediation expenses and face an array of legal challenges, including regulatory investigations and litigation. Their reputations and relationships with employees and business partners also may be negatively impacted.

To see the full article click here

Originally published July 1, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.