As the number of folks working from home has skyrocketed during the pandemic, the effects of being more digitally connected have been both good and bad. Reports of suspected cybercriminal attacks made to the Federal Bureau of Investigation’s Cyber Division (known as the “IC3” or Internet Crime Complaint Center) are up 400% from pre-pandemic reports.1
The targets for attacks are not only large global companies, but also governmental authorities, small businesses, non-profits, healthcare organizations and even individuals. According to a report issued by Barracuda.com, nearly half of all businesses expect a significant data breach or cybersecurity incident due to some sort of remote workforce strategy. Some of the most trusted brands like Honda, Garmin and Canon first reported “technical difficulties” and later confirmed they had experienced a cyber attack.2
In addition to the destructive ransomware attacks, phishing or social engineering attacks targeting individuals have grown more believable and effective. Cyber experts report that, in the United States alone, scams like phishing and social engineering attacks against individuals range from 20,000 to 30,000 daily.
Practical Issue 1: Verifying Right Party Contacts (RPCs)
Now more than ever, our customers are reading the news about privacy, cybercrime, scams, and other fraudulent schemes to be wary of. A refresher with your consumer-facing employees may be helpful, focusing on properly self-identifying on calls and actively listening when verifying, to ensure they have reached the right party. Consider some role-playing or other live (if virtual) interactive opportunities to reinforce the privacy message.
Both the Fair Debt Collection Practices Act (“FDCPA”) and the Health Insurance Portability and Accountability Act of 1996 (and accompanying regulations – “HIPAA”) contain prohibitions against third-party disclosure. Taking extra steps to trust but verify that a caller or called party is who he or she claims to be makes good sense given the increase in fraud and cybercrime.
Practical Issue 2: Too Much Information (or Protecting TMI)
Concerns are running high about what to believe in the news about the coronavirus – when you may be exposed to it, when you should self-quarantine, when you should be tested, and how rampant the virus may be in your community. Double-check any policies or procedures you have in your office against the materials that have been frequently updated by the Department of Labor, Centers for Disease Control & Prevention, and other federal organizations.3
As more circumstances come to light, these agencies offer bulletins, frequently asked questions and other materials to help businesses (and individuals) interpret what information can and should be shared in an employment context and how to best protect the safety of employees in their workplace.
Practical Issue 3: Privacy Regulations for Medical and Healthcare Organizations
Practical Issue 4: Privacy Concerns for Front-Line Agents
Among the top privacy concerns that may impact front line agents are:
1) a malicious caller impersonating the customer to try to get confidential information or commit some form of financial fraud;
2) money laundering situations in which a third party “overpays” and then demands a refund of all or a portion of the funds supplied (but the original payment may be flawed in some manner);
3) a malicious caller who “socially engineers” and pretends to be the customer, a federal agency, a court, a consumer advocacy group, or even an attorney general and demands immediate information that is sensitive or proprietary (which information would later be used to perpetrate some form of fraud).
Practical Issue 5: Remote Workforce Concerns in Healthcare Collections
Depending upon the manner in which collections are conducted, among the top issues being addressed with a remote workforce are the methods by which consumer payments are taken (is it contactless from the agent’s/consumer’s perspective?) and the possibility that consumers may share non-public information with the collection agency. Secure portals and “curbside” contactless payment options that allow a front line agent to speak with a customer who has his/her own secure way to submit payment information or self-service debt substantiation are among the solutions agencies are considering to handle this challenge.
Agencies that have retained their key telephony and computing resources in secure environments to which agents log in/out securely (but with no paper or other electronic information actually stored in agents’ homes – and subject to the same control factors) may have no greater privacy/data security risks than if agents were working on premises with similar setups.
Practical Issue 6: Consequences of Violating Privacy and HIPAA Regulations
Nothing has changed here since enforcement of HIPAA began in 2003 (although in 2009 the fines and penalties increased when the law changed). There are both civil and criminal penalties for violating HIPAA.
The consequences are shaped to fit the gravity of the abuse, misuse or theft of patients’ non-public information, known under HIPAA as “protected health information” or “PHI.” While there is not a private cause of action for violating HIPAA, in recent years we have seen many creative plaintiffs’ attorneys bringing actions with privacy-sounding claims. For example, if a third party has allegedly gotten a call about a collection matter, a plaintiff’s attorney may insert a claim in a lawsuit stating the consumer has suffered a “breach of privacy” or an “intrusion into seclusion.”
PDCflow's HIPAA and PCI compliant FLOW Technology allows agents to collect payments without the risk of a data breach – even when working remotely. To learn how FLOW Technology can improve your remote work compliance and security, download our how-to guide.
Footnotes:
1. See http://thehill.com/policy/cybersecurity/493198-fbi-sees-spile-in-cyber-crime-reports-during-coronavirus-pandemic; https://www.ic3.gov/default.aspx; for information generally on breaches and security incidents during the pandemic, see https://www.cnbc.com/2020/07/29/cybercrime-ramps-up-amid-coronavirus-chaos-costing-companies-billions.html
2. https://www.prnewswire.com/news-releases/top-cyber-security-experts-report-4-000-cyber-attacks-a-day-since-covid-19-pandemic-301110157.html
3. See https://www.cdc.gov/ and https://www.dol.gov/agencies/eta/coronavirus
- ABOUT THE AUTHOR -
Leslie Bender, IFCCE, CIPP/US, CCCO, CCCA, is an articulate corporate executive with over 30 years of experience handling compliance, regulatory, transactional and legal matters for hospitals and financial services companies. Recognized as a national expert on HIPAA and other information privacy and security laws, she was one of the first privacy officers internationally accredited as a Certified Information Privacy Professional.