COVID-19: THE UNDERMINED STATE OF DATA PROTECTION GLOBALLY
Updated: Jul 29
[Authored by Aman Gupta, a 3rd year BBA LL.B (Hons.) student at Chanakya National Law University, Patna]
“All this fuss just takes one wrong click”
On March 11, 2020, the World Health Organization (WHO) declared the novel coronavirus (COVID-19) a global pandemic. Tensions escalated across almost every sector, demanding serious efforts to curtail the spread of this menace. As per the World Economic Forum, the COVID-19 pandemic will cost the economy at least $1 trillion. The world is going through an indeterminate period of lockdown. Global leaders are striving to adopt plans and policies for a better future, while medical geniuses, research universities, and laboratories are running experiments to develop an antidote to the virus. Amid all this toil, a window of opportunity has opened for hackers, leaving businesses and global organizations vulnerable as they conduct their operations. Cyber-crime and cyber-security go hand in hand. The advent of technology is a boon as well as a curse, and hackers thrive on the latter. Data security has been a long-term challenge for governments and economies across the globe. COVID-19 has created its own urgency, and while the whole world is busy coping with the medical and economic challenges, our data is being jeopardized and is on the verge of compromise. A significant concern therefore arises: is our data safe during this pandemic?
Recently, during the pandemic, the Czech city of Brno was the first to be exposed to a cyber-attack: University Hospital Brno was hit by a ransomware attack that significantly disrupted its operations. It forced the interruption of surgical treatment and of the sharing of medical data between departments. Ransomware is the most common form of cyber-attack that puts the data of entities at stake. It is a mechanism in which phishing emails are sent whose contents play on a person’s conscience and lure that person into clicking an infected link or downloading an attachment that is part of the email. As soon as the person does so, the malware is triggered, and within seconds the data on the system is under the control of the hackers. In most cases the end goal of the cyber-attack is to demand a ransom, but there may be cases where destruction of data is the sole motive, or where the data is put on sale on websites such as the Darknet at cheap prices, undermining the whole conception of privacy. This puts data privacy as well as data security at stake.
Cyber-threats vary greatly, and the healthcare sector is especially vulnerable to cybercrime. In 2018, there were at least 363 data breaches worldwide that drastically affected health institutions, compromising 10 million documents. Hacking the data of public health institutions puts psychological pressure on healthcare personnel as well as governments to kneel before such attacks. Ransomware takes over the hospital’s systems, gaining control of patients’ medical data and restricting access to the machines and tools used to perform tests and operations on patients. During the COVID-19 pandemic in particular, a loss that handicaps the testing of COVID-19 suspects and interrupts their further treatment is a nightmare for a health institution and poses a major risk. The immediate solution that presents itself is to give in to the demands of the culprits. Data theft at desperate times like these shatters the motivation of personnel to work and is a blot on morality and humanity.
International organizations involved in regulating the plans and policies to tackle the pandemic are also prone to such threats. Recently, the WHO reported a five-fold increase in cyber-attacks on its servers. Around 450 active email addresses and passwords were leaked online, targeting those who were working on the novel coronavirus. During this pandemic, when every thought is drawn towards a solution to the menace of COVID-19, hackers take advantage of that mentality. They develop a domain that appears to offer guidance and approaches for tackling the situation. In the current state of mind, most people would not give it even a blink of suspicion, and thus they fall prey. Such an attack can compromise any system, be it a desktop, laptop, or mobile phone, and all the saved contents of the device as well as uploaded passwords and documents can be compromised. This calls for best practices for responsible data collection and global standards for data processing.
At this stage of the pandemic, when the whole world is involved in fighting the virus, being proactive is key to safety, physically as well as virtually. Controlled processing of data and precaution in data transfer should be mandatory. The less data is collected and processed, the less it is exposed to exploitation. Therefore, when data is collected, even from affected people, a principle of proportionality should apply: collection should be proportional to the seriousness of the public threat and must be scientifically justified. More and more manual storing of data should be encouraged. Data backups should be created at multiple places to avoid loss at the user’s end. A secured, encrypted network should be used. Complete precaution with respect to internet usage and data involvement is therefore significant.
The collecting and processing of personal data under the garb of a health emergency is a malicious practice. Government officials and state actors should respect the privacy of the people without losing public trust. No method of data collection should be arbitrary or discriminatory; each should follow global standards. This situation invokes the data protection laws of the respective country. Recently, the European Data Protection Board released a statement on the processing of personal data in the context of the COVID-19 outbreak. Health authorities, through the channel of government, may invoke data protection laws to process data even without the consent of the general public. Article 9 of the European Union General Data Protection Regulation (GDPR) allows the processing of personal data to tackle serious health issues for reasons of public interest. Therefore, data processing should be proportional to the requirement of data for public emergencies. The principle of proportionality might help in eradicating espionage by state or state-sponsored cybercrime actors during the pandemic, thereby restricting the offense of data theft.
The Road Ahead
In the post-COVID-19 scenario, unprecedented changes are destined to occur. Reviving the economy will take time. Meanwhile, things will go on and challenges will be faced, and cyber-security and data protection will emerge as one such stringent challenge to work on. Consideration of data protection laws across the globe should become a priority so that the world stands ready to tackle such threats with greater ease. The great mass of people are still unaware of the virtual threats that surround them, and an awareness drive or a #hashtag movement could prove to be the need of the hour to make our data safe in this pandemic.