Contact tracing considerations for organizations

By Sumit Bansal, Managing Director, Sophos, ASEAN

Contact tracing is a key pillar in the efforts of many countries to manage the COVID-19 pandemic, along with mass testing and patient treatment.

As more workplaces reopen in the Philippines, we’ve seen increased interest in contact tracing initiatives, as fears linger due to the current number of COVID-19 cases in the country. If an organization is informed that an employee, customer, or visitor to its facilities has tested positive for COVID-19, having accurate data on who has come into contact with that individual helps to stop the spread of the virus, as it allows those people to be tested and to self-isolate immediately.

While contact tracing is helpful in stemming the spread of the virus, smaller organizations with limited resources may feel intimidated by the thought that they need advanced technology, backed up by a lot of work, to be effective.


Are apps the way to go?

Many countries around the world have implemented smartphone apps for contact tracing. However, these apps really only offer exposure notification, not actual contact tracing.

True contact tracing involves identifying where exposure and transmission may have occurred by understanding the patterns of recent movements of those who have been confirmed positive for COVID-19.

Most apps currently deployed only let you know if you were in proximity to another app user who has been confirmed to have the virus. These apps rely on Bluetooth radio technology to estimate the distance between different people’s devices, particularly in wide, open spaces. If you are confirmed to have been infected, public health authorities can use data from the app to notify other users of the app that they were within two meters (~6 feet) of you for at least 15 minutes.

Unfortunately, because Bluetooth radio waves travel quite efficiently through barriers, and because the app can’t tell whether people were wearing masks, face shields, or other personal protective equipment, these apps may generate widespread false-positive notifications. Aside from causing undue alarm, this also makes the process inaccurate and inefficient. Lastly, but just as importantly, even with Apple and Google offering support for contact tracing, many people in markets like the Philippines do not have smartphones, so we can expect cases to fall through the cracks untracked.
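To make the exposure-notification logic described above concrete, here is an added illustrative example (not code from Sophos or from any contact tracing app). It estimates distance from Bluetooth signal strength with an assumed free-space path-loss model, then flags a peer only when cumulative close contact reaches the article’s two-meter / 15-minute threshold; the distance model is exactly why walls and bodies are invisible to it, so a barrier between two phones does not reduce the estimated exposure.

```python
"""Illustrative exposure-notification matcher (assumed model, not a real app's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as stated in the article: within ~2 m for at least 15 minutes.
MAX_DISTANCE_M = 2.0
MIN_EXPOSURE = timedelta(minutes=15)


def estimate_distance(rssi_dbm, tx_power_dbm=-59.0, path_loss_exponent=2.0):
    """Log-distance path-loss model (an assumption): distance in metres from RSSI.

    tx_power_dbm is the reference RSSI at 1 m; exponent 2.0 is free space.
    Walls, bodies and masks are not modelled, which is a source of false positives.
    """
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * path_loss_exponent))


@dataclass
class Sighting:
    peer: str            # identifier broadcast by the other device (constructed)
    start: datetime
    end: datetime
    rssi_dbm: float      # strongest signal seen during this contact window


def close_contact_totals(sightings):
    """Sum, per peer, the time spent at an estimated distance of MAX_DISTANCE_M or less."""
    totals = {}
    for s in sightings:
        if s.end > s.start and estimate_distance(s.rssi_dbm) <= MAX_DISTANCE_M:
            totals[s.peer] = totals.get(s.peer, timedelta()) + (s.end - s.start)
    return totals


def exposed_to(sightings, positive_peers):
    """Return the confirmed-positive peers whose cumulative close contact meets MIN_EXPOSURE."""
    totals = close_contact_totals(sightings)
    return sorted(p for p, t in totals.items() if p in positive_peers and t >= MIN_EXPOSURE)


# Constructed sample: two short close contacts with A add up to 20 min; B was close
# for 20 min but through a wall at ~4 m estimated; C was close but never tested positive.
T0 = datetime(2020, 6, 1, 9, 0)
SAMPLE = [
    Sighting("A", T0, T0 + timedelta(minutes=10), rssi_dbm=-62.0),
    Sighting("A", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=10), rssi_dbm=-60.0),
    Sighting("B", T0, T0 + timedelta(minutes=20), rssi_dbm=-71.0),
    Sighting("C", T0, T0 + timedelta(minutes=30), rssi_dbm=-59.0),
]

if __name__ == "__main__":
    print(exposed_to(SAMPLE, {"A", "B"}))  # only A meets the 2 m / 15 min rule
```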

Define the approach before the app

Although these apps aren’t totally useless, as the information they provide can still help shape public health responses, we can’t solely rely on them to provide the data required for effective contact tracing. Organizations are therefore conducting their own contact tracing efforts, which requires embracing the right approach to protecting the data they collect.

The Philippines’ National Privacy Commission (NPC) is on the right track with the guidelines it recently issued for organizations defining their contact tracing approach. While it highlights the primacy of public health considerations, it also urges the public to be mindful of the provisions of the Data Privacy Act of 2012 (DPA), which remain in effect.

The NPC encourages organizations to only collect what is necessary for the sole purpose of contact tracing. It also encourages companies to post easy-to-understand privacy notices, either on a highly visible area or on the initial pages of digital platforms, before personal data is collected.

The government agency also states that organizations need adequate security measures to protect personal data against any accidental or unlawful access or disclosure. The collected data should only be retained for the period allowed by current government mandates, after which, it should be disposed of in a way that prevents unauthorized access or disclosure.

As these are unprecedented times, understandably, many organizations are still figuring out what compliance with these guidelines looks like. However, we are already seeing room for improvement. While tech-powered options may not always be possible, businesses cannot simply place logbooks at the entrance of their facilities and ask customers and visitors to write down their full names, addresses, and contact details as they come in. Not only does this turn the sign-in area into a high-contact surface, but it also exposes visitors’ personal information to fellow visitors and random passersby. Instead, organizations should explore physical or digital collection forms that do not expose other people’s personal data, and then store them in secure systems or locations. This information should not be entrusted to a third party or stored offsite. Employees should also be given the necessary training in data collection, protection, and privacy.

Protecting private data amid public health concerns

Even, or perhaps especially, in these times, organizations are encouraged to devote the same care and attention to their visitors’ and customers’ digital safety as they do to their physical safety. Unfortunately, cyber-criminals have no qualms about exploiting the pandemic to victimize innocent people.

In fact, as of May this year, SophosLabs has already identified over 1,885 malicious domains using “corona” or “covid” in their names.

We’re also seeing an increase in emails with attached malware installers disguised as information on the pandemic, suspicious sites peddling medicines and equipment, and spam callers looking to trick people into sending money electronically or giving access to financial records. Such attacks can cause real harm to people’s already-vulnerable lives and livelihoods. In light of what we’re all facing right now, protecting our visitors’ and customers’ personal information is something we need to take even more seriously, not only out of compliance with global and local cybersecurity and data privacy standards but out of our sense of responsibility and compassion for the people we serve and work with.