The COVID-19 pandemic engulfing the world is already something for the history books. The resulting economic, social and political upheaval is, to put it mildly, unprecedented. Since the pandemic and its effects are on a scale not previously experienced in the modern era, organizations may be forgiven for not being immediately prepared for the shock of sudden social distancing policies. But will this be so if another pandemic similar in scale breaks out in the future? In other words, has COVID-19 put companies and other organizations on notice that they need to be prepared for the next pandemic?
In short, yes. Organizations can no longer claim that they were unprepared for a pandemic because it hasn’t happened in modern history. There’s a specific reason why this matters: legal liability. To put it as simply as possible, if an organization should have been prepared for something, but wasn’t, and someone is harmed as a result – physically, financially, or otherwise – that company could be facing a lawsuit. Data breach lawsuits are an excellent example of this. In nearly all these cases, the company that suffered the data breach was unprepared in some way, whether it was deficient technical security measures, inadequate access controls, or some other security shortcoming. The lawsuits claimed that such defects made the defendant company negligent, and that this negligence was the source of the plaintiffs’ injuries.
Negligence is, of course, a legal term of art; it occurs when one party owes a duty to another party, and breaches that duty (typically through some careless action or inaction), thereby causing harm to that second party. In the data breach cases, the companies owed a duty to their customers to safeguard their data, and, according to the plaintiffs, the companies breached their respective duties by not maintaining their data security and privacy safeguards up to industry standards, allowing malicious third parties to steal customer data. The key takeaway is that companies were negligent because they failed to conform to industry standards.
In the context of pandemics, while there may not have been widely recognized pandemic “industry standards” before COVID-19 hit, there assuredly will be once the current pandemic has diminished. However, organizations should not wait for such standards to officially emerge, as the process leading to formal publication can often be a long one, and it’s likely that courts may expect companies will have learned their lessons from the first pandemic to better prepare for the next – and not give them a free pass simply because there aren’t industry standards for pandemic preparedness promulgated by any regulator or other authority.
As such, organizations should look to their own experiences and those of their industry peers during the COVID-19 pandemic to best improve their processes, policies, and procedures for the next pandemic. It’s difficult to predict the kinds of lawsuits that could emerge from an organization’s actions or failure to act during a pandemic. But, it is clear that thorough preparedness works to minimize an organization’s legal liability in most circumstances.