In 1973, the US Supreme Court reached a 7-2 decision that the Due Process Clause of the 14th Amendment’s fundamental right to privacy protects a pregnant person’s right to an abortion. On 24 June 2022, the Court reversed that ruling by a vote of 6-3.
In a move that shocked the country, this information was leaked by an anonymous source ahead of the official decision. Following the leak and subsequent decision earlier this year, many US state and local laws will take or have already taken effect restricting access to abortions and other reproductive healthcare activities. This extends beyond state lines, too—citizens are traveling to states where abortion is still available, creating legal and privacy concerns for the doctors performing these procedures and anyone else involved. For example, in some cases, people are being denied prescriptions, cancer patients are being refused treatments, and even those with arthritis and ulcers are being denied prescriptions linked to miscarriages, because doctors and pharmacists fear legal ramifications for themselves under state abortion laws criminalizing reproductive healthcare activities. Healthcare workers providing reproductive healthcare, and their families, are being threatened and harassed, and more. This may become even more difficult if a new bill introduced in the Senate banning abortions nationwide after 15 weeks advances.
Tracking and surveillance have been around for several years; however, since the recent Dobbs decision, there has been a noticeable increase in these activities regarding not only women’s healthcare, but data privacy and security issues that affect people of all genders. And post-Dobbs, whether it has been through apps, social media, or data related to phone or use, smartphone surveillance has been utilized to target those who may be seeking abortions during clinic visits. These sorts of activities have been justified by those using them as “mobile digital advertising,” since most US federal laws do not strictly prohibit such advertising strategies.
The use of “mobile geo-fencing” to target women of childbearing age in this way has quickly become pervasive. A few days before I presented an ISACA webinar on this topic, I went to my hair shop for a bang trim, and while sitting in the barber chair I received an unsolicited message on my phone containing obvious reproductive health misinformation from one of the groups identified as using this tactic. I had never gotten a message like that before or after; it fits the profile of the groups sending such messages to locations where young women are often located. Even employers who provide apps that feature pregnancy tracking as part of their wellness benefits have been caught accessing the data from those apps, revealing intimate details of their employees’ personal lives.
ISACA is an apolitical organization. My goal in writing this is to objectively and factually look at the ways that the healthcare, data privacy and security issues that have emerged since this recent ruling have impacted and will continue to impact both businesses and individuals in the United States.
Actions Following the Dobbs Decision
After the Dobbs decision was leaked, data brokers started selling data about women who had visited clinics. There are many organizations, such as marketing and research firms, that depend on gathering as much data as possible and selling that data for large profits. Personal health and location data are being used to find and criminally charge those seeking abortions and the people who are helping them. There are increasing instances of coworkers, neighbors, friends and family turning each other in. In at least one case, a warrant was even issued to obtain Facebook messages from a teenager who had sought an abortion.
Organizations based in states where options for reproductive health have been restricted have found that such restrictions can actively hurt companies’ growth and their ability to keep employees. In response, many businesses have added benefits covering travel and healthcare procedure costs so that employees can access abortions and other reproductive care services, and even restricted prescription drugs they need, elsewhere. Additionally, other organizations have formed in the time since the decision—some to monitor women’s health activities and some to aid those seeking abortions.
Such actions prompt workers to ask, “What would my employer do if they were asked to turn over my personal data?” This question should spur an important discussion with HR, legal departments, and privacy and security areas about their protocols for addressing such situations, should they arise. Creating a centralized role to communicate with all outside entities requesting personal data, and including security and privacy requirements for contracted third parties, for example, can streamline and support consistency in handling these kinds of situations. Other questions to ask include, “When was the last time relevant policies were updated?” and “What are the terms of use, privacy notices and security policies of the programs and apps the company utilizes?”
This discussion also emphasizes the importance of having an established process for data collection, limiting collection to only the minimum data necessary to complete tasks and goals, and then deleting that data as soon as it is no longer necessary to have. It is also crucial to know where the data is stored, because if enterprises do not know what data they have or where it is located, they cannot protect it. These best practices are strong starting points for businesses to ensure that they are mitigating risks and meeting associated compliance requirements, while also providing benefits their employees find valuable, and, in some locations, necessary.
About the author: Rebecca Herold is the CEO of Privacy & Security Brainiacs. She originally shared this information in an ISACA webinar titled, “Post-Dobbs Privacy & Compliance.”