As I write this week's letter, some good news hit the headlines: Hiring in the U.S. was robust in July. Unemployment is down and the labor market is steadily recovering. People are going to restaurants, taking summer trips and spending money. 

Yet, this is layered on shaky ground as the COVID-19 delta variant spreads across the nation. A quick look at The New York Times shows new cases and deaths are up. The U.S. Centers for Disease Control and Prevention issued new masking guidance in response to the delta variant, which calls for vaccinated people to wear masks indoors in "areas of substantial or high transmission." There's even some proof of "breakthrough" cases where fully vaccinated people get infected with this variant, though the numbers appear low. 

What does all this mean, exactly? Well, if you look at this map, there's a good chance you reside in a high transmission area. Of course, no one wants to repeat the dreaded lockdown scenario and bring the economy back down to spring 2020 depths, but there's no doubt this new variant is potent. 

This conundrum means many businesses now require proof of vaccination. Axios continues to compile a list of all the major companies requiring vaccination as more employees return to office. And yes, according to the Equal Employment Opportunity Commission, it is legal for companies to issue such a requirement. 

For many organizations, trust has been the deciding factor in determining whether one is vaccinated or not. Though people could fib as to whether they're vaccinated, we should all know at this point COVID-19 does not lie. 

In New York City, Mayor Bill de Blasio announced individuals participating in indoor activities at restaurants, gyms, movie theaters and performances will soon be required to demonstrate proof of vaccination.

But here's the rub: How? For New York, there's at least three ways: show your paper vaccination card, use the Excelsior Pass or the NYC Covid Safe application. The New York Times does a good job presenting many of the issues embedded in a vaccine passport regime and for the sake of brevity, I won't go into all of them here. 

Mayor de Blasio characterized the passports optimistically, saying it's "simple — just show it and you’re in." But that's hardly the case. For our purposes as privacy and data protection professionals, vaccine passports present a slew of authentication, data security, secondary use and surveillance issues. 

Consider, for example, authentication. The Excelsior Pass references the state's vaccine registry. In order to find a person’s record, it checks his or her name, date of birth, ZIP code and county of vaccination against the registry so if there's even one typo in there, a person will not be authenticated. Others have demonstrated how they can fake their identity in the NYC Covid Safe app. 

Then there's mission creep. Widespread requirements for vaccine passports could be a slippery slope. The New York Civil Liberties Union, for one, believes the passport regime could usher in a new era of digital surveillance that tracks people's locations and health status. As the NYCLU's Allie Bohm asks: “How do we make sure that in 20 years we’re not saying, ‘Well, there was COVID, so now I’ve got this passport on my phone that is also my driver’s license and also has every health record I’ve ever had and every time I go into a store I have to swipe it?’”

Plus, we're talking about countless small businesses needing to operationalize a passport requirement. There certainly will be more vendors crowding into this space to offer products and solutions. Will they incorporate privacy and security by design? Let's hope so. 

This all goes to say we collectively continue to have obstacles to navigate in this pandemic. We need the economy and our population to get healthy, but in order to accomplish this, privacy and data security will play a significant role.