The swift proliferation of Zoom and similar teleworking tools, due to the enforced work-at-home environment, has brought a number of security headaches with it. In addition to security, there are also other areas of risk to think through and manage. Below is a list of some of those areas, and recommended steps to mitigate associated risks.
Security
Confirm with your IT department that you have enabled appropriate security features. Choices include the following:
- Password-protect meetings, and keep the password private.
- Enable the “private meeting” setting.
- Use a “waiting room” that allows the host to check in the participants.
- Disable screen sharing for participants.
- Mute non-speakers and consider disabling private chat.
- Do not allow participants to change their usernames.
- Prohibit shared host credentials.
- Know the limits and exclusions of your cyber insurance coverage.
Also consider an enterprise subscription product rather than a consumer-grade download: such paid products often contain security features (and contractual remedies) not available via free apps.
Confidentiality
In addition to making the right security choices technologically, there are other steps to take to be sure you do not disseminate confidential information. Some items to consider:
- Instruct the host and any presenter to clear sensitive information from their screens, disable reminders, and close sensitive applications before sharing their screens.
- Instruct participants not to screenshot or record any part of the meeting (including the audio).
- If the meeting is about a particularly sensitive or confidential topic, consider requiring a confidentiality acknowledgement/agreement just as you would for a similar in-person meeting.
- Do not use consumer-grade shared drive applications or websites (Dropbox, Google Docs, etc.) to post or share sensitive material.
- If the meeting concerns attorney-client privileged matters, consider stating so at the beginning of the meeting, and remind participants not to create separate notes or electronic conversations (chat, Slack, text, etc.) regarding the proceedings.
- Ensure that internal (employee) policies are up to date with security and confidentiality practices required of employees who use teleconferencing technologies.
Privacy: General
- Remember that any teleconferencing tool collects personal data within the meaning of data privacy laws (including the GDPR and the CCPA).
- Be sure that you know what the application collects automatically and whether you can configure it to collect less information, and confirm that all information collected is covered by your organization’s IT rules, including those regarding data storage, use, access, and longevity.
- Consider taking down or deleting recorded meetings after a pre-determined period of time.
- Do not distribute recordings to participants; instead, use a centrally managed (and secure) link for access.
- Also be sure to update your privacy policy and employee notices to account for your use of teleconferencing tools, the security risks they present, and the information they collect.
Privacy: Suitability for All Persons and Information
Some topics or persons may be subject to special privacy protections. Most businesses should not plan to use Zoom or similar tools for any of the following unless they first perform a thorough privacy legal analysis with counsel and their technology professionals:
- Personal health information: Zoom and other teleconferencing tools may not be HIPAA compliant.
- Minors: Any personal information, including name, about children under 13 (US residents) or under 16 (EU). Minors are protected by stiffer privacy laws than the general population.
- Sensitive personal information: Some kinds of personal data are highly regulated in non-US jurisdictions, including the EU.
  - This type of information can include political affiliation, medical conditions, religious beliefs, gender identity and sexual identification, biometric information, and genetic information.
  - Note that calls placed from people’s homes may inadvertently provide this kind of information (because of posters, art, photos, or other background material). Consider addressing this kind of disclosure via your privacy policy, employee notices, and a reminder to participants that they are responsible for their chosen surroundings.
Notice of Recording/Consent
Recording a call without the consent of the participant can be a wiretapping violation depending on the locations involved.
- Announce at the beginning of the call that you will be recording it.
- Consider notifying participants in advance (e.g., via the invitation) that the call will be recorded and that participation constitutes consent to record.
- When you “press the button,” announce that you are beginning the recording.
Persistence of Digital Records
Like email, a digital recording is forever. Remind participants of this as necessary to curb any exuberant or inadvisable discussions.
Local Rules
Some schools, governments, and other institutions do not permit use of Zoom and other tools. Be sure you are compliant with any such restrictions.