Editor’s note: This commentary was written by Arnall Golden Gregory LLP attorneys Kevin Coy and Montserrat Miller and is published as a part of the firm’s annual sponsorship of Global Atlanta.
By now, the COVID-19 pandemic has forced most organizations to adjust their operating practices to continue operations, meetings, classes and services remotely as much as possible.
But even in their haste to get things done while physically separated, companies using Zoom and other popular videoconferencing and technology platforms should take a moment to carefully consider their privacy and data security practices.
In anticipation of increased consumer and regulatory scrutiny, providers of such services should also pause to audit themselves on this front.
The New York Attorney General’s Office reinforced the continued importance of vigilance on both sides in a March 30 letter requesting more insight into Zoom’s practices. The request followed reports that third parties had joined meetings being conducted using Zoom and disrupted the meetings, in some cases posting pornographic and anti-Semitic content visible to virtual attendees. Other state attorneys general subsequently also have opened inquiries.
Such disruptions have been dubbed “Zoom-bombing.” The FBI’s Boston Field Office and the Anti-Defamation League, among others, have published guidance about how to combat Zoom-bombing, from limiting the sharing of meeting links to ensuring sessions are password-protected.
The long-term fallout remains to be seen. The New York attorney general request also followed a March 26 report by MotherBoard questioning data sharing between Zoom and Facebook. The report indicated that a Zoom mobile application sent data to Facebook whenever a Zoom user opened the application.
Zoom subsequently announced that the application, which supported use of Facebook as a means of signing in, included code that sent Facebook information about the user’s device but not information about individual users.
The Zoom case is a cautionary tale providing a useful reminder to both users and providers to shore up their privacy and data-security safeguards, both to enhance the user experience and perceptions and to protect against the risk of legal action.
Companies providing online services should consider the following:
- Ensure that your organization’s privacy policies accurately reflect the privacy practices of your organization and your service(s);
- Ensure that your services include appropriate data security safeguards;
- If your organization’s services are seeing significantly increased demand due to the pandemic or your organization is launching new services, ensure that data security safeguards and controls are working properly in light of the increased demand;
- Ensure that each service addresses any specific safeguards that may be required by law for your customer or client base (e.g., HIPAA, FERPA, CCPA, GDPR).
Organizations using online services, such as video-conferencing, should:
- Take care in selecting which service to use, considering whether the service is free to the user or fee based, understanding that an organization may have more security features available for paid services;
- Ensure your workforce is dealing with the actual provider of services and not a cyber-criminal by having protocols in place related to emails, attachments and fraudulent domain names, as well as by regularly applying updates provided by your service provider;
- Conduct due diligence to confirm that the service provider has taken steps to comply with any privacy laws that may be applicable to your organization (e.g., HIPAA, FERPA, CCPA, GDPR); and
- Provide ongoing training and instructions to your workforce in connection with the use of technology, including video-conferencing and other collaboration tools. This is especially helpful since many are working remotely for the first time as a result of the pandemic.
- For example, training on a service’s features and settings, including using unique meeting codes or IDs for video-conferences, requiring a meeting password, limiting screen sharing to the host only, not allowing participants to record calls, and locking a meeting once it has started.