COVID-19 Client Primer | Maximizing Teleconferencing Privacy

Shook, Hardy & Bacon L.L.P.

ANALYSIS

Maximizing Teleconferencing Privacy

With much of the nation under orders that limit employees’ ability to go into the office, organizations around the world are increasingly moving entire businesses online with the help of teleconferencing tools. With a discrete number of vendors providing services to accommodate the sudden need to work from home, malicious third parties are likely to be on the lookout to exploit vulnerabilities in the tools that organizations are flocking to use.

For example, attackers recently infiltrated a public virtual “happy hour,” hijacked the screen displayed to participants and presented explicit and racist material. A group of malicious users took turns presenting graphic material to the other attendees—much to the dismay and helplessness of the meeting hosts—and the hosts were forced to end the meeting early to stop the onslaught of unsavory content.

Aside from malicious attackers, questions regarding a teleconferencing tool’s collection and use of data have bubbled up. Zoom has recently become the focus of regulatory enforcement actions, a putative class action and publicity as a result of concerns relating to its privacy and data security practices and policies.

In light of these risks, companies should take this time to closely assess the teleconferencing tools they use. The assessment should be three-fold, at minimum:

  1. Read the privacy policy of your teleconferencing vendor;
  2. Enforce security controls to ensure safe use of teleconferencing tools; and
  3. Advise employees on best practices and security risks when teleconferencing.

Read the Privacy Policy of Teleconferencing Vendors

While the need for work-from-home tools is important during the COVID-19 pandemic, organizations should take a look at the privacy policy of their current teleconferencing vendor and understand any potential risks. Organizations should pay particular attention to the following in a privacy policy:

  • Information being collected by the teleconferencing vendor, such as:
    • Attendee information (e.g., name, mailing address, employer, email address, job title, device information, payment information); and
    • Meeting information (e.g., list of attendees, video recordings of the meetings, transcriptions of meetings, data about how the application is being used); and
  • How that information is being used, such as:
    • Third parties with which the information is shared (e.g., social media, advertising companies);
    • Purpose of sharing (e.g., for sale, advertising or other business purposes); and
    • Data retention (e.g., how long and where the collected data is stored).

Using these data points, organizations can design and implement an informed and decisive plan.

Enforce Security Controls

Organizations should tailor their plan to block or restrict certain teleconferencing features. For example, organizations that anticipate frequently using teleconferencing to discuss sensitive information may enforce more stringent controls than those that do not. Likewise, with an understanding of the types of information being collected by a teleconferencing vendor, organizations can formulate plans to restrict or anonymize data being sent to teleconferencing applications and their affiliates.

Organizations should consider enacting the following controls:

  • Disable file transfer ability – Prevent malicious users from sending malware through the teleconferencing tool by disabling all file-transfer ability.
  • Restrict screen sharing – By giving screen-sharing abilities only to hosts, participants such as malicious users are unable to hijack a meeting and present offensive content.
  • Restrict how participants join – Administrators can opt to prevent participants from joining a meeting before the host joins, which keeps a malicious user from taking charge before the meeting has even started.
  • Enable password-protected meetings – Prevent malicious users from joining a meeting by requiring participants to input a password (in addition to a meeting ID) as an extra layer of protection.
  • Disable recording of meetings – Avoid confidentiality issues by disabling recording or transcription of a meeting. Likewise, disabling storage of chat conversations during a meeting maintains better privacy controls.
  • Keep software up-to-date – Update both the teleconferencing application and operating system software regularly so that security issues fixed by the manufacturer are actually patched on employees' devices.

While implementation of all of these controls in all circumstances may not always be appropriate, employees should at least be trained and knowledgeable on these controls and understand when and how to use them.

Advise Employees on Best Practices

Employees are sure to be inundated with teleconferencing requests—from both inside and outside of the organizations that they work for. While security controls provide a first line of defense, employees should be advised on how to maximize privacy while using teleconferencing tools, such as:

  • Assume all data is recorded – Employees should be aware there is a chance information from the meeting could be hacked and publicly disseminated (as already seen with Zoom “outtakes” on social media).
  • Use trusted methods to transmit sensitive information – Instead of trying to send files that contain sensitive information through the teleconferencing application, employees should follow their organization’s protocol for handling such information (e.g., encrypted, secure file transfer website or application).
  • Restrict what is shared – Before a meeting, hosts who plan to share their entire screens should clear their desktop of all documents and applications that will not be shared. Likewise, participants and hosts should understand that their surroundings (e.g., room, documents on a desk or table, other people in the room) will be presented during a video call and consider whether to adjust their surroundings or use an option to obfuscate their background (e.g., blur or replace background features). This approach minimizes the chance that sensitive information could be displayed to participants.
  • Avoid public teleconferencing meetings – Large public teleconferencing meetings provide the opportunity for malicious users to hijack the meeting. This risk can be minimized by preventing participants from joining before the host and giving screen-sharing capabilities only to hosts.
  • Ask if a meeting is being recorded – Employees should ask whether a meeting is being recorded. Some teleconferencing tools provide an indication of whether a meeting is being recorded to all participants, but that is not the case for all tools. Likewise, employees should be instructed on whether to consent to recording of meetings with third parties.
  • Cover webcam when not in use – Hackers may commandeer webcams even when a teleconferencing tool is not being used. By physically covering up a webcam when not in use, employees can ensure video recording is not taking place. Likewise, when employees are not actively speaking during a meeting, they should mute or disable their webcam and microphone until they do.

Again, common sense should dictate which of these considerations should be prioritized by an organization. Nevertheless, employees must understand all the risks of teleconferencing while working remotely and the ways to minimize those risks. By encouraging employees to change their mindset regarding teleconferencing tools, organizations can use these tools to enhance their business while still maintaining privacy controls.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Shook, Hardy & Bacon L.L.P. | Attorney Advertising

Written by:

Shook, Hardy & Bacon L.L.P.