Summary
As the Covid-19 Pandemic forces more employees than ever before to work from home (“WFH”), businesses face new and different data privacy and security risks. This change is not lost on U.S. regulators, but it does not mean that businesses will get a pass on data privacy and security issues potentially caused by the shift in working conditions. In an effort to help businesses navigate these new circumstances, BCLP has prepared a series of articles on addressing data privacy and security issues in a WFH environment.
During our initial article on adapting to the WFH environment, we noted that companies should be mindful of guidance from their regulators to avoid the “I told you so” moment. On April 16, the Federal Trade Commission (“FTC”) issued guidance on the use of videoconferencing1 in response to very public privacy and security issues related to the surge in videoconference use. Companies are now, arguably, on notice of what the FTC expects from them with regard to videoconferencing. Here are the most salient points from that FTC guidance:
- Lockdown Who Can Attend. Each type of videoconferencing software comes with its own suite of tools to prevent unwanted guests. Your team should be familiar with these tools and should use them to ensure that only invited guests join your videoconferences. Ideally, companies should select a videoconference solution and then push out policies and procedures to employees so that everyone understands how to use the chosen solution securely and safely.
- Be Aware of the Video. Make sure employees understand what’s expected of them on videoconferences. Everyone has seen at least one funny meme of someone doing inappropriate things on a video conference without realizing they are on camera, much to the subject’s embarrassment. To avoid those issues, remind employees when conferences are using video. A quick reminder at the top of a call can help avoid embarrassing issues.
- Plan for Recordings. Determine whether recording of videoconference is something that your company needs. If so, how extensively is it needed? Have a policy on the use of recordings and let your employees know what that policy is. Always let participants know at the beginning of the videoconference if it is being recorded so as to not run afoul of laws requiring all-party consent (if no one objects to the recorded, consent is implied).
- Know the Software’s Privacy Policy. Whatever software you choose to use, you should be familiar with its privacy policy, and you should make certain that its privacy practices are compatible with your company’s purposes, including whether any of the data related to your call will be utilized by the company for its own purposes or shared with third parties. If you don’t know what information the software is collecting, you shouldn’t be using it for any conferences that involve sensitive information.
- Update the Software. As with any software, you should always keep your software patched and fully up to date. Having the latest version of the software helps to ensure that your team can take advantage of any changes made by the developer in response to user feedback on safety and security.
- Develop a Robust Videoconferencing Policy. All of the foregoing should feed into a robust policy concerning videoconferencing. Such a policy should address both the technical and non-technical items discussed above and should be shared with employees as the policy develops over time.
This article is part of a multi-part series published by BCLP to help companies understand and cope with data security and privacy issues impacted by the Covid-19 Pandemic. You can find more information on specific data privacy and security issues in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1.
[View source.]
