NEW HAMPSHIRE BUSINESS REVIEW ● NHBR.COM
THE LAW
Videoconferencing: How to ensure privacy and security
Beware of the risks – like ‘Zoombombing’ – and measures you can take to prevent them
Videoconferencing is a critical component of our new normal. Society is using it in record numbers to connect with family and friends, engage in remote education, sustain our businesses, participate in social gatherings and for a multitude of other purposes. Like any technology, if not properly managed, videoconferencing poses risks to the privacy and the security of our personal information. Businesses and individuals using the technology should be aware of those risks, and implement appropriate safeguards to mitigate or prevent them.
Access and security controls
“Zoombombing” is the newest neologism to enter our lexicons, and the most common insecurity. The term derives from the prominent videoconferencing application Zoom, which exploded from about 10 million to 200 million users practically overnight.
To participate in a Zoom or other video conference (like Skype, GoToMeeting, Google Hangouts/Meet, Microsoft Teams, Slack, Cisco WebEx, etc.), the meeting organizer typically emails a link to attendees. However, without proper controls, the link can be used by anyone to access the conference, and sometimes links are publicized on websites and social media, particularly if meetings are public.
Hackers acquire links to videoconferences to steal personal information (like names, emails and contact information), and valuable confidential business information available as a part of those meetings. They also can disrupt meetings by overwhelming attendees with offensive content (typically pornography or hateful images), causing the meeting to terminate. Predators and thieves also covertly penetrate videoconferences to gather information about children engaging in remote education or connecting with friends, and to acquire detailed video information useful for burglary.
These dangers are exacerbated if hackers have installed malware on computers or mobile devices that permits them to control the cameras and microphones.
Most videoconferencing applications have controls that can be configured to mitigate such dangers. For starters, all conference transmissions should be encrypted. Moreover, organizers can require attendees to enter passwords to access meetings, and can restrict or eliminate the ability of participants to share content. Conferences also can be established with virtual waiting rooms, permitting organizers to admit only intended participants, or as webinars rather than meetings, restricting the ability of attendees to distribute content or interact with each other.
Notice, consent and secure retention
Videoconference applications commonly either automatically record or permit recording of the content. Given the vast quantities of sensitive information exchanged using this technology, such recording raises significant privacy and security issues. Privacy laws require meeting organizers to notify participants and (in some situations) obtain consent to collect, use and disclose the personal information acquired about participants. State and federal wiretap laws likewise require consent to record and store certain audio and electronic communications.
As a result, meeting organizers should integrate appropriate notice into all videoconferences, technologically require express consent from participants whenever private meetings are recorded, and obtain at least implied consent from attendees of recorded webinars.
Recorded videoconferences also should be securely stored, and the applications permit a variety of retention methods, such as on a cloud, device hard drive or server. Meeting organizers should ensure that the retention method selected is secure, including encryption of the recordings and such hard drives, and use of strong passwords and multi-factor authentication to access such clouds and networks. Additionally, organizers should technologically limit or prevent meeting participants from making their own recordings.
Due diligence and agreements
Most videoconference providers disclose on their websites the privacy and security controls inherent in their applications, and provide instructions about how to configure such controls. Before using these applications, businesses and individuals should do due diligence to ensure that the controls are sufficient for their particular uses of the technology, and enable them to comply with the privacy and security laws that apply to them as well as the individuals who may participate in videoconferences.
Some videoconference providers also will sign agreements with users that are designed to comply with privacy and security laws, including domestic laws like HIPAA, the Child Online Privacy Protection Act and the California Consumer Protection Act, as well as foreign laws like the European Union General Data Privacy Regulation.
The coronavirus crisis presents a multiplicity of challenges and risks. As society increasingly adopts technologies like videoconferencing to facilitate our new normal, we all must implement appropriate measures to ensure that the use of these technologies does not endanger the privacy or security of our families, friends, businesses, customers and each other.
Attorney Cam Shilling chairs McLane Middleton’s Information Privacy and Security Practice Group.