Zoom-Bombing, Data Sharing, and Working Remotely: Don’t Forget about Privacy and Data Security During the COVID-19 Pandemic
The COVID-19 Pandemic is forcing organizations to adjust their operating practices to continue operations, meetings, classes, and services remotely insofar as possible. Organizations using these types of technologies, as well as those providing them, should carefully consider their privacy and data security practices when both offering and using these technologies.
The continued importance of privacy and data security during the pandemic was recently reinforced by the New York Attorney General’s Office (NY AG) which, on March 30th, sent a letter to Zoom, the popular video and telecommunications provider, requesting information about the company’s privacy and data security practices, according to The New York Times. The request followed reports that third parties had joined meetings being conducted using Zoom and disrupted the meetings, including in some cases with pornographic and anti-Semitic content. Such disruptions have been dubbed “Zoom-bombing.” The FBI’s Boston Field Office and the Anti-Defamation League, among others, have published guidance about how to combat Zoom-bombing.
These developments are a useful reminder to both users and providers of online services being utilized more regularly during the pandemic to conduct meetings, facilitate telecommuting, or otherwise carry on business, of the importance of privacy and data security protections. Videoconferencing in particular is seeing increased use, and Zoom is a popular choice.
Considerations for providers of online services, such as video-conferencing:
- Ensure that your organization’s privacy policies accurately reflect the privacy practices of your organization and your service(s);
- Ensure that your services include appropriate data security safeguards;
- If your organization’s services are seeing significantly increased demand due to the pandemic or your organization is launching new services, ensure that data security safeguards and controls are working properly in light of the increased demand;
- Ensure that each service addresses any specific safeguards that may be required by law for your customer or client base (e.g., HIPAA, FERPA, CCPA, GDPR).
Considerations for organizations using online services, such as video-conferencing:
- Take care in selecting which service to use, considering whether the service is free to the user or fee based, understanding that an organization may have more security features available for paid services;
- Ensure your workforce is dealing with the actual provider of services and not a cyber-criminal by having protocols in place related to emails, attachments, and fraudulent domain names, and by regularly applying updates provided by your service provider;
- Conduct due diligence to confirm that the service provider has taken steps to comply with any privacy laws that may be applicable to your organization (e.g., HIPAA, FERPA, CCPA, GDPR); and
- Provide ongoing training and instructions to your workforce in connection with the use of technology, including video-conferencing and other collaboration tools. This is especially helpful because many are working remotely for the first time as a result of the pandemic.
  - For example, training on a service’s features and settings, including using unique meeting codes or IDs for video-conferences, requiring a meeting password, limiting screen sharing to the host only, not allowing participants to record calls, and locking a meeting once it has started.
If you have questions about your organization’s privacy policies or privacy-related practices, please contact Kevin Coy at firstname.lastname@example.org or Montserrat C. Miller at email@example.com.
- Kevin L. Coy