Zoom-Bombing, Data Sharing, and Working Remotely: Don’t Forget about Privacy and Data Security During the COVID-19 Pandemic

The COVID-19 Pandemic is forcing organizations to adjust their operating practices to continue operations, meetings, classes, and services remotely insofar as possible.  Organizations using these types of technologies, as well as those providing them, should carefully consider their privacy and data security practices when both offering and using these technologies.

The continued importance of privacy and data security during the pandemic was recently reinforced by the New York Attorney General’s Office (NY AG) which, on March 30th, sent a letter to Zoom, the popular video and telecommunications provider, requesting information about the company’s privacy and data security practices, according to The New York Times.  The request followed reports that third parties had joined meetings being conducted using Zoom and disrupted the meetings, including in some cases with pornographic and anti-Semitic content.  Such disruptions have been dubbed “Zoom-bombing.”  The FBI’s Boston Field Office and the Anti-Defamation League, among others, have published guidance about how to combat Zoom-bombing.

The NY AG request also followed a report by Motherboard on March 26th, questioning data sharing between Zoom and Facebook. The report indicated that a Zoom mobile application sent data to Facebook whenever a Zoom user opened the application.  Zoom subsequently announced that the application, which supported use of Facebook as a means of signing into Zoom, included code that sent Facebook information about the user’s device (but not information about individual users).  Zoom indicated that this code had been removed, and updated its privacy policy on March 30th in an effort to clarify its practices.  A putative class action was filed against Zoom in the Northern District of California on March 30th, in connection with the sharing of information with Facebook.

These developments are a useful reminder to both users and providers of online services being utilized more regularly during the pandemic to conduct meetings, facilitate telecommuting, or otherwise carry on business, of the importance of privacy and data security protections. Videoconferencing in particular is seeing increased use, and Zoom is a popular choice.

Considerations for service providers of online services, such as video conferencing:

  • Ensure that your organization’s privacy policies accurately reflect the privacy practices of your organization and your service(s);
  • Ensure that your services include appropriate data security safeguards;
  • If your organization’s services are seeing significantly increased demand due to the pandemic or your organization is launching new services, ensure that data security safeguards and controls are working properly in light of the increased demand;
  • Ensure that third-party code or plug-ins used by your organization’s website or mobile application only provide information to third parties that you intend to provide (and that these disclosures are reflected in your privacy policy); and
  • Ensure that each service addresses any specific safeguards that may be required by law for your customer or client base (e.g., HIPAA, FERPA, CCPA, GDPR).

Considerations for organizations using online services, such as video-conferencing:

  • Take care in selecting which service to use, considering whether the service is free to the user or fee based, understanding that an organization may have more security features available for paid services;
  • Review the online service’s privacy policy to understand their privacy practices and impact on the collection and use of both your organization’s and workforce’s data;
  • Ensure your workforce is dealing with the actual provider of services and not a cyber-criminal by having protocols in place related to emails, attachments and fraudulent domain names, as well as by regularly applying updates provided by your service provider;
  • Conduct due diligence to confirm that the service provider has taken steps to comply with any privacy laws that may be applicable to your organization (e.g., HIPAA, FERPA, CCPA, GDPR); and
  • Provide on-going training and instructions to your workforce in connection with the use of technology, including video-conferencing and other collaboration tools. This is especially helpful because many are working remotely for the first time as a result of the pandemic.
    • For example, training on a service’s features and settings, including using unique meeting codes or IDs for video-conferences, requiring a meeting password, limiting screen sharing to the host only, not allowing participants to record calls, and locking a meeting once it has started.

If you have questions about your organization’s privacy policies or privacy-related practices please contact Kevin Coy at kevin.coy@agg.com or Montserrat C. Miller at montserrat.miller@agg.com.
