Editor’s Note: Given the recent increase in remote working driven by the outbreak of the coronavirus disease 2019 (COVID-19), many legal professionals are now integrating tools into their business communications workflow that they may have never used before or may have never used in environments requiring the legal defensibility of communications. One of these tools is the Zoom teleconferencing platform. Provided below is a series of extracts from information notes, articles, and lawsuits that may be beneficial for consideration by data and legal discovery professionals and providers as they evaluate the use of Zoom in support of the conduct of eDiscovery.
New Information from Original Post Highlighted in Light Green
Full information note from the Data Protection Commission (DPC) Ireland
Data Protection Tip for Video Conferencing
In light of the recent increase in remote working, necessitated by COVID-19 mitigation measures, as well as the increased numbers keeping in touch online with friends and family, the number of people video-conferencing and video-calling has increased dramatically. This has also resulted in people using apps and services which they might not have used before, or are now using for different reasons – i.e. using an app they usually use for personal purposes now for work purposes or vice versa.
Concerns have been raised about how to use these technologies to keep in touch with colleagues and loved ones in a way that is safe and secure, and ensures an adequate standard of data protection.
Here are some tips to help both individuals and organizations (such as employers who might introduce new or increased video-conferencing arrangements for employees) use these services in a safe manner.
Tips for Individuals
- Make sure that the device you use for video-calling has the necessary updates, such as operating system updates (like iOS or Android) and software/antivirus updates (and make sure it has antivirus/online security software in the first place).
- Try to use services that you know and trust, have done some research on, and/or have been vetted and suggested by your employer, etc., for video-conferencing or video-calling.
- Take some time to read over the service’s privacy or data protection policy to be sure who your personal data is being shared with, where it will be stored or processed, and what purposes it will be used for, amongst other information.
- Think twice about what permissions for data or sensors you are being asked for: Do you really need to share your location or your list of contacts for instance? What will that data be used for?
- If the data protection or privacy information is inadequate or too much information or access to your device is being sought, you should be wary of sharing personal data with this service, and may want to take further steps, or consider another service.
- Ensure your device is used in a safe location, for example, keep an eye on what (or who) can be seen from your camera, and be sure to log out, mute, or turn off video, as appropriate, when you leave or take a break.
- Consider the data protection and privacy rights of others before you post or share a picture or video of a video-call that contains their image, voice, and/or contact details.
- Have a read of our general tips on staying safe online during a pandemic
Tips for Organizations
- Employees should be using your contracted service providers for work-related communications. Ensure you are happy with the privacy and security features of the services you ask them to use. Ad-hoc use of apps or services by individuals should not be encouraged.
- Try to ensure that employees use work accounts, email addresses, phone numbers, etc., where possible, for work-related video-conferencing, to avoid the unnecessary collection of their personal contact or social media details.
- Make sure that clear, understandable, and up-to-date organizational policies and guidelines are provided to those using video-conferencing, so they know what rules to follow and steps to take to minimize data protection risks. This should include information on the controls the services provide and that are available to them to protect their security, data, and communications.
- Implement, and/or advise employees to implement, appropriate security controls such as access controls (such as multi-factor authentication and strong unique passwords) and limit use and data sharing to what is necessary.
- Where video-conferencing services need to be used for organizational reasons, have a consistent policy regarding which services are used and how, and offer through VPN or remote network access where possible.
- Avoid sharing of company data, document locations or hyperlinks in any shared ‘chat’ facility that may be public as these may be processed by the service or device in unsafe ways.
- Read our guidance on Protecting Personal Data When Working Remotely and our guidance on data security and make sure the points contained within are made clear to employees.
Full information note from the Data Protection Commission (DPC) Ireland
Protecting Personal Data When Working Remotely
- Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced,
- Make sure that any device has the necessary updates, such as operating system updates (like iOS or Android) and software/antivirus updates.
- Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimize who else can view the screen, particularly if working with sensitive personal data.
- Lock your device if you do have to leave it unattended for any reason.
- Make sure your devices are turned off, locked, or stored carefully when not in use.
- Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
- When a device is lost or stolen, you should take steps immediately to ensure a remote memory wipe, where possible.
- Follow any applicable policies in your organization around the use of email.
- Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email make sure contents and attachments are encrypted and avoid using personal or confidential data in subject lines.
- Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.
Cloud and Network Access
- Where possible only use your organization’s trusted networks or cloud services, and complying with any organizational rules and procedures about Cloud or network access, login, and data sharing.
- If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.
- It’s important to remember that data protection applies to not only electronically stored or processed data, but also personal data in manual form (such as paper records) where it is, or is intended to be, part of a filing system.
- Where you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g., shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
- If you’re dealing with records that contain special categories of personal data (e.g., health data) you should take extra care to ensure their security and confidentiality, and only remove such records from a secure location where it is strictly necessary to carry out your work.
- Where possible, you should keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices.
An extract from an article by Nick Statt via The Verge
Google Bans Its Employees from Using Zo0m Over Security Concerns
Google is issuing a ban on the use of the Zoom teleconferencing platform for employees. The company is citing security concerns with the app that have arisen since Zoom became one of the most popular services for free video chatting during the COVID-19 pandemic. The news was first reported by BuzzFeed News earlier today [April 8, 2020].
Google emailed employees last week about the ban, telling workers who had the Zoom app installed on their Google-provided machines that the software would soon no longer function. It is worth noting that Google offers its own enterprise Zoom competitor called Meet as part of its G Suite offering.
Other issues have included exposed Zoom recordings, undisclosed data sharing with Facebook, exposed LinkedIn profiles, and a “malware-like” installer for macOS. The company now faces a full-blown privacy and security backlash. Zoom has responded by racing to plug holes and beef up its consumer and corporate protections to stave off stiff competition from Microsoft Teams and Skype, Google’s G Suite apps, and other more traditional teleconferencing providers. Zoom said earlier this month that it would pause new features for 90 days to focus on privacy and security.
An extract from an article by Matthew Finnegan via Computerworld
Zoom Hit By Investor Lawsuit As Security, Privacy Concerns Mount
The challenges facing Zoom continue to mount, as the company now faces an investor lawsuit and more organizations ban the use of the video meeting app due to privacy and security concerns. The company also upped efforts to improve its security and privacy practices by hiring Facebook’s former CSO as a consultant.
Zoom has seen a surge in use in recent weeks as self-isolation in response to the pandemic ramps up the demand for video software. As its popularity has boomed – both for business and personal use – and the company’s stock price rocketed, Zoom has come under pressure on a number of fronts.
On Tuesday [April 7, 2020], shareholder Michael Drieu filed suit in a California federal court, alleging that Zoom “significantly overstated” the degree to which its platform is encrypted, failing to disclose these “deficiencies” to shareholders.
Zoom admitted on April 1 to a “discrepancy” in its definition of end-to-end encryption from the commonly accepted definition. Drieu claims he and other shareholders have suffered “significant losses and damages” due to a drop in Zoom’s share price after the admission.
An extract from a class-action lawsuit filed against Zoom Video Communications
Cullen v. Zoom Video Communications, Inc.
US District Court for the Northern District of California, March 30, 2020
Zoom, however, has failed to properly safeguard the personal information of the increasing millions of users of its software application (“Zoom App”) and video conferencing platform. Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties, including Facebook, Inc. (“Facebook”), invading the privacy of millions of users.Zoom-Complaint-Case 5-20-cv-02155 Document 1 Filed 033020
An extract from a class-action lawsuit filed against Zoom Video Communications
Drieu v. Zoom Video Communications, Inc. et al
US District Court for the Northern District of California, April 7, 2020
The truth about the deficiencies in Zoom’s software encryption began to come to light as early as July 2019. However, due in large part to the Company’s obfuscation, it was not until the COVID-19 pandemic in March and April of 2020, with businesses and other organizations increasingly relying on Zoom’s video communication software to facilitate remote work activity as governments increasingly implemented shelter-in-place orders, that the truth was more fully laid bare in a series of corrective disclosures. As it became clear through a series of news reports and admissions by the Company that Zoom had significantly overstated the degree to which its video communication software was encrypted, and organizations consequently prohibited its employees from utilizing Zoom for work activities, the Company’s stock price plummeted, damaging investors.Zoom-Complaint-Case 3-20-cv-02353 Document 1 Filed 040720
An extract from an article by Oded Gal via the Zoom Blog
The Facts Around Zoom and Encryption Meetings/Webinars
In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it. This blog is intended to rectify that discrepancy and clarify exactly how we encrypt the content that moves across our network.
The goal of our encryption design is to provide the maximum amount of privacy possible while supporting the diverse needs of our client base.
To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.
An extract from an article by Maria Crimi Speth of Jaburg Wilk
How Private is Zoom Videoconferencing?
Many of us find ourselves attending meetings by video conference, such as Zoom. You might even be having confidential interactions with your clients, medical providers, or legal providers. If you are wondering how secure those interactions are, we analyzed Zoom’s security, legal, and privacy policies (which were updated on March 18, 2020) to help you stay informed without having to read all the fine print.
We want to emphasize that:
- Zoom does not sell our users’ data.
- Zoom has never sold user data in the past and has no intention of selling users’ data going forward.
- Zoom does not monitor your meetings or its contents.
- Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR and the CCPA.
An extract from an article by Amanda Fennell of Relativity
How to Maximize Cybersecurity While Working Remotely [Updated]
You may also be hearing a lot of news about security and privacy concerns surrounding the use of Zoom, a popular video conferencing software. At Relativity, we use Zoom on a daily basis. We are vigilant about ensuring we are using the most current version of the application, as well as applying additional security controls that help protect our customers, employees, and company from cyber threats.
Please take a look at this article on the Relativity Community site for more information on this subject, including advice on how to use this application more securely.
An extract from an article posted on the Relativity Community Site
Calder7’s Tips for Working Securely with Zoom
As for end-users? There are a number of ways you can protect yourself as you use Zoom to connect with peers, collaborate with colleagues, and catch up with clients. Because we use Zoom every day, Calder7 has put together a document on how to do just that and shared it across Relativity. We’ve decided to make it available to our community as well, to help support you as you adapt to this new world right along with us.
Get your copy here, and feel free to share with your colleagues to ensure greater protection across your team. You can find more tips for maximizing cybersecurity while you work remotely on The Relativity Blog.
An extract from a press release by ComplianceDS
Compliance Proudly Offers Distributed Review, a Remote Document Review Service with Strong Focus on Security
With a national database of qualified and experienced candidates, Compliance boasts resources in every corner of the US, allowing them to find and assemble the best candidates for eDiscovery review projects. Legal professionals are vetted through an in-person and/or Zoom video conference interview, then screened via background check (which includes bar checks, reference checks, previous employment, education verification, and, as applicable, criminal background investigation). All candidates have prior review experience and their daily interactions are monitored through Compliance’s management and productivity portal, along with detailed reporting.
An extract from an article by Christopher Buontempo and Cynthia Larose via Mintz
Zoom Lessons Learned: Vendor Privacy and Security Risks During COVID-19
The rush to engage vendors during the COVID-19 pandemic should not be at the expense of privacy and security. Whether your company is currently evaluating vendors, or has already rolled out remote working technology solutions, now is the time to think about these issues.
An extract from an article by Wynter Deagle, Anne-Marie Dao, and Yarazel Mejorado via Bloomberg Law
INSIGHT: To Zoom or Not to Zoom-Privacy and Cybersecurity Challenges
With the numerous privacy concerns being raised, businesses should carefully weigh the risks and benefits of using Zoom conferencing over other platforms such as WebEx or Skype. Businesses continuing to use Zoom should revise or implement privacy protocols that address proper use of video conferencing software and include provisions designed to mitigate some of the associated privacy risks.
- The Race to the Starting Line? Recent Secure Remote Review Announcements
- Cyber Actors and Criminals: Two Cybersecurity Updates from the FBI
Have a Request?
If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.
ComplexDiscovery is an online publication that highlights cyber, data, and legal discovery insight and intelligence ranging from original research to aggregated news for use by cybersecurity, information governance, and eDiscovery professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data, and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.
ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data, and legal discovery organizations. Focused primarily on supporting the ComplexDiscovery publication, the company is registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world. The company operates virtually worldwide to deliver marketing consulting and services.