“Put footstep of courage into stirrup of patience1”
In response to COVID-19, businesses across the world are now closed, and hundreds of millions of professionals are operating remotely from home. We all need to be alert to the additional risks this presents for confidentiality, data processing, and cyber security, and show patience before we click.
We must all be conscious of personal data privacy in a GDPR world. Those working in the financial markets need to be mindful not to disclose any inside information. Solicitors are duty-bound to keep the affairs of current and former clients confidential (paragraph 6.3 of the SRA Code of Conduct for Solicitors). Barristers have a similar duty under Core Duty 6, and Rule C15, of the Bar Standards Board Handbook.
Last week a lawyer acting in a high profile trial was videoed by a fellow passenger speaking on a train about the case. A Sunday newspaper online showed the videoed conversation and BBC radio reported the incident. Although many of us will be making fewer train rides than normal over the coming weeks, as we acclimatise to working from home, we still need to consider who else may be listening and what we click on before we bring “it” into our homes.
If we live with housemates, we should make confidential calls out of earshot (this is also relevant for politeness’ sake – not everyone wants to hear the sound of your housemate’s favourite TV box set or piano practice over their settlement negotiations, online mediation or court hearing).
We also need to remain vigilant over suspicious emails and adverts: the National Cyber Security Centre (NCSC) reported a 400 percent increase in coronavirus related fraud reports in March. And we must be cautious if storing confidential information on personal devices, and downloading new software onto those devices.
When conducting confidential meetings using new video conferencing software, we should take steps to ensure that the discussion itself, and users’ devices, remain secure. Microsoft's video and audio chat service, Skype, has witnessed a surge in daily users. The other tools, Cisco’s Webex Meetings and Zoom have also reported record usage of their services over the last two months. Even the Prime Minister has used Zoom for cabinet meetings2.
Video conferencing tools open a lens into our business life and homes. Given how central these video conferencing tool providers have become to doing business and running the country since the lockdown, we cannot overlook their, or indeed our, compliance with EU and UK data protection law. All of the video conference providers need to be scrutinised to ensure that they are appropriate for your intended use and minimise the risk of a hack or confidentiality loss.
There have already been concerns expressed about the lack of transparency and clarity in the videoconferencing provider privacy policies. Whilst many of these criticisms could equally be levied against other businesses whose privacy policies are still not yet GDPR compliant, the calls for transparency are even greater for videoconferencing platforms as the rate of adoption has soared over a very short space of time.
A key concern in terms of transparency with these providers is what data is being shared with whom. The lack of transparency in some of the policies over whether these providers are acting as data controllers or data processors, and how much liability could potentially flow up to those selecting to use these platforms (who could be deemed data controllers and therefore potentially liable for any unlawful processing by the data processor) could be a potential area of dispute in the future.
Zoom has come under particular scrutiny in recent weeks. There have been reports of Zoom’s screen-sharing function being hacked in order to interrupt group calls (so-called “Zoombombing”)3, a lack of transparency over the company sharing user data with Facebook (Zoom has now reportedly ceased sharing that data)4, alleged inaccuracies on the company’s website regarding its encryption methods for video calls5, and a flaw in the Zoom chat feature which could allow hackers to obtain Windows login details6. This week, additional concerns were raised over bugs in Zoom’s software for Apple Mac devices, which allegedly allow hackers to inject malicious code into the Zoom installer feature and run malware or spyware, plus a further bug which allows Zoom’s computer access rights to be hijacked, including use of the webcam and microphone7.
Most recently, the CEO of Zoom issued a detailed public apology, which acknowledged a number of issues arising from the sudden and unprecedented increase in users:
Usage of Zoom has ballooned overnight… To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid. We have been working around the clock to ensure that all of our users – new and old, large and small – can stay in touch and operational.
…However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.
First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.
However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.
These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.
We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.
But before I lay out how we intend to improve, I want to share what we have done so far…
Eric S. Yuan
Founder and CEO, Zoom8
So what are we to do? There are many video conference providers out there. Brown Rudnick currently uses a platform which we have road tested and which has high security suitable for the highly sensitive nature of our clients’ matters. The platform has a helpful security feature which allows the host to lock a meeting at any point to prevent others from joining and to put participants in the “waiting room” while others in the meeting confer. Other secure online platforms we have considered include Microsoft Teams (this is a collaboration tool designed to improve internal communications, so is less useful for conferences with people outside of the company network) and Skype for Business (a useful function of this for larger meetings is that parties can be shown grouped by their allegiance).
Deciding which online platform to use for highly sensitive discussions is fraught with difficulties and judgment calls. Liaising with your firm's IT experts to weigh the pros and cons of each online platform is key. Many courts have used Skype for Business, Webex and Zoom to conduct remote hearings9. But no system or software is completely immune to cyber-attack. What we can do is (1) recognise that users, i.e. the human factor, are a crucial element of any organisation’s information vulnerability, and (2) take steps to mitigate that risk. Here are a few tips we have collated:
from The Guardian
- Check whether the software allows end-to-end encryption. This type of encryption means only the users themselves get to see the content of the transmission. Other types of encryption (for example, transport encryption, which is the same as is used for https websites) allows the service provider to access the content. This is a particular risk for privileged or sensitive information because it may mean that data is accessed or stored in a different jurisdiction (with different rules on privacy and legal privilege) from where the users are located, or mean that state authorities or regulators could request access.
- Check which parts of your call can be encrypted and how users can access or store this information – can users record the meeting? Is the video, audio, and chat encrypted? What about any files that are transferred? For video calls outside your firm, it may be helpful to agree protocols in advance such as no recording, photographs of screens or taking of screenshots. It might be more secure to share files via an online data room or platform like OneDrive rather than screen sharing.
- Restrict access to your calls by internet domain, so that only users with your company’s email addresses can join the call, or to specific users only (rather than sending an open link that could be accessed more widely).
- Set a meeting password requiring users to enter the password in order to join, guard such passwords and change them often.
- If appropriate, limit the ability for screen sharing to the host. If you are sharing your screen, take care not to share confidential and privileged material by accident (for example, papers on your desk or the files on your bookshelf). You may be able to share only the application needed, rather than the whole desktop.
- The wise know what they don’t know so discuss all and any security concerns with your organisation’s IT team. If in doubt, don’t click. Fact find first.
The U.S. Federal Trade Commission and the U.S. National Institute of Standards and Technology have both recently issued more general guidance on secure remote working, which can be found here and here.
The U.K. National Cyber Security Centre also has a range of guidance on its website, including on mitigating malware and ransomware attacks.
1 From explorer Ernest Shackleton’s diary in November 1915 while on the ice after abandoning his ship crushed by ice.
8 To read Mr Yuan’s statement in full go to: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
The views expressed herein are solely the views of the authors and do not represent the views of Brown Rudnick LLP, those parties represented by the authors, or those parties represented by Brown Rudnick LLP. Specific legal advice depends on the facts of each situation and may vary from situation to situation. Information contained in this article is not intended to constitute legal advice by the authors or the lawyers at Brown Rudnick LLP, and it does not establish a lawyer-client relationship.