Privacy and Cyber Risks Come Into Focus Amid Video Conference Boom
As video conference platforms experience a surge in usage, its bull's-eye is also growing for hackers, regulators and plaintiff attorneys.
April 03, 2020 at 11:00 AM
5 minute read
A month ago, using any video conference platform for work was likely only a convenience. Now, as businesses shut down offices and turn to remote work, legal professionals are finding that such technology has become a necessity.
But with the greater usage, some have found having confidential, highly sensitive discussions through a screen difficult.
"When you are in your office and you can shut your door and speak with a client confidentially on a landline, you feel more secure," said Baker Botts special counsel Cynthia Cole.
The cybersecurity and privacy concerns with these video platforms are not wholly unfounded.
Video conference software company Zoom was specifically called out for multiple alleged security and privacy missteps in the past week alone. The FBI's Boston office, for instance, cautioned Zoom users of meetings being hijacked. New York Attorney General Letitia James is also scrutinizing Zoom's security practices amid its sudden increased usage, according to The New York Times.
Zoom is likewise in the plaintiffs bar's crosshairs. On Monday, two class action suits were filed against Zoom in the U.S. District Court for the Northern District of California. The suits allege unauthorized sharing of user analytics with Facebook and inadequate security measures violate the California Consumer Privacy Act. Notably, in the Cullen v. Zoom filing, plaintiffs firm Wexler Wallace alleged Zoom's claims that users' privacy and personal information are inviolable were false because "defendant's wholly inadequate program design and security measures have resulted, and will continue to result, in unauthorized disclosure of its users' personal information to third parties, including Facebook."
Still, video conference platforms aren't inherently riskier than other internet-connected software, some lawyers said.
"I think there is always going to be cyber risks related to platforms given cyber criminals are always looking for vulnerabilities," said Bradley Arant Boult Cummings cybersecurity and privacy partner Erin Illman. "As long as there are cyber criminals looking for vulnerabilities, including in video conferencing platforms, there will always be that risk."
However, Baker Botts' Cole argued as more people video conference from homes that store internet-connected devices, more data is being collected, creating a trail of personal data that complicates data security.
An internet-connected device, such as a smart speaker, "could be potentially matching voices from different tools or matching information from different input sources and creating profiles or doing other sorts of activities that may or may not be related to marketing or something else," she explained. "That has a use for hackers or people that want to exploit that information. It invites additional interest for people who would want to take all that and sell it or exploit it."
To mitigate those cyber risks, law firms that are using video conference software must thoroughly vet the platform's cybersecurity certifications and confirm that conversations aren't accessible by third parties.
"They should make sure they are passing through encrypted channels and make sure it's truly end-to-end," said Venable managing director of cybersecurity services Ari Schwartz. "I think [as] some providers talk about the security of what they're providing, you need to have a technical expert to see if it's truly encrypted end-to-end."
Additionally, sometimes video conference platforms contain nondefault privacy controls users must be taught to activate, said Rutan & Tucker partner Michael Hellbusch. "Let's go beyond the default if the company isn't providing security by default," he said.
For law firms that want to build their own video conference app, privacy by design and privileged access are crucial, Bradley Arant's Illman noted. Still, while privacy is essential, Hellbusch also said a firm's custom-built video conference platform should be operational on various clients' systems.
Aside from cybersecurity challenges, when leveraging custom or propriety video conference software, the platform can also run up against a complex regulatory environment.
All video conference companies' privacy policies and their actual data collection and sharing practices are regulated by the Federal Trade Commission Act and every states' false advertising law, said Buchanan Ingersoll & Rooney shareholder and cybersecurity and data privacy group co-chairwoman Sue Friedberg.
The CCPA, as highlighted by this week's pair of lawsuits, would also apply to video conference platforms, Friedberg said, noting that the CCPA extends protections to IP addresses and other broad data that wasn't protected before in the U.S.
Without proper disclosure regarding the sharing of such data, video conference companies risk CCPA penalties, Baker Botts' Cole said.
But the privacy risks don't stop there. Along with the CCPA, the Family Educational Rights and Privacy Act, Children's Online Privacy Protection Act and NY SHIELD Act would apply to a video conference platform because of the personal data they collect, Cole said.
"I think video conferencing platforms should be looking at the strictest laws out there and complying with those because they will be under increased scrutiny because they are being so heavily relied on to keep the economy going. It puts them in a great position financially and under more scrutiny."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250