A month ago, using any video conference platform for work was likely only a convenience. Now, as businesses shut down offices and turn to remote work, legal professionals are finding that such technology has become a necessity.

But with greater usage, some have found it difficult to have confidential, highly sensitive discussions through a screen.

"When you are in your office and you can shut your door and speak with a client confidentially on a landline, you feel more secure," said Baker Botts special counsel Cynthia Cole.

The cybersecurity and privacy concerns with these video platforms are not wholly unfounded.

Video conference software company Zoom was specifically called out for multiple alleged security and privacy missteps in the past week alone. The FBI's Boston office, for instance, cautioned Zoom users about meetings being hijacked. New York Attorney General Letitia James is also scrutinizing Zoom's security practices amid its sudden increased usage, according to The New York Times.

Zoom is likewise in the plaintiffs bar's crosshairs. On Monday, two class action suits were filed against Zoom in the U.S. District Court for the Northern District of California. The suits allege that unauthorized sharing of user analytics with Facebook and inadequate security measures violate the California Consumer Privacy Act. Notably, in the Cullen v. Zoom filing, plaintiffs firm Wexler Wallace alleged Zoom's claims that users' privacy and personal information are inviolable were false because "defendant's wholly inadequate program design and security measures have resulted, and will continue to result, in unauthorized disclosure of its users' personal information to third parties, including Facebook."

Still, video conference platforms aren't inherently riskier than other internet-connected software, some lawyers said.

"I think there is always going to be cyber risks related to platforms given cyber criminals are always looking for vulnerabilities," said Bradley Arant Boult Cummings cybersecurity and privacy partner Erin Illman. "As long as there are cyber criminals looking for vulnerabilities, including in video conferencing platforms, there will always be that risk."

However, Baker Botts' Cole argued that as more people video conference from homes with internet-connected devices, more data is being collected, creating a trail of personal data that complicates data security.

An internet-connected device, such as a smart speaker, "could be potentially matching voices from different tools or matching information from different input sources and creating profiles or doing other sorts of activities that may or may not be related to marketing or something else," she explained. "That has a use for hackers or people that want to exploit that information. It invites additional interest for people who would want to take all that and sell it or exploit it."

To mitigate those cyber risks, law firms that are using video conference software must thoroughly vet the platform's cybersecurity certifications and confirm that conversations aren't accessible by third parties.

"They should make sure they are passing through encrypted channels and make sure it's truly end-to-end," said Venable managing director of cybersecurity services Ari Schwartz. "I think [as] some providers talk about the security of what they're providing, you need to have a technical expert to see if it's truly encrypted end-to-end."

Additionally, sometimes video conference platforms contain nondefault privacy controls users must be taught to activate, said Rutan & Tucker partner Michael Hellbusch. "Let's go beyond the default if the company isn't providing security by default," he said.

For law firms that want to build their own video conference app, privacy by design and privileged access are crucial, Bradley Arant's Illman noted. Still, while privacy is essential, Hellbusch also said a firm's custom-built video conference platform should be operational on various clients' systems.

Aside from cybersecurity challenges, custom or proprietary video conference software can also run up against a complex regulatory environment.

All video conference companies' privacy policies and their actual data collection and sharing practices are regulated by the Federal Trade Commission Act and every state's false advertising law, said Buchanan Ingersoll & Rooney shareholder and cybersecurity and data privacy group co-chairwoman Sue Friedberg.

The CCPA, as highlighted by this week's pair of lawsuits, would also apply to video conference platforms, Friedberg said, noting that the CCPA extends protections to IP addresses and other broad data that wasn't protected before in the U.S.

Without proper disclosure regarding the sharing of such data, video conference companies risk CCPA penalties, Baker Botts' Cole said.

But the privacy risks don't stop there. Along with the CCPA, the Family Educational Rights and Privacy Act, Children's Online Privacy Protection Act and NY SHIELD Act would apply to a video conference platform because of the personal data they collect, Cole said.

"I think video conferencing platforms should be looking at the strictest laws out there and complying with those because they will be under increased scrutiny because they are being so heavily relied on to keep the economy going. It puts them in a great position financially and under more scrutiny."