Zoom video conferencing call via computer. Credit: Girts Ragelis/Shutterstock.com.

 

Our new normal has made most of us regular users of video online meeting software. Just a few months ago, this technology was a novelty that we resorted to when travel plans went awry. Now it has gained a foothold in our business lives that makes it almost as common as a phone call. Zoom, just one of the companies that provides video conferencing, went from 10 million daily users in December to 200 million in March.

Most of these programs allow easy recording and sharing of the videos, creating an innovative tool for bringing others in on the conversation. But this function also raises a host of potential confidentiality, discovery and security issues.

Before you embrace the recording feature, consider how to manage the risks associated with it.

Is It Worth the Risk?

As often happens with new technology, our risk management best practices are still catching up. This is particularly true with the ability to record video conferences. Many of these software programs tout easy recording and sharing of those meetings as one of the benefits, but that feature also carries security and legal risks.

Strip a video recording down to its basic form and it is a digital document, no more or less secure than any other document or "electronically stored information" on an office server. We have all read news reports of major companies, the government and even the military being hacked. To date, corporate data breaches usually have targeted credit card and financial account information. But just imagine if the legal, personnel or business strategy matters you normally discuss behind closed conference room doors were in a video floating around on the web.

The Washington Post reported on April 3, 2020, that thousands of recorded Zoom meetings had been made viewable on the open internet, including therapy sessions, financial meetings, telehealth calls and elementary school classes that exposed the faces and other details about children. The hosts of these meetings may not used all the security protections available to them, but this breach still should send a wake up call to businesses and law firms. Hackers now have a new and inviting target—and they will work overtime to exploit it. Some matters may just be too sensitive to risk discussion in an online video forum. For most remote communications, the most secure and confidential method remains the telephone.

Discovery could be painful. You should be concerned about legal adversaries gaining access to meeting recordings as part of discovery in litigation. The sweeping e-discovery requests we see in lawsuits can include video meetings as easily as they do documents and emails. When we write a memo or an email, most of us are cautious in the views we express or the language we use, knowing that a digital footprint never disappears and could show up in discovery, or at the very least, on the computer screen of someone we never intended to read it.

Live meetings are a different animal. The spontaneity and feeling of almost being in the room make for creative and less guarded conversation, which is maybe the definition of a something you don't want popping up in discovery.

While having an attorney participate in the video chat may lend attorney-client privilege to a meeting, don't take that for granted. There are exceptions to this rule, and you can expect an adversary to push hard to convince a judge to remove the cloak of privilege. And if there is no attorney-client privilege, you can be sure your meeting will have little chance of remaining off limits in discovery.

Limiting risks with best practices. We suggest that any company or law firm using video conferencing start by setting up a policy for users and criteria for what calls are subject to recording. Lawyers should have the last word on this policy, but your IT and data security experts also should have a seat at the table.

Select the right program. The first decision is to decide what software to use. Convenience and features are important, but security should drive the decision. Don't use any program that does not have end-to-end encryption, which requires a key to open it that is known only to the users. Look for a program that enables the host to limit recording by others. Innovation in this area moves quickly and there may be other encryption and security features your in-house data experts will recommend. Charge them with identifying the most secure program available. And make it policy that there is no freelancing by users who prefer to use other software.

Consent should be transparent. Both from a legal and ethical standpoint, no meeting participant should be recorded without consent. If a meeting organizer plans to record, affirmative consent should be given by all participants. Don't rely on terms-of-service type micro-print, and make sure everyone understands. Depending on the software, the host may be the only person who can record through the program, but anyone can record the conversation using the recording feature on their cell phone. If that is a concern, the disclaimer at the beginning of the meeting should include an agreement that nobody but the host is allowed to record.

Consent to record laws vary by state, but we don't recommend you ever rely on a one-party consent policy or otherwise record without notification because participants deserve to know if they are being recorded. If you have a special situation that requires secret recording, be sure you are familiar with the laws of every state where there is a participant on the call.

Use a uniform disclaimer approved by an attorney: Here is an example:

"IMPORTANT NOTICE: Please note that this {Name of Meeting Software} service allows audio and other information sent during the session to be recorded, which may be discoverable in a legal matter. By joining this session, you automatically consent to such recordings. If you do not consent to being recorded, discuss your concerns with the host or do not join the session. Rules regarding the recording of communications differ from jurisdiction to jurisdiction. Please check the rules on this topic in your respective jurisdiction."

This can be added to the meeting invitation and it's not a bad idea for the host to remind everyone at the beginning of the meeting that it is being recorded.

Have a retention policy. Just like with other digital records, you should have a policy for how video conferences will be maintained, preserved or destroyed in accordance with policies governing the storage of other electronic files. Your retention policy will allow you to destroy videos after a suitable period of time and thus remove them from the reach of discovery.

Video conferencing is a powerful tool that will help businesses and law firms make the best of this period when on-site meetings are not feasible. Just be sure this technology is working for you, and not setting you up for exposure to other problems.

 

Gina M. Vitiello is a shareholder in the Atlanta office of Chamberlain Hrdlicka. Contact her at 404.588.3426 or [email protected].