Who's Watching? Hidden Dangers to Trade Secrets From Video Conferencing
It behooves businesses to take care to protect their trade secrets during video conferencing. Here, we address some potential risks to trade secrets from video conferencing—including hidden ones—and offer some potential measures to limit them.
May 21, 2020 at 05:30 PM
9 minute read
Video conferencing has been available for years but given its new popularity in these COVID-19 times, e.g., Zoom conferences have gone through the roof. "Zoom reached more than 200 million daily users [in March 2020], up from 10 million in December…" "Thousands of Zoom video calls left exposed on open Web," The Washington Post, April 3. It behooves businesses to take care to protect their trade secrets during video conferencing. Here, we address some potential risks to trade secrets from video conferencing—including hidden ones—and offer some potential measures to limit them.
Fundamental Concern: Access by Unauthorized Persons to Trade Secrets Disclosed During Video Conferences.
There have been recent reports of unauthorized access to video conferences. Thus, where trade secrets are going to be disclosed during a video conference, businesses should confirm that the video conference is secure. See Forbes ("If you are using a video conferencing platform for anything sensitive … security should be your first thought…").
Businesses should admonish their employees to:
- Use the video conference application's security features (e.g., password protect the video conference; lock the meeting; do not share publicly the meeting details [e.g., the meeting ID and password]).
- "Kick out" participants that are not invited to the video conference that they are hosting. If they are not hosting the video conference, contact the host to request that the unauthorized participant be kicked out.
- Understand how the private break-out session feature works before sharing information there. Otherwise, other participants to the main video conference may inadvertently be given unintended access to the "private" room and, thus, confidential information.
- Know with whom they are chatting when they use the written chat feature. Otherwise, they may find what they thought was a private chat with certain participants was, instead, a chat with all participants and they mistakenly disclosed confidential information to unintended recipients. Be aware that the recording feature on some video conference applications records the entire session including private chats. See Forbes (private chats may be recorded when the video conference session is recorded locally.).
- Master the "share screen" function so that they do not mistakenly share a screen with confidential information on it. Close everything on their computers that they will not be sharing during the video conference (e.g., it is much safer to share only the PowerPoint application rather than the entire desktop). Leaving even the email application open is not a good idea.The email preview message feature may inadvertently share confidential information during a shared screen session. Do not just minimize the email application, close it completely.
- Be mindful not to inadvertently circumvent secured access to video conferences (e.g., by having video conferences in the presence of others when working from home due to the COVID-19 pandemic).
- Turn off home assistant devices (such as Google Home and Alexa) during any video conference during which confidential information may be discussed since such devices are constantly listening to what is said in their environment.
- Understand the definition of end-to-end encryption as it is provided by the video- conference provider. Although participants that use the native application may have the benefit of encryption, participants that use "out of scope" systems may not (cellular connections, landlines and legacy video teleconferencing systems).
Businesses should also provide tip sheets to their employees so that they are aware of best practices from a security standpoint.
In addition, businesses should consider establishing mandates to avoid having to rely on the cooperation of the employees who participate in video conferences (e.g., set up the video conference settings so that use of passwords is required). IT security or information technology departments should review back-end settings and enforce secure configurations. Businesses should also be mindful to implement software updates for the video conferencing applications that they are using since security improvements may be folded into updates.
Other Concerns That May Not Be Obvious—the "Record" Feature.
Many video conference applications enable the host to record the video conference and to control whether participants can record the video conference. According to Zoom, it notifies participants when a host chooses to record a meeting, and provides a safe and secure way for hosts to store recordings and Zoom meetings are only recorded at the host's choice either locally on the host's machine or in the Zoom cloud. To the extent that a business' confidential information may be shared during a video conference, the business should exercise careful control over recordings and attempt to ensure that any recordings are maintained securely. Otherwise, businesses may be shocked to learn that their confidential information is no longer confidential. See, e.g., Forbes ("… thousands of Zoom videos are available online for anyone to see. The videos include sensitive chats such as business meetings …").
Recording of video conferences should therefore be given appropriate attention, especially to the extent that confidential business data is at stake. (Reporting that Zoom urges those who are considering uploading to a non-Zoom cloud service a recording of a video conference "to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants' reasonable expectations.").
Watch for indications that a video conference is being recorded (e.g., a notice that it will be recorded, a red-light recording message) and raise an objection to the host if recording the video conference is unwanted. But, keep in mind that it is easy to record a video conference session discretely with a mobile phone (or other technologies). Accordingly, if recording is undesired, confirm expressly with the other participants that no one is recording the session.
The video conference host should be careful to record the video conference only if it is actually desired and if that is the case, the host should give appropriate notice to the other participants that the video conference is being recorded.
If multiple companies are going to participate in a video conference during which confidential information is shared (e.g., to discuss a potential development relationship), an appropriate NDA should be in place beforehand. To the extent that only one participant's confidential information is going to be shared during the video conference, ideally that participant should seek to host the video conference so that it can control whether the video conference is to be recorded and should also expressly confirm with the other participants that they will not attempt to record the session by other means (e.g., on their mobile phones).
That participant should also be mindful to designate the video conference as confidential in accordance with the procedures set by the NDA (e.g., by sending within a certain number of days after the video conference written confirmation that what was said during the video conference is designated as confidential). While the participant may have designated by labeling it "confidential" a PowerPoint (or other writing) shared during the video conference, the NDA still may require the participant to designate "confidential" what was said about it during the video conference in order to protect the information under the NDA.
If the video conference is recorded and the other participants are permitted to receive a copy of the recording, the host should also be mindful to designate the video conference recording as confidential pursuant to the terms of the NDA.
To the extent that multiple participants' confidential information is going to be shared during the video conference, those participants should address in advance of the video conference: which participant will host the video conference; whether a recording of the video conference should be made; and if a recording is to be made, confirmation that the host will provide permission to the other participant to record the video conference as well. Ordinarily, if one party to NDA has a record of a communication between the parties, it is in the other party's interest to have a copy as well. Otherwise, if a dispute later arises about what confidential information was or was not disclosed in the communication, the party without the record may be at a disadvantage. The participants also should be careful to designate and treat the video conference and any recordings in accordance with the NDA.
Video conferences having become a business norm, businesses also should consider whether to address expressly in their NDAs the treatment of video conference recordings. For example, the NDA may provide that:
- Recordings may not be made without consent of the party whose confidential information is to be addressed during a video conference.
- No recordings including confidential information may be uploaded or maintained in an unapproved cloud service.
The NDA may also specifically address the disposition of recordings at the end of the relationship (e.g., whether they are to be returned to the designating party; whether they are to be destroyed; or whether an archival copy may be retained if the party continues to maintain it securely). Otherwise, recordings of video conferences—a relatively new category of "documents" subject to an NDA—may be overlooked and give rise to potential claims for breach of the NDA or misappropriation of trade secrets.
Things are changing quickly and there is no clear-cut authority or bright line rules about what are reasonable steps to protect trade secrets in response to COVID-19. This article is not an unequivocal statement of the law, but instead offers some potential reasonable steps for consideration.
Rebecca ("Bec") Edelson is a partner in Sheppard Mullin's intellectual property and litigation practice groups and leads the firm's trade secrets team.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllJudge Asks: Should Tom Girardi Serve Sentence in a Medical Facility or Behind Bars?
4 minute readLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250