COVID-19 Bulletin: Recent Zoom Security Issues Serve as a Cautionary Tale for Businesses in Times of Crisis (and not)

By Zenus Franklin on April 16, 2020

As the majority of states execute stay at home orders to curb the effects of COVID-19, businesses (and educational institutions) have had to set up ways for employees and students to work remotely. As we have discussed before, companies and employees must make sure both company and employee data is secure while working on home networks and remote devices. Employee use of video conference software is no different. In an effort to keep employees connected and working efficiently, many businesses and educational institutions have had to adopt video conference software in an expedited fashion. This can be seen by looking at Zoom, a video and audio conferencing software. At the end of December 2019, Zoom had approximately 10 million daily meeting participants. Now, in just over several months, Zoom has reached 200 million daily meeting participants. While a useful and effective tool, Zoom has also experienced some challenges with security. Even in these unique, difficult, and fast moving situations, the Zoom experience stresses the importance of still following best practices in all use of technology to process your company’s data.

- Establish clear guidance and procedures for any new software or application.
  - Even though new software may be adopted and implemented quickly, companies should also make sure there are clear, written policies and procedures on how to use the new software in an efficient and safe manner.
  - Companies should also provide training to employees so that the software is being properly utilized in accordance with the new guidelines. This will ensure that employees are familiar with the software’s settings and privacy options.
  - The application of guidelines and training should ensure that employees:
    - Create strong usernames and passwords;
    - Securely log in and out of the new software;
    - Know what specific privacy settings may be available within the software;
    - Do not store or use sensitive information in the software unless it can happen in accordance with the company’s existing security policy;
    - Do not have sensitive information visible while using a webcam;
    - Know how to act and who to contact when a privacy and security issue occurs while using the software;
    - Properly use the software so as to make sure
      - the proper individuals with authorization are being authorized to use it;
      - unnecessary or unauthorized features that are disabled;
      - necessary privacy settings are enabled; and
      - all connections are secure (i.e. using end-to-end encryption).
- With a technology like Zoom, the same principles should be considered.

- - Because of the quick adoption of Zoom, many employees, without guidance on how to properly use the software, began using the product for meetings that contained sensitive information. While there are clearly vulnerabilities in Zoom’s software that resulted in personal information and other sensitive data being exposed to unauthorized individuals, this can be mitigated by implementing clear guidelines and training employees.
  - Employees should only use authorized accounts, such as those accounts created by and provided by their employer. Personal accounts or free accounts should not be used for company business.
  - While creating a Zoom account and adjusting the meeting settings, employees should consider the following in line with company policy:
    - Create and require strong passwords to be entered when individuals join the meeting (the password can be embedded into the link that you send to an authorized invitee);
    - Make sure end-to-end encryption is enabled;
    - Allow only signed-in users to join meetings;
    - Enable the waiting room feature that allows the host to see who is attempting to join the meeting;
    - Block everyone but the host from being able to screen share;
    - Turn off the ability to file transfer and make annotations;
    - Use per-meeting IDs that change for every meeting instead of personal meeting IDs that do not change;
    - Lock the meeting once all the invitees have joined;
    - Mute all invitees and disable all video except the host if it is not necessary to have invitees participate; and
    - Appoint a co-host, or a few, that can have access if a privacy and security issue occurs.

During a time where businesses are struggling to keep operations as normal as possible, the last thing a business wants to deal with is a privacy and data security issue relating to either sensitive company data or the personal information of employees or customers. When adopting new technology or software for company use, in emergencies and not, a company must take some time to adopt proper guidelines and training for its employees. The effort put into the policies and procedures in the front end will benefit the business, and its employees, in the long run. Taft’s Privacy and Data Security Practice can provide assistance or answer any questions in developing a strategy and performing best practices.

Please visit our COVID-19 Toolkit for all of Taft’s updates on the coronavirus and related legal issues.

Taft Privacy & Data Security Insights

COVID-19 Bulletin: Recent Zoom Security Issues Serve as a Cautionary Tale for Businesses in Times of Crisis (and not)

About our Privacy & Data Team