As we discussed before, educational institutions are closing campuses and are meeting legal obligations to educate their students by conducting online schooling. Now, some school districts across the country are banning teachers from using Zoom for online schooling during the COVID-19 pandemic due to security and privacy issues surrounding the videoconferencing app.  Reported cases of classroom “Zoombombings” included an incident where hackers broke into a class meeting and displayed a swastika on students’ screens, which led the FBI to issue a public warning about Zoom’s security vulnerabilities. New York City School District and Nevada Clark Public Schools disabled Zoom access, while schools in Utah and Washington State are reassessing its use at the time of this posting.

Amid the raised safety concerns, Zoom responded and advised schools to protect video calls with passwords and to lock down meeting security with currently available privacy features in the software. On March 18, 2020, Zoom added a privacy policy specific for K-12 schools and districts stating that it is “designed to reflect our compliance” with student privacy laws and also posted best practices for teachers to use.

These recent developments and challenges with new technology are hardly unique to Zoom, and just a reminder that in times of crisis (and not) due diligence should always be exercised when adopting new technology for business or educational purposes.  This is not only a best practice, but the law in many sectors or industries.  Schools and online education providers are required to meet legal obligations under various laws (Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA)) while using Zoom as an online platform while schools remain physically closed. Given the numerous privacy concerns surrounding Zoom, it is the responsibility of schools and teachers to enforce safety measures to protect students’ data privacy.

In view of these recent challenges with Zoom, the following are best practices and recommendations from Zoom that schools should consider in implementing the technology.

  • Obtain parental consent—ZOOM relies on school administrators to obtain the required parental consent to use ZOOM—and the consent needs to be compliant with COPPA;
  • Prohibit students under the age of 18 to set up their own individual Zoom accounts. Instead, students should only join Zoom meeting sessions as participants through the School Subscriber’s account;
  • Teachers should privately provide meeting information;
  • Teachers should allow users only within the organization (class students) to join meetings;
  • Schools should require users to sign into an account to attend meetings, thus allowing each user to be vetted, identifiable and visible on dashboards;
  • Allow only registered and approved participants to attend a meeting; and
  • Train the educators on a variety of controls so that only hosts can use to secure the meeting (such as lock the meeting, expel a participant if necessary, prevent participants from screen sharing, disabling video, mute a participant or mute all, limit the ability to chat amongst one another while a meeting is in session, or disable in-meeting chat altogether).

Again, although Zoom has experienced these challenges, schools can implement the best practices listed above, and those listed in our previous discussion, to comply with applicable law, mitigate the privacy and security issues, and protect the schools’ and the students’ information with any online or automated systems.

Please visit our COVID-19 Toolkit for all of Taft’s updates on the coronavirus.