Virtual Meetings – Managing Privacy and Security Risks

Virtual Meetings – Managing Privacy and Security Risks

Work life has changed profoundly and we can’t expect it to be the same again anytime in the near future. Over the past couple of months, traditional office environments have been replaced with flexible work-at-home arrangements that are making employers and employees ponder whether remote work makes more sense from the perspectives of cost-effectiveness and work-life balance respectively. As businesses now contemplate opening up, the transition to the workplace will be a slow one. It will be important to consider who actually needs to be in the office and which employees should continue working at home. Fewer employees in the office will make some form of physical distancing possible and will give comfort to those returning to the office that the workplace is as safe as it can be for them.

In light of the work-at-home trend during the global COVID-19 pandemic, and the long term implementations I foresee for many businesses, PRIVATECH will be providing a series of blog articles relating to reducing privacy and security risks when working from home.

This first article will address virtual meetings. Whether you were having them before the pandemic or had to quickly get comfortable in this space, video conferencing has become a saviour for many businesses. As face-to-face meetings became increasingly unacceptable, organizations have flocked to solutions for everything from team huddles to full on-line conferences – a direction welcomed by providers such as Zoom, Microsoft Teams, GoToMeeting and Google Meet. Even into the indefinite future, we can expect video conferencing to stick like it never has before.

Human beings need connection and body language can’t be read on the screen as it can when we’re in the same room, so clearly most of us can’t wait to get back to in-person business meetings. However, video conferencing will certainly need to continue as an option. The key here is to become well familiarized with the virtual meeting platform you are using. It is critical that we do our research so we can understand information flows and security concerns related to the on-line spaces we are considering or are already using. Informed and standardized processes for acceptable video conferencing across the organization are essential for reducing privacy and security risks.

As recently stated by the Saskatchewan Information and Privacy Commissioner, it is important for businesses to do their homework before selecting a platform for on-line meetings. Meeting organizers need to make sure they are able to use settings that prevent unauthorized people from gaining access to meetings. Commissioner Kruzeniski outlines a number of questions organizations should be asking of providers such as whether virtual meetings are saved, and if so who has possession/custody or control over the information and for how long. Questions about privacy and security policies and assessments are also on the list for due diligence.

The responsibility rests on businesses to understand the privacy and security settings offered by video chat platforms and determine if they are adequate. In early April, Zoom suffered a great deal of negative media attention regarding security, and were quick to release a software update that includes a new security button to ‘report a user’. Zoom 5.0 also now defaults users to a “waiting room”, which necessitates participants to be approved to enter a meeting, and also requires a password to enter a meeting.

It’s not that these features weren’t in place before. In fact, Zoom published a blog article in March soon after the volume of users skyrocketed reminding those hosting events with Zoom of Zoom’s security settings. As often stated by the regulators, privacy protection should be built into systems by default (Privacy by Design Principle #2). However, I strongly believe accountable organizations still have a responsibility to understand privacy settings, and not assume that privacy is automatically protected.

There will always be some element of risk when operating on the Web, but videoconferencing solutions can be quite secure and risks can be mitigated if the platform is used correctly. It is no different from setting up tools such as Office 365 properly to ensure that e-mails are properly encrypted in transit, or knowing about the cloud data storage settings that enable encryption of your data at rest. The public is much more aware of the importance of their personal privacy settings for social media accounts, and it is no different for the business context. Privacy and security features are in place, but have they been enabled? It’s the user’s responsibility to make sure.

Some tips for ensuring videoconferencing is as secure as it can be, regardless of the platform you choose:

  • Discourage sharing meeting links publicly;
  • Autogenerate meeting IDs rather than using the same ID all the time;
  • Require a password to join;
  • Don’t always use the same password for your meetings;
  • Lock the meeting space once all participants have joined; and
  • Update your videoconferencing solution software to the latest version.

Later this week, PRIVATECH will post an article addressing physical and network security considerations when working from home. Stay tuned!

For assistance with your work-at-home privacy framework, contact PRIVATECH.