Zoom With Caution: Potential Privacy Concerns Associated With Videoconferencing Platforms

April 1, 2020

In the wake of COVID-19 and in the face of numerous states’ mandatory stay-at-home orders, many companies across the country are adjusting to the ever-changing environment associated with telecommuting, or working remotely.  As previously discussed, telecommuting poses increased risks associated with cybersecurity protocol and oversight, and companies must be aware of the continued risks and undertake appropriate steps to safeguard against them.

Yet another potential threat which employers must be aware of is the use of videoconferencing platforms.  Since the start of the COVID-19 pandemic, videoconferencing has become part of everyday personal and professional life.  Zoom, in particular, has seen a surge in traffic, with nearly 600,000 people downloading the mobile application on a single day.  In fact, the mobile application is currently the most popular free application for iPhones in the United States.  While the videoconferencing platform can be a useful tool to connect multiple people via video and audio, companies must be aware of the potential privacy risks associated with Zoom and are urged to evaluate other platforms which may be available.

On March 30, the Office of the New York State Attorney General sent Zoom a letter asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers.  While the letter refers to Zoom as “an essential and valuable communications platform,” the Attorney General’s primary concern with the platform is that it has been slow to address security flaws, including certain vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”

Earlier this year, Zoom faced scrutiny for this practice, commonly referred to as “Zoombombing.”  The potential for malicious third parties to gain access to a Zoom meeting without the meeting host’s consent is particularly worrisome in the context of confidential business-related communications.  While Zoom has issued a blog post to instruct users on how to prevent unauthorized third parties from gaining access to a meeting, the Attorney General’s letter sparks new concern about whether Zoom has taken appropriate steps to address these security flaws.  In particular, cyber threat actors have circumvented meeting password requirements by creating fake Zoom domains and persuading a user to enter account and meeting credentials into the fake domain.  Zoom has commented on the Attorney General’s letter and has indicated that it will be providing the Attorney General’s office with the requested information.

However, the potential privacy concerns associated with the use of the Zoom platform are not solely related to third party malicious access or “Zoombombing.”  In March, Zoom came under fire for sharing user data with Facebook without consent.  On March 29, Zoom issued an updated privacy policy after its users reported concerns.  In a blog post discussing the updated policy, Eric S. Yuan, chief executive officer and founder of Zoom, indicated that the updates do not change any of Zoom’s practices, but rather the updates were implemented to be “more clear, explicit, and transparent.”  In the blog post, Zoom emphasized that it does not sell user data, has never sold user data, and has no intention of selling user data going forward.

While Zoom has updated its privacy policies and has removed the application’s ability to share user data with Facebook, Zoom was hit with a proposed class action claiming that the platform has failed to protect users’ personal information.  In the suit, filed March 31 in California federal district court, plaintiffs allege violations of California’s Unfair Competition Law, Consumer Legal Remedies Act, and Consumer Privacy Act.  Of note, the complaint alleges that, while Zoom released a new version of its mobile application which does not allow sharing of user data with Facebook, Zoom has not blocked prior versions of the application nor assured users that information already collected has been deleted.

Companies must be aware of the potential risks associated with the use of videoconferencing platforms and ensure that they have developed appropriate safeguards to prevent and address those risks, including but not limited to the use of a secure videoconferencing platform, which may come in the form of an enterprise-based platform that allows the company to control the settings.  Additionally, companies are urged to ensure that their employees are appropriately educated on the use of videoconferencing platforms and are employing the proper settings to mitigate cyber risks.

In sum, the use of videoconferencing platforms is yet another cyber vulnerability which all companies and their employees should be aware of as we continue to navigate the COVID-19 pandemic and adjust to the “new normal.”


Cyber, Privacy & Data Security

Brian E. Middlebrook
John T. Mills
Joseph Salvo
