In yesterday’s MYPTHRM – HR Tip Of The Week blog, I wrote about five mistakes virtual meeting newbies and even pros make (here is the link just in case you missed – https://bit.ly/3jhHJvh).
As a leader, you need to consider the security headaches that Zoom and similar teleworking tools bring to this enforced work-at-home environment. Let’s face it, the more we get comfortable with the new technology, the usage increases, we lose sight of the security, risks, and legal issues around the technology. Below is a list of some of those areas for risk mitigation and recommended steps to take:
Security: Confirm with your IT department that you have enabled appropriate security features. Choices include the following:
- Ensuring sufficient encryption.
- Password-protect meetings, and keep the password private.
- Enable the “private meeting” setting.
- Use a “waiting room” that allows the host to check in the participants.
- Disable screen sharing for participants.
- Mute non-speakers and consider disabling private chat.
- Do not allow participants to change their usernames.
- Prohibit shared host credentials.
- Know the limits and exclusions of your cyber insurance coverage.
- Security of stored, recorded video conferences.
Also, consider an enterprise subscription product rather than a consumer-grade download: such paid products often contain security features (and contractual remedies) not available via free apps.
Confidentiality: In addition to making the right security choices technologically, there are other steps to take to be sure you do not disseminate confidential information to protect for video conferencing breaches. Some items to consider:
- Instruct the host and any presenter to clear sensitive information, disable reminders, and close sensitive applications from their screens before sharing their screens.
- Instruct participants not to screenshot or record any part of the meeting (including the audio).
- If the meeting is about a particularly sensitive or confidential topic, consider requiring a confidentiality acknowledgment/agreement just as you would for a similar in-person meeting.
- Do not use consumer-grade shared drive applications or websites (Dropbox, Google Docs, etc.) to post or share sensitive material.
- If the meeting concerns attorney-client privileged matters, consider stating so at the beginning of the meeting, and remind participants not to create separate notes or electronic conversations (chat, Slack, text, etc.) regarding the proceedings.
- Ensure that internal (employee) policies are up to date with security and confidentiality practices required of employees who use teleconferencing technologies.
Privacy – General: Remember that any teleconferencing tool collects personal data within the meaning of data privacy laws (including the GDPR and the CCPA).
- Be sure that you know what the application collects automatically, whether you have choices about configuring it to collect less information, and that all information collected is covered by your organization’s IT rules, including those regarding data storage, use, access, and longevity.
- Consider taking down or deleting recorded meetings after a pre-determined time.
- Do not distribute recordings to participants; instead, use a centrally managed (and secure) link for access.
- Also, be sure to update your privacy policy and employee notices to account for your use of teleconferencing tools, the security risks they present, and the information they collect.
Privacy – Suitability for All Persons and Information: Some topics or persons may be subject to special privacy protections. Most businesses should not plan to use Zoom or similar tools for any of the following unless they first perform a thorough privacy legal analysis with counsel and their technology professionals:
- Personal health information: Zoom and other teleconferencing tools may not be HIPAA compliant.
- Minors: Any personal information, including name, about children under 13 (residents of US) or under 16 (EU). Minors are protected by stiffer privacy laws than the general population.
- Sensitive personal information: some kinds of personal data are highly regulated in non-US jurisdictions, including the EU.
- This type of information can include political affiliation, medical conditions, religious beliefs, gender identity and sexual identification, biometric data, and genetic information.
- Note that calls placed from people’s homes may inadvertently provide this kind of information (because of posters, art, photos, or other background material).
- Consider addressing this kind of disclosure via your privacy policy, employee notices, and a reminder to participants that they are responsible for their chosen surroundings.
Notice of Recording/Consent: Recording a call without the consent of the participant can be a wiretapping violation depending on the locations involved.
- Announce at the beginning of the call that you will be recording it.
- Consider notifying participants in advance (e.g., via the invitation) that the call will be recorded and that participation constitutes consent to record.
- When you “press the button,” announce that you are beginning the recording.
Persistence of Digital Records: Like email, a digital recording is forever. Remind participants of this as necessary to curb any animate, exuberant, or inadvisable discussions.
Local Rules: Some schools, governments, and other institutions do not permit the use of Zoom and other tools. Be sure you are compliant with any such restrictions.
In the wake of the COVID-19 pandemic, many employers are relying on video conferencing platforms to conduct meetings and providing remote educational instruction. While Zoom and other video conferencing platforms can provide valuable interactive experience while social distancing, it is essential to educate employees on potential privacy and cybersecurity risks. Adhering to best practices will help you protect the privacy of participants, and reduce the risk of intervention by unwanted participants.
Let MYPTHRM help you reshape your online meetings to improve security, performance, and employee engagement. To learn more contact us at 516 522-0078 or email us at [email protected]
My Part-Time HR Manager
Providing no-nonsense, cost-effective solutions to your HR Dilemmas!
My Part-Time HR Manager provides advisory services to our clients and newsletter subscribers. None of the information contained herein should be construed as legal or financial advice, nor is My Part-Time HR Manager engaged to provide such advice. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult your legal or financial advisor if you want assurance that our information, and your interpretation of it, is appropriate to your particular situation.
