The videoconference platform Zoom has seen a surge in users since the coronavirus pandemic began. Teleworkers are relying increasingly on Zoom for virtual meetings, and as a HIPAA-compliant videoconferencing program, Zoom for Healthcare has gained popularity among healthcare providers in particular. New York’s Attorney General has asked Zoom to explain its privacy policies, and additional scrutiny is likely to follow.

Hackers have noticed. Since the beginning of the year, reports show 1,700 domain registrations including the word “Zoom,” with 4 percent containing suspicious characteristics. A click on a fake Zoom invitation could install InstallCore PUA, which opens the door to malicious software installations.

Some Zoom hacks require less technical expertise. Recently, the FBI warned of “Zoom-bombing,” wherein an unauthorized user accesses a Zoom meeting and disrupts it with profane or otherwise disturbing imagery. So far, Zoom-bombing seems limited to pranks, but it is not difficult to imagine a more sophisticated hacker accessing a Zoom meeting to obtain confidential or proprietary information.

Additionally, Zoom faces accusations regarding its collection and sharing of users’ information. Vox recently reported that Zoom shared users’ data with Facebook, even if the Zoom user did not have a Facebook account. Zoom responded by removing the Facebook software development kit from its client. Even so, a new lawsuit alleges that Zoom “likely” still shares data with Facebook, because many Zoom users will not promptly update their version of the app.

Not all of Zoom’s vulnerabilities are external. Zoom meetings use transport encryption, not end-to-end encryption, which means the Zoom service itself can access the unencrypted video and audio content of meetings. Consequently, the confidentiality of recorded Zoom meetings depends entirely on Zoom servers’ security from hackers. This fact may have legal implications as well; the attorney-client privilege could potentially be destroyed if a communication is voluntarily revealed to a third party, so conceivably, recording a Zoom meeting may create waiver-of-privilege issues. (Zoom recently updated its privacy policy to address concerns about recorded meetings, but the update did not implement any specific changes.)

Thoughtful, robust data security precautions can guard against many vulnerabilities, whether on Zoom or other videoconference platforms. Such precautions include:

  • Do not make meetings public. Require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference in an unrestricted, publicly available social media post. Instead, provide the link directly to attendees.
  • Restrict screensharing to “Host Only.”
  • Ensure users are using the most recent version. Zoom recently added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • To protect confidentiality, restrict remote control of devices, file transfer, data sharing, and screen sharing during Zoom conferences.
  • For document sharing, consider establishing a secure reading room or sending the documents via a password-encrypted transfer.
  • Make sure you are using the most recent version of the Zoom app.
  • As stated elsewhere on this blog, remind your employees about appropriate data security procedures, including “phishing” and other social engineering scams.

For more information regarding this article, please contact Sean Griffin.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.