Focusing the Lens on Video Conferencing Platforms: Privacy and Cybersecurity Considerations for Legal Practice

  • May 04, 2020
  • Jennifer Davidson and Alessia Monastero, Deeth Williams Wall LLP

COVID-19 has transformed the day-to-day practice of law from bustling offices to an industry of remote workers overnight. Lawyers have had to rapidly transform their methods of communication, largely turning to video conferencing platforms to perform functions that used to be reserved for in-person attendance.

Several video conferencing platforms have boomed from relative obscurity to essential services in this transition to remote work. Zoom, Microsoft Teams, Google Hangouts, Cisco WebEx, WhatsApp, Skype, BlueJeans (to name just a few) have all seen a tremendous rise in user base since the COVID-19 pandemic began.

Zoom has emerged as a popular favourite for professionals, students, family and friends as a means to connect with the world while practicing social distancing. In March 2020, Zoom ballooned to 200 million daily meeting participants, up from 10 million in December 2019.[1]

In a move that many would have thought impossible only a few months ago, video conferencing platforms are now being used in legal practice for trials, commissions and notarizations, witnessing will signings, multiparty discoveries, mediations, negotiations, the list goes on and on…

However, lawyers face a unique set of obligations when performing their services via video conferencing. The move to video conferencing may be essential to practicing law in the time of COVID-19, but careful consideration should be paid to ensuring that ethical, professional, privacy and cybersecurity obligations have been met to protect clients. This involves an in-depth understanding of platform features, options and risks to ensure best practices are followed.

Selecting the Right Platform

There are several considerations to be undertaken in the selection of which video conferencing platform is right for your practice. The type of use, the number of participants, platform features and security, how you plan to connect to the service (Public Switched Telephone Network Communications (PSTN) versus computer audio), sophistication of participants, firm or company policies and budget all play into the individual selection process. However, regardless of which platform you choose, it is imperative that you read the fine print. Platforms vary in the terms of service, rights and privacy features they offer – and you may not always be in a position to negotiate your preferences. Now is the time to start reading the Terms of Service and Privacy Policies (and other policies) to really understand what you are signing up for – and to explain the rights and risks to clients so they have a complete picture of how their communications and personal information will be handled while communicating with you on the platform.

It’s also worthwhile to consider whether there are services you should not perform online and give thought to postponing them or exploring alternatives to ensure you are not breaching professional obligations. Practicing law in the time of COVID-19 has altered some lines of how we interpret the Rules of Professional Conduct (the “Rules”), which in the past demanded in-person attendance for certain functions. However, that is not an indicator that all Rules have relaxed. For example, professional obligations to protect confidential client information remain in full force even while we operate online. Each practice should be considered individually to determine how to operate responsibly and in adherence to professional and ethical obligations.

Privacy and Cybersecurity

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets rules for how businesses are required to handle personal information in the course of commercial activity. Under PIPEDA, personal information is defined as any factual or subjective information, recorded or not, about an identifiable individual. This can include age, names, income, social status, credit records, medical records, and other pieces of information. Other privacy laws may also be applicable to your practice or to your client’s business, including provincial privacy laws and legislation relating to the handling of personal health information. In Ontario, the Personal Health Information Protection Act (PHIPA) specifically protects the confidentiality and privacy of personal health information, outlining collection, use, and disclosure rules.

Take the time to inquire as to whether the platform you are using has a PIPEDA Compliance Statement and other policies relating to applicable privacy laws like PHIPA.

A vital consideration when selecting a platform is understanding the use, storage and sharing of data, particularly personal information. Where does the platform store your data? Does it sit within a public cloud? Does the data remain in Canada? Is it shared with third parties? How long will your information be retained? All these questions should be satisfied before practicing law via video conference.

Recordings

Many video platforms provide an option to record virtual meetings. Under the Rules, lawyers are required to inform other legal practitioners and clients of an intention to record.[2]

If the meeting will be recorded, it is important to review agreements to determine the security, location and accessibility of recordings and take appropriate steps to address any issues that arise. Zoom’s Terms of Service reads:

By using the Services, you are giving Zoom consent to store recordings for any or all Zoom meetings or webinars that you join, if such recordings are stored in our systems. You will receive a notification (visual or otherwise) when recording is enabled. If you do not consent to being recorded, you can choose to leave the meeting or webinar.[3]

Taking appropriate precautions when recording is particularly important when those recordings will be stored on the platform. The availability of that recording and the retention period should be considered before providing or requesting the informed consent of video conferencing participants.

In addition to recordings, all platforms carry risks of participants taking screen grabs. This vulnerability exists regardless of platform choice. It is worthwhile to consider that such a tool could be used against your client while communicating on video conferencing platforms.

Cybersecurity

COVID-19 is a perfect storm in so many ways and cybersecurity is no exception. A remote work force with varying levels of technological safeguards, rapidly adapting to video communications on platforms that must play catch-up to new threats, is a near perfect opportunity for cyber criminals to target unsuspecting participants and enterprises.

Cyber criminals are turning their sights on video conferencing tools as the next major way to exploit individuals. Over the last few months, Zoombombings have made the news worldwide as hackers harvested meeting IDs to “drop in” on unsuspecting participants. Cyber-attacks using malicious GIFs (Graphics Interchange Format) were reportedly used to scrape user data and cause mischief on Microsoft Teams. Phishing attacks asking users to “update your WebEx” reportedly take unsuspecting users to a phishing page requesting personal information and credit card data.[4]

While platforms work quickly to respond to attacks and remove vulnerabilities, these schemes highlight the need to exercise vigilance and take precautions on video conferences during COVID-19 (and beyond).

Tips and Tricks to Mitigate Cybersecurity Risks

Online Hygiene Practices

A well-rounded online hygiene practice is crucial (both in life and in law). Keep your passwords tightly guarded, avoid public Wi-Fi and always stay current with the most updated version of the chosen platform to avoid security risks. When scheduling a meeting, share meeting ID and passwords only through secure channels and only with participants who need to have it. If available, set up two-factor authentication to avoid sharing the meeting link altogether.

Use the Platform Effectively

Video platforms provide several host controls to ensure the safety of meeting participants. Understanding and using those controls effectively will mitigate risk and increase security.

Where possible, lock down meetings once your participants have entered the room so no uninvited visitors can drop in. If available, use waiting room features to accept each user individually and only accept preregistered/known participants. If the meeting involves large groups or unknown participants, maintain vigilance over communications and use host functions to manage control of screen sharing and to mute or remove participants causing disruptions.

Limit the Information Shared

As lawyers, it is essential to not only follow best practices for managing video conference meetings, but to critically assess what should or should not be shared on the platform. Confidential documents should not be shared over video conferencing unless you are satisfied that the necessary security is in place. As an alternative, you may wish to use a secure file transfer application to safely transfer confidential documentation.

While we all try to stay safe and serve clients in our new work-from-home arrangements, it is important to not just encourage our children to do their homework – but for us to do ours. Do your research on video conferencing platforms and their security – and if in doubt, contact an expert to ensure you have the information necessary to make an informed decision on video conferencing platforms for legal practice.

_____________________________________

About the Authors

Jennifer Davidson is a Technology and Intellectual Property associate at Deeth Williams Wall LLP with a focus on cybersecurity and emerging technologies.

Alessia Monastero is a student-at-law at Deeth Williams Wall LLP.

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.