A person taking a photo of a video-conference call being conducted on his phone
PHOTO: Sam Saunders

It may be the ubiquitous feel-good workplace share amid the COVID-19 health crisis: a screenshot of employee faces on a Zoom video conference call accompanied by a positive message of teamwork. But not everyone is feeling good about Zoom, though. The massive spike in usage (10 million daily users in December to 200 million now) comes with major concerns over privacy and security that has brought a class action lawsuit and the attention of federal and state regulators.

A user this week sued the video-conference provider for sharing personal information without proper notice, to third-party providers like Facebook. The New York Times reported Zoom sent user names and email addresses to a company system then matched them with LinkedIn profiles. The FBI issued warnings of “Zoom-bombing” after receiving multiple reports of hackers disrupting conferences with pornographic and/or hate images and threatening language. The New York Attorney General sent a letter to Zoom asking about its security and privacy practices. 

The big questions now? How can enterprises ensure workplace apps like Zoom provide them with ever-so necessary capabilities like video-conferencing while protecting employee privacy and their organization’s sensitive information? What due diligence is required on behalf of enterprises as they navigate these applications in their (much more crowded) digital workplaces?

Corporate, Regulatory Pressure May Be the Fix

“Unfortunately the growth in Zoom users has not been accompanied by a growth in privacy or security maturity of the platform,” said Dana Louise Simberkoff, JD, CIPP, chief risk, privacy and information security officer for AvePoint.

“Zoom has been the subject of ongoing privacy and security issues over the past few years, and these issues range from easily exploitable features in the platform, which may create privacy and security vulnerabilities and a lack of transparency in the platforms tracking and data sharing features. Some of these issues may be easily addressed with security fixes, but others may require corporate and regulatory pressure on the company to raise its own game around transparency and trust with their new corporate consumer base.”

Zoom’s Response and Planned Action Steps

Before we offer more considerations for privacy and security protections using workplace apps like Zoom, here’s what Zoom has said and done in the past week or so after coming under fire. Asked by CMSWire to respond to the class action lawsuit, filed by Robert Cullen in the Northern California US District Court, a Zoom spokesperson pointed out a Zoom blog related to the matter. The spokesperson also noted Zoom recently posted a blog with some clarifications regarding its privacy policies. Further, Zoom CEO Eric Yuan on April 1 blogged about the steps Zoom has taken and plans to take in light of the recent privacy and security issues. Zoom also on April 5 began to enable two password settings by default to protect against unwanted visitors.

Is Zoom Even the Right Call?

Surely, organizations shouldn’t rely solely on Zoom beefing up its security to protect their data. They need to do their part, too, according to Kristina Podnar, digital policy consultant and author. “Zoom is interesting with the latest lawsuit just being part of the story,” Podnar said. “Remember the patent case issue last year. It is clear that Zoom has architected its offering without regard for user privacy or safety, which leads us to where we are today.”

Companies should ask whether Zoom is really required as part of the infrastructure, or are there better and more privacy-friendly tools that can be used. Collaboration consultant James Dellow on April 3 penned about some Zoom alternatives on LinkedIn. “For many organizations, especially those looking to be GDPR compliant, Zoom does not meet the criteria for 3rd party processor compliance which is a broader regulatory risk,” Podnar said.

Recognize Your Encryption Needs

If you do have to use Zoom, consider its data privacy practices and what risks your business is willing to stomach, Podnar added. “Anything that is shared over Zoom during a meeting is encrypted via TCP and UDP,” she said. (Zoom shared its encryption practices in an April 1 blog post). “This means that the audio and video content will be encrypted, much like your HTTPS content is encrypted in transit, but underlying user data will still be exposed. That may be a risk you are willing to take internal to your organization on any normal day, but as people work from home, use their own devices, think about the data privacy implications for your employees and the business liability that goes with that.”

Encryption beyond that offered by Zoom may be appropriate to protect your employee data that contains possible trade secrets, Podnar said, citing a use case of several SMEs working on a new product, which is a trade secret and could impact markets.

Related Article: Where Does Encryption Fit in Privacy Regulations?

Are You Aware of Data Breach Ramifications?

Zoom may be easy to set up and use and has had great reliability during this pandemic. However, if your employees’ data is compromised, or illegally shared by Zoom, especially in areas like Europe, South Africa and soon in Brazil, you will not only face the possibility of employee-initiated lawsuits, but also regulatory fines in many jurisdictions. In addition, Podnar added, the Electronics Communications Privacy Act (ECPA) places some limitations on an employee’s right to monitor an employee’s telephone and data usage at work, which may cause a business to get embroiled in additional regulatory and union issues.

Ask Provider for Data Protection Agreement

During the initial evaluation of a tool like Zoom, ask for a Data Protection Agreement, or a similar document, said Jennifer Wu, JD, CIPP.C, CIPM, privacy consultant at Calligo. “This is something that is required if a company falls under the jurisdiction of the GDPR or CCPA,” Wu said. “If your company decides it does not live up to required technical and organizational measures, there is no need to spend further time assessing the tool’s features.”

Under CCPA, Podnar noted, users and employees alike could invoke data sales issues that implicate your business due to lack of compliance from a 3rd party mitigation perspective. The same holds true, she said, for some of the other privacy regulations, like Nevada’s data privacy law (SB 220).

Related Article: How GDPR Will Help Rebuild Data Protection and Customer Trust

Scrutinize the Provider’s Privacy Policy

Scrutinize a service provider's privacy policy, also known as privacy notices or statements. Most often, as the case with Zoom, the privacy policy alone does not give you enough information to assess risk, Wu said. “However,” she added, “it helps you know what questions to ask. As we have discovered with Zoom, once asked to clarify, they confirmed that end-to-end encryption was not available. If this was relevant to your company, their previous privacy policy did not tell you that.”

Review the privacy policy of what kind of personal information the company collects from its users of the application. There should be a section that tells users what the company does with the information it collects. “In general, be aware of privacy policies that use ‘may’ a lot and throw in every possible use,” Wu said. “These kinds of privacy policies do not tell you anything.”

Further, review the notice to see if they are sharing client data with any other parties. Often broad categories liked "partners" or "service providers" are used. Read about Zoom's take on the claims of sharing data with Facebook.

Seek Clarification on Vague Terms

Zoom's privacy policy uses boilerplate language like Zoom uses a "combination of industry-standard security technologies, procedures, and organizational measures to help protect your personal data from unauthorized access, use or disclosure."

Clarify what specific procedural measures they are doing to protect data? Some companies like Microsoft, for example, provide copies of audit reports available to download, Wu said. “Ask the service providers what industry-standard security framework are they using,” Wu said. “Contact information for a service provider should be available in the privacy policy. Often there is no other way to find out, other than to ask.”

Time to Dig Deep on Questions With Collaboration Providers

Ultimately, for organizations that may just be considering workplace apps like Zoom, or have any other collaboration tools in place, Podnar said this is the time to dig deep and answer

  • Is personal data being collected and, if so, how is the personal information related to employees, consumers, vendor partners, or those we engage for usability testing and product development?
  • What levels of transparency are appropriate and needed for the business to protect itself from unreasonable risk?
  • How does the tool’s owner (company) address government requests/demands for personal information? Are they compliant with key regulatory frameworks with which our company is required to comply (e.g., CCPA, GDPR, LGDP, POPIA, etc.)?
  • Are there any licenses of personal information written into the tool agreement/contract that we need to consider?

“This is a case where the barrier of entry for this tool is so low, that Zoom has been thrust into the spotlight and used in ways for which they were not truly enterprise ready,” Simberkoff said. “This is also a good illustration for why privacy and security by design, even for consumer applications, is critically important.”