A surge in demand for conference call facilities has been an inevitable consequence of coronavirus and increased working from home. According to a recent Guardian article, the estimated net worth of Eric Yuan, the founder of conference call facility Zoom, has increased by more than $4bn since the start of the pandemic, making him the 182nd richest person in the world. Yuan explained in a recent blog that Zoom now has 200 million users. Last December it had just 10 million.
I use Zoom on a daily basis for client calls, internal meetings with colleagues, catch ups with friends and family and sing-along sessions with my son’s nursery. Switching from GDPR to Twinkle Twinkle throughout the day has been an interesting side effect of coronavirus!
Thanks to the surge in popularity, Zoom has become a target for hackers and “bug bounty hunters” searching for vulnerabilities in Zoom’s technology which are then sold for thousands of dollars. So how confident can we be that our personal data is protected and what steps can we take to help protect our data?
Should we be worried?
Most conference call facilities require, at the very least, the name and email address of users to enable them to sign up to use the service. We should all be able to expect that those details are protected and that the data is processed in accordance with GDPR. Zoom has, however, received a significant amount of negative publicity about the security measures it has in place.
According to recent articles, a number of security issues have been raised about Zoom, including:
- an investigation which showed that Zoom’s app for iPhones and iPads sent data about users’ devices to Facebook, irrespective of whether the user had a Facebook account (according to a recent lawsuit, this enabled Facebook to send targeted ads to those users);
- it seems that Zoom’s video calls are not end-to-end encrypted, which means that Zoom may be able to view the contents of videos and calls;
- a security issue may have allowed third parties to control user microphones and webcams and gain control of Apple iMacs; and
- the possibility of being “zoombombed” where an unexpected person or offensive content appears in the meeting.
A number of organisations have banned employees from using Zoom, including Google. New York City’s Department of Education has also encouraged schools to refrain from using Zoom and instead use a service provided by Microsoft.
What steps should organisations take?
Each organisation should consider whether it is comfortable for its employees to use Zoom and other conference call facilities. Despite the risks associated with conference calls, they provide significant benefits, particularly in the current climate.
The following steps can be taken to help protect employees and their personal data when using conference call and instant messaging facilities:
- encourage employees to use their business email address as opposed to their personal email (e.g. Gmail or Hotmail) address to reduce the amount of “personal” personal data being provided;
- encourage employees to speak to your organisation’s IT or Security team before using a conference call facility;
- encourage employees to use the password option and distribute the password to invitees;
- update passwords from time to time to prevent people accidentally joining a meeting;
- if using Zoom, ensure that the “password meeting setting” has been activated so that a password is always required to join a call; and
- with all conference call facilities and messaging services, make sure your employees take care when sharing personal data with colleagues – all personal data should be processed in accordance with GDPR and any records of personal data shared between colleagues may need to be provided pursuant to a subject access request.
If you have any questions about your organisation’s compliance with GDPR, or if you would like a free of charge internal process map for dealing with GDPR breaches and subject access requests, please contact Florence Maxwell or Matthew Hattersley.