Even after the pandemic recedes, virtual meetings are likely to remain popular. Here's how to host them in a way that minimizes liability.
With the rise of virtual meetings to negotiate M&A and other types of deals and to raise capital among investors, are you setting yourself up for liability risk if details of the meeting get out or you record participants without their permission?
Here are issues for you to think about before you host your next meeting on Zoom, WebEx or other virtual conferencing platforms.
OK to record?
American Civil Liberties Union Speech, Privacy, and Technology Project Senior Policy Analyst Jay Stanley warns companies shouldn't record video or audio calls unless all participants receive clear notice.
While employers have a legitimate interest in monitoring employee performance, that kind of monitoring is typically narrowly tailored to meet those needs and isn't necessarily appropriate for other contexts, Stanley said.
Once you have permission, recording meetings is a best practice. Recordings can give companies notes for clarification on what was discussed, Michael Coden, head of the cybersecurity practice at BCG Platinion, the technology unit of Boston Consulting Group, said.
Companies must educate their employees on secure video conference hosting, Coden said. "Well-known platforms such as WebEx, Zoom and Skype will reliably enable secure meetings, but users must be trained and informed."
He suggests meeting hosts guard against potential intruders by taking attendance and requiring participants to announce themselves.
If you do record, don't store the conversation on the platform's servers. Store it instead on your outside counsel's servers; any recordings stored on a platform server could be subpoenaed by another party from the host company.
If a topic under discussion is sensitive — something you wouldn't want on the front page of a newspaper or in a court deposition — you don't want to record it, Coden adds. Sensitive topics include anything involving business data, HR-related personnel matters, and proprietary technology, Mark Vena, a technology consultant with Moor Insights & Strategy, said.
Vena doesn't recommend recording calls covering content that could potentially damage the company if it got into the hands of a competitor, or that could create issues if requested by a court in a legal matter.
When recordings are published online, companies should consider whether redacting or removing certain portions, said Dan Siegel, chair of the American Bar Association Law Practice Division Professional Development Board and one of the first legal experts to focus on the intersection of technology and ethics.
Zoom, the leading video communications company, was hit by high-profile breaches over the summer. It has since retooled its processes to build security into everything it does. "We froze all new features on the platform to enable us to focus on ensuring the features and platform are as secure as they can be," its CFO, Kelly Steckelberg, told CNBC at the time.
In a May blog post, Steckelberg recommended five best practices businesses can use for virtual meeting security.
- Require a password. "It's always a good idea to secure any meeting with a password, so only invited guests can join your virtual board meeting," she wrote. "Passwords can be set for individual meetings, or can be enabled at the user, group, or account level for all meetings."
- Require registration. Requiring guests to pre-register with their name, email, and additional information can provide a layer of security without requiring participants to have an account. Requiring attendees to have an account can enhance security further, however, as it helps you to admit only authenticated users.
- Enable waiting rooms. "The waiting room is a great way to protect any meeting because it's a virtual holding area that prevents people from joining until they are admitted," she wrote. "Meeting hosts and co-hosts can admit everyone from the waiting room all at once or individually."
- Add watermarks. In the case of Zoom, if the audio file is shared without permission, the company can help identify which participant recorded the meeting if all participants have audio watermarks.
- Lock the meeting. After everyone invited has joined and the meeting has started, lock the meeting to prevent anyone else from joining. In the case of Zoom, you can find this within the security icon in the meeting controls.
You're probably safe
Although security issues must be taken seriously, don't lose sleep over it, Mike Lloyd, chief technology officer at cybersecurity consulting firm RedSeal said.
"Bear in mind the vast majority of Zoom meetings are simply that – vast," Lloyd said. "We are recording hundreds or thousands of hours per week per company of this stuff. Could someone potentially steal something of interest from them? Well, sure, yes, but it's not practical or cost-effective for most spying purposes."
The advantage of having potential valuable information hidden from crooks in a sea of web dross reminds Lloyd that, centuries ago, Dutch diamond merchants were reputed to send their wares via standard postal mail – simply because it was so easy to hide their tiny valuable products in the vast flow of mail every day, making it impractical for thieves to find them.
Companies should record video calls when doing so poses an obvious business benefit, the participants have consented to it, and there are adequate controls in place to limit access to the resulting video to only authorized parties, Kayne McGladrey, security architect at cybersecurity consultancy Ascent Solutions, said.
To ensure accessibility,companies should also strongly consider using closed captioning on call recordings, McGladrey added.