Protecting Confidential Information During Covid-19

Katarina Klaric, Principal and Director at Stephens Lawyers & Consultants, highlights the privacy risks of using services, in particular, Zoom, in order to work from home more efficiently, amidst the ongoing global pandemic.

COVID-19 restrictions have resulted in many workplaces requiring their employees to work remotely from home. This has resulted in unprecedented technological challenges for government agencies and private sector/non-for-profit organisations to implement technological solutions which enable secure data access and connectivity for their employees. The use of video conferencing services such as Zoom, Skype and Microsoft Teams has been adopted by many workplaces without proper security risk assessment of the technology and adequate training of staff in the use of the technology and security risks.

Confidential Information/Trade secrets are the most valuable assets of many organisations and this data is potentially exposed to greater risk of unauthorised access, disclosure or use, with employees working remotely and using video conferencing services.

Remote workplaces also give rise to increased security risks associated with privacy breaches in the handling of personal information or data collected by agencies or organisations. Although the Australian Privacy Act, does not prevent employees from working from home remotely, compliance with the Australian Privacy Principles (“APP”) is still required during COVID-19.

Agencies and organisations need to assess and evaluate the risks associated with remote workplace environments and new projects and consider whether security measures for their remote workplaces and new projects are adequate for the protection of their confidential information/trade secrets and personal data.

Recent media reports about the Zoom video conferencing services highlight some of the risks associated with the use of this technology:

• Check Point Research in its report identified security flaws in Zoom video conferencing platform which allowed potential hackers to join the meeting uninvited or to listen in[i].
• Zoom setups allows meeting participants to easily share meeting details with external parties. This flaw can result in security breaches and meetings being interrupted by unidentified persons known as “Zoombombers”[ii].
• Security flaws which have allowed on-line class rooms to be interrupted by uninvited guests “yelling profanities” and showing offensive material[iii].
• The inadequacy of the technical encryption offered by Zoom for the encryption of the video and audio data during transmission and storage when using Zoom video conferencing services[iv].
• Security flaws which allowed hackers to take over a Zoom user’s computer including the webcam and microphone[v].

[For further reading see Article titled “Zoom Video Communications and Data and Privacy Risks” authored by Peter Divitcos, Stephens Lawyers & Consultants.]

Zoom has admitted that there are security flaws and privacy issues with its videoconferencing services[vi]. In response to the data security privacy concerns, Zoom announced that it was updating its security protections. From May 2020 all Zoom meetings will require a password and the virtual waiting room will become a default setting[vii]. In addition, from 30 May 2020, Zoom will enable GCM encryption. Zoom clients will have to upgrade their service to utilise the encryption functionality. Zoom has stated that these upgrades will “provide confidentiality and integrity assurances” to Zoom meetings.[viii]

It is important that agencies and organisations implement appropriate risk management strategies to minimise the risk of data security breach and to protect their confidential information/trade secrets and ensure compliance with privacy laws. Some of the steps for consideration for video conferencing:

• Workplaces should not use videoconferencing services for meetings where confidential and sensitive content is to be discussed without first ensuring that appropriate security configurations and/or encryption are implemented.
• Meeting participants prior to the commencement of the meeting should be reminded of their obligations to keep confidential content that is discussed until such time the agency or organisation release the material into the public domain. This should be confirmed in any minutes or record of the meeting that is circulated to participants.
• Carefully read the terms of service and privacy policy of video conferencing service providers to ensure that the use of the service will not result in the breach of confidentiality obligations to third parties and/or breach of privacy obligations under the Australian privacy laws. This will require you to have a detailed understanding of what type of data including personal information is collected and managed by the video conferencing provider, who is authorised to access this information, how this information is used and where is the information stored.
• Undertake an assessment of the possible security and privacy risks and implement the appropriate measures to deal with these.
• Seek the assistance of IT or cybersecurity experts to implement the appropriate security configuration and settings including encryption for video conferencing.
• Educate and train your staff in respect of features and functionality of the video conferencing service so that appropriate security and privacy configurations and settings are “on” before each conference session.
• Provide staff with appropriate training in relation to which discussions are appropriate on videoconferencing platforms, and those which are not.
• Implement and update appropriate security measures for the protection of confidential information/data, including controls such as encryption and password protection.
• Keep up to date in relation to any further security breaches on videoconferencing platforms. Useful resources for updates include:
  • Stay Smart Online – an online alert service which provides alerts on the latest threats and information on how to reduce the risk of cyber threats
  • ACCC Scam watch
  • Australian Cyber Security Centre (ACSC)
  • Australian Cybercrime Online Reporting Network (Acorn)

The Office of the Australian Information Commissioner (OAIC) has also  published guidance for government agencies and private sector organisations to assist the entities regulated by the Privacy Act 1988 (Cth.)to understand their obligations during the COVID 19 pandemic -“Coronavirus (COVID-19):Understanding your privacy obligations to your staff”. The OAIC guidance also includes some steps that agencies and organisations can take to protect personal information when working remotely.

[i] Kim Lyons, ‘Zoom vulnerability would have allowed hackers to eavesdrop on calls’, Ther Verge, 28 January 2020, https://www.theverge.com/2020/1/28/21082331/zoom-vulnerability-hacker-eavesdrop-security-google-hangouts-skype-checkpoint.

[ii] ABC News, ‘Coronavirus working arrangements have seen Zoom downloads soar, but some users are wary of security flaws’, 3 April 2020, https://www.abc.net.au/news/2020-04-02/coronavirus-sees-zoom-downloads-soar-but-fbi-warns-security-flaw/12113802.

[iii] Ibid.

[iv] Micah Lee and Yael Gruer, ‘Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading marketing’ The Intercept, 31 March 2020, https://theintercept.com/2020/03/31/zoom-meeting-encryption/.

[v] Kari Paul, “Zoom is malware”: why experts worry about the video conferencing platform’ The Guardian, 3 April 2020, https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing.

[vi] Michael Chetner, Head of Australia and Asia Pacific, Zoom Video Communications, told Fran Kelly presenter of ABC Radio National that Zoom was designed for enterprise by large companies who have IT departments that can go through security measures and configure Zoom, so that it can be used safely. Zoom’s security and privacy flaws have been brought to the forefront with massive growth in the use of the service by individuals, consumers, small to medium businesses and schools as a result of COVID 19 restrictions. Since December 2019, Zoom users have increased from 10 million to 200 million worldwide in March 2020.  Zoom has engaged cybersecurity experts to deal with the issues and were working with schools to ensure that Zoom was configured properly to ensure safety of children. Mr Chetner also emphasised the importance of proper security configuration of Zoom and education of users on how to use Zoom safely. See Fran Kelly, ‘Video app “Zoom” criticised over security and privacy issues’, ABC RN Breakfast, 20 April 2020, https://www.abc.net.au/radionational/programs/breakfast/video-app-zoom-criticised-over-security-and-privacy-issues/12163500.

[vii] Dan Grabham, ‘Zoom meeting passwords explained: Why are they now on by default?’, 6 May 2020, https://www.pocket-lint.com/apps/news/151741-why-are-zoom-meeting-passwords-now-on-by-default.

[viii] Colleen Rodriguez, ‘Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0, 22 April 2020, https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/.

Katarina Klaric is a Principal and Director of Stephens Lawyers & Consultants, and is skilled in both litigation and commercial business transactions. As a litigator Katarina has been involved in leading cases involving intellectual property infringement, contravention of the Australian Competition & Consumer Law and complex commercial issues. Connect with Katarina via email or LinkedIn