The Rise of Video Conferencing – What ICO and NCSC Should Look For
December 11, 2020
Kemp IT law
To print this article, all you need to do is be registered or log in to Mondaq.com.
The coronavirus outbreak has taken advantage of video conferencing, which is spread around the world. For many, it is still the most important means of keeping in touch with colleagues and customers. To reflect the popularity of the practice, it was recently widely reported that in the three months ended July 31st alone, Zoom’s revenue increased a staggering 355% to $ 663.5 million (£ 496.3 million) during the Profits rose to $ 186 m and its customer growth increased a whopping 458% year over year.
However, the increased demand and ubiquitous use of this type of communication has raised some concerns that privacy and security are compromised for convenience. The ability to look into people’s homes and record video and voice calls clearly has an impact on privacy and security.
In April, Ian Hulme, Director of Assurance for the ICO, published a blog highlighting the top privacy issues businesses should be aware of when using video conferencing1.
First of all, he recommends checking and using the privacy and security settings so that users are transparent, that is, they should know how their data is being processed. Users also need choice and control over how their data is used.
Other suggestions include restricting who can join meetings with passwords, controlling when people can join, and restricting who can share screens during the video conference. The Director of Assurance also suggests that organizations review the way meeting passwords and IDs are shared. These decisions should be made before the meeting starts, and employees should be given clear advice on which settings to use and how.
The ICO also recommends that companies remain vigilant about the risks of video conference phishing. This can be in the form of a link or attachment that is sent via a live chat feature. Therefore, it is recommended that users only click the links and attachments that they expect from meeting participants they recognize.
Companies should also ensure that their privacy policies correctly reflect the use of video conferencing platforms to process personal data. If calls are recorded, this should be taken into account in the policy. It is recommended that attendees receive a short message and a link to the privacy notice on the meeting invite and registration page.
Ensuring that video conferencing software (and indeed all software) is up to date is also mentioned as an effective way of ensuring the security of the system. This includes applying updates regularly. If video conferencing is accessed through a web browser, the browser must also be kept up to date.
There should also be an ongoing assessment of the video conferencing tools or services used to ensure that the tool or service is appropriate for the job at hand.
Separately, on April 21, 2020, the NCSC published security guidelines for organizations to select, configure, and implement video conferencing services2. As with the ICO blog, this guide emphasizes the need to choose the right service to ensure that the calls and any other data shared in meetings are protected. The guide recommends companies:
- Follow the NCSC’s Cloud Security Principles3 when meetings are sensitive and organizations fully understand the encryption model used by their chosen service provider.
- Make sure that the service actually works as described by the service provider.
- Understand where data is going and who has access to it when cloud-based video conferencing services often store and process data in their data centers in multiple countries;
- Whenever possible, when deploying and configuring the service, establish company-wide defaults and controls, and ensure that the correct settings are applied while securely balancing user needs.
- give employees clear instructions on how to use videoconferencing safely;
- Ask staff to test that the service is working before using it for real meetings, and make sure they are familiar with how to mute the microphone and turn off the camera.
- Ask staff to keep meeting join details as confidential as the meeting itself, blurring the background or using a wallpaper for privacy and to see when their webcam is on and when calls are being recorded.
- Make sure the meeting organizers / hosts consider what features are appropriate for the meeting and whether they should be limited to a subset of attendees. and
- Make sure organizers and hosts restrict access to the meeting details to only attendees.
Originally published until December 2020
The content of this article is intended to provide general guidance on the subject. A professional should be obtained about your particular circumstances.
Termination of contracts
Reed Smith (worldwide)
Welcome back to our new series of “Back to Basics” blogs where we post articles on general legal issues.
VAT rules after Brexit: what you need to know
TMF Group BV
From tax representation and VAT refunds to new rules for e-commerce companies, experts from the TMF Group answer the most frequently asked questions about VAT that have been received since Brexit.