Zoom meeting usage increased so quickly during the pandemic that the software outgrew its rudimentary security. Zoom’s lack of reliable security and accompanying privacy problems have resulted in numerous legal issues.
Security
Security flaws allow hackers to easily break into the system, allow meeting participants to reuse passwords, and do not provide controls to prevent meeting participants from distributing data obtained during Zoom meetings. The flawed software also permits viewers to study hand motions in order to determine which computer keys a participant is typing, including any password being entered.
Zoombombing
The most common type of system break-in is called Zoombombing, which occurs when an unauthorized intruder enters a Zoom meeting. Damages that such an intruder may cause range from simple embarrassment, to criminal mischief, to theft of confidential or sensitive information. A stealth intruder could make offensive, slanderous, or libelous statements about the company or could trick meeting participants into revealing proprietary information about the company. An intruder could also gain information about participants in order to perpetuate identity theft or extortion crimes.
Unauthorized participation in a government-sponsored public meeting is generally not illegal unless the speech contributed by the unauthorized participant is threatening, dangerous, or perpetuates a criminal act. Entrance into a private, but not password-protected meeting, is a form of cyber trespass. Entrance into a password-protected meeting is illegal according to the Computer Fraud and Abuse Act.
Sale of Data
Zoom is currently the subject of several lawsuits regarding the collection and sale of personal information obtained in meetings with advertisers. The most vulnerable participants are those accessing Zoom meetings through iPhones.
Privacy
Disclosure of personal information in Zoom conversations may be combined with information about the same person, available elsewhere, to facilitate the crime of identity theft. One prevalent scheme is to discover a person’s name, phone number, place of employment, then use this information to file a fake unemployment claim.
Employment Law Issues
Zoom meeting participants may neglect to consider the background art, pictures, memorabilia, apparel, or other assorted personal items visible behind them during a Zoom meeting. A background may inadvertently reveal information regarding a person’s race, religion, orientation, age, or membership in a protected class. Background items may also reveal health-related issues and subject a firm to HIPAA exposure. These revelations have the possibility of subjecting a company to discrimination litigation.
A Zoom meeting from home may lead participants to adopt a more casual, relaxed approach and a sense that work from home is not really being at work. This may induce meeting participants to let down their guard and may prompt someone to make crude or offensive remarks that could be considered harassment.
Recordings
Zoom offers no indication to a participant that a meeting is being recorded. Once recorded, no restrictions exist on where the recorded meeting may be posted on the internet or otherwise made available. Recording a meeting without a participant’s knowledge or consent may be considered wiretapping. When something is posted on the internet, it is on the internet forever!
Zoom also has an “attendee attention tracking feature” that allows the meeting host to monitor a participant’s level of engagement and distractions from other electronic sources.
Attorney-client privilege
Poor security and lack of privacy in a Zoom meeting may compromise attorney-client privilege. Furthermore, if such a meeting is recorded, the ability to post the recording to a non-secure page on the internet may also compromise the attorney-client privilege. To ensure attorney-client privilege in a meeting, lawyers should control who has access to such a meeting, where a meeting recording is posted, and should post a disclaimer prior to the client meeting and even at various points during the meeting.
Due Process
Some courts are conducting hearings using Zoom meetings in lieu of in-person court appearances. Should a participant not be able to get the Zoom software to work or function properly, such a participant might not be able to attend their own hearing. This could potentially be grounds for denial of due process and violation of a Fourth Amendment right.
Zoom Terms of Service Agreement
A participant initially signs onto Zoom and must choose the “I agree” button. The only option Zoom offers is to leave a meeting. This may limit legal recourse against Zoom due to Zoom’s draconian terms of service agreement. Zoom’s “as-is” terms of service agreement absolves Zoom of responsibility for content, loss of content, loss due to access problems, and lost deleted content.
Zoom terms force a participant to agree to waive suing Zoom individually and forbids participation in a class-action lawsuit. A participant agrees to submit disputes to individual arbitration by a mediator selected by Zoom. Zoom also requires any dispute to be adjudicated in Zoom’s venue in Santa Clara County, California, and in the Northern District California.
Zoom also reserves the right to increase subscription prices and subjects the users to automatic yearly renewal unless the user announces an intent to opt-out of renewal at least 30 days prior to the expiration date of the current year.
Cyber Insurance
Cyber insurance is available for loss of content and malicious cyber-attacks, but it is not clear if any policy provider covers Zoom meetings because not enough instances have occurred to provide the actuarial baseline data to establish or price such a coverage policy.
Tips for Zoom Users
To reduce legal liability, participants in Zoom meetings should:
- Password-protect all meetings and do not reuse passwords
- Always use private meeting settings
- Do not allow participants to join a meeting before the host joins
- Use a “per meeting ID” and not a “personal meeting ID”
- Use a waiting room to allow the meeting host to screen and check in all participants
- Disable screen sharing for each participant other than the host
- Mute non-speakers and disable private side chats
- Establish consistent and unchangeable user names
- Do not share host credentials
- Inform all participants when a meeting is being recorded
- Work from home participants should choose one room from which to participate in Zoom meetings and only display items one would display in a business office
About the Author
Eric Shaffer is a patent attorney and has written over 400 patents. His technical expertise comprises computer and electrical engineering, wireless telecommunications, chemistry, polymers, and pharmacology. Prior to his legal career, Eric worked as a financial software developer using COBOL, Java, C++, Oracle, and SAP software.