Zoombombing and Privacy
Zoombombing - Do I need to be worried?
Take a look through your Facebook, Instagram or Twitter feed now and you’ll pretty soon see someone posting about the latest craze: Zoombombing. From a corporate governance perspective, you should be linking concerns about Zoombombing and Privacy compliance.
To the uninitiated, the term ‘Zoombombing’ probably sounds ridiculous, so here’s a quick recap.
Zoom is a popular video conferencing software used globally that, with the increase in virtual workplaces, has seen a huge spike in usage. From businesses and educational institutions to government, Zoom has an impressive roster of clients. Its list of users is rapidly increasing in the current climate, with a number of Australian universities now using Zoom to run their online courses.
The company promotes itself on its ease of use, with virtual meetings able to be created with the click of a button and shared easily through a simple URL. This simplicity, however, has led to chaos with the rise of Zoombombing: uninvited individuals “bombing” into (i.e. joining) meetings and causing disruption. Zoombombing can at times be a harmless prank but, as a recent NPR article shows, can quickly turn harmful, with offensive imagery and hate speech being broadcast.
The rise of Zoombombing has led to an FBI warning being issued to users and the New York City Department of Education mandating that schools are banned from using the program.
Since the birth of this craze, further investigations into Zoom’s security and privacy policies have been conducted. Zoom cites its security measures as one of its key features, stating on its website that meetings are end-to-end encrypted. However, a recent investigation by The Verge has alleged that Zoom isn’t in fact end-to-end encrypted in the truest sense. Whatever the cause, a breach is a breach, and Zoombombing and Privacy compliance is a serious concern.
Legal considerations associated with Zoombombing and Privacy
So, what does this mean, legally speaking, for businesses using Zoom to conduct either internal or external meetings?
Well, the most important question to ask first and foremost is this: is your business obligated to comply with the Privacy Act 1988 (Cth) (Act)?
Privacy is an ever-evolving field and determining whether you are required to comply with the Act is beyond the scope of this post.
Generally, the following organisations are required to comply:
- Commonwealth Government agencies and those who contract with them.
- Organisations with an annual turnover of more than $3 million.
- An organisation that provides a health service.
- Businesses that buy or sell personal information.
- Credit reporting bodies.
However, this isn’t the complete list and there are exceptions and exceptions to the exceptions! If you’re confused about whether you fall under the Act, it’s best to call our Privacy Lawyer so we can ensure you are compliant. Determining whether you are compliant is important as penalties can be significantly more than the cost of meeting the requirements in the first instance.
What do you do if your meeting is Zoom Bombed?
If you are obligated to comply with the Act, the second all-important question is: what happens if my virtual meeting gets Zoom Bombed?
Businesses may be required to report to the Office of the Information Commissioner where they have reasonable grounds to believe an eligible data breach has occurred. They may also be required to notify any individuals at risk of serious harm arising from the breach.
An eligible data breach occurs when personal information an organisation holds is lost or subjected to unauthorised access or disclosure. For example, when:
- a device with a customer’s personal information is lost or stolen;
- a database with personal information is hacked; or
- personal information is mistakenly given to the wrong person.
What this means in the context of Zoombombing and Privacy is that if you are in a virtual meeting where personal information you hold is being discussed and your meeting is “bombed” by an unknown third party, this could constitute a notifiable data breach.
For example, your organisation’s Customer Service Team may be openly discussing personal information about your customers (such as name, phone number or address) when you find that someone has at some point joined your call. Without knowing who the person is or how long they have been on the call, you have suffered a data breach and may be required to notify the Office of the Information Commissioner and affected individuals.
So, what can you do in this new world of virtual meetings?
- Investigate whether you are required to comply with the Privacy Act 1988 (Cth);
- Create a Data Protection Policy and a Data Breach Response Plan;
- Research your video conferencing tools and create secure sessions with your staff; and
- Remain vigilant.