Digital Brain
digital brain
digital brain

Privacy Commissioner Releases Tips for Secure Videoconferencing

May 5, 2020 Privacy Law Bulletin 4 minutes read

It goes without saying that organizations’ use of videoconferencing is at an all-time high as many businesses have converted to remote work. Like all technologies, videoconferencing poses unique cybersecurity and data privacy risks.

Recognizing the surge in videoconferencing, the Office of the Privacy Commissioner of Canada (the “OPC”) has published tips to ensure compliance with privacy laws during videoconferencing. Below is a summary of the OPC’s tips, together with some advice from McMillan’s Privacy and Data Protection team concerning best practices while telecommuting.

Do Your Diligence

Prior to selecting a videoconferencing service, businesses should review the service’s privacy policies and terms of use to understand the service’s privacy and data handling practices. In particular, review and understand how the videoconferencing provider may collect, use and disclose personal information from those who set up an account or participate in a videoconference call. Consider whether these policies and terms of use align with your business’ own privacy policy, contractual terms, and other commitments or obligations with respect to privacy and data handling. Your organization may need to revise its privacy compliance program, including its privacy policy, to permit the use of videoconferencing.

Users of the videoconferencing service should be encouraged to implement and periodically update a unique and complex password when setting up a new account with a videoconferencing service. The OPC recommends that users avoid using social media accounts to sign up for such accounts.

Stay Current

Businesses should stay current on news and publications related to privacy concerns and security vulnerabilities associated with their videoconferencing service of choice.

We recommend establishing a Google alert or other means of tracking updates from reputable sources concerning any reported vulnerabilities or breaches in your videoconferencing software. This will allow an organization to act quickly to install any patches or updates needed, or take other steps to minimize any security risks. We also suggest that organizations update their patch management policy or program to include regular testing, updates and patching for all videoconferencing services.

Videoconferencing users should also be encouraged to periodically review their devices’ permissions and ensure that they are up-to-date.

Limit Participants

Videoconferencing users must make sure that meetings are private and limited to invited participants.

Avoid announcing meetings on social media platforms or websites to prevent uninvited participants from joining the meeting and potentially overhearing private discussions. If possible, ensure that videoconferencing calls are secured with a password, particularly if the meetings involve the discussion of sensitive personal information. Meeting hosts should also disable features such as “join before host” and file transfers to limit security risks.

At the outset of a videoconference, we recommend conducting a quick “roll call”, particularly if there are users dialing in who are not visible onscreen. This can help to crosscheck that everyone who is on the call is meant to be there.

Prevent Overhearing & Oversharing

Where the videoconference is held is also important. Participants should ensure that there is nothing in the background of the call that reveals private information, such as a whiteboard or calendar with confidential notations. If using a web browser, users should open a new window for the call and close all other applications, including email, to ensure that confidential information is not inadvertently disclosed if screen-sharing occurs during the call.

The videoconference should be hosted in a private area, ideally a separate room in one’s home. However, for some employees, taking a call in a private room or completely out of earshot of others in their household may not be possible. At the outset of a videoconference, we therefore recommend that the host ask all users to disclose if they may be within earshot of others in their home during the call. Such users should listen in to the call by headset, and should be encouraged to send any input containing confidential information either by follow-up email, private chat feature or on a separate call when they are in a private space.

Meeting hosts should disable participants’ ability to record a call. Ask attendees to switch off personal home assistants (such as Alexa or Siri) or smart speakers during a video call, as these technologies may be triggered or inadvertently record the call.

Takeaways For Your Business

Given the vulnerability of videoconferencing services to security threats, it is important that organizations adopt the suggestions and best practices developed by the OPC.

However, the above tips should form only a part of a broader effort to address any privacy and cybersecurity vulnerabilities caused by remote working.

Times of crisis give rise to an increased risk of cyberattacks and threats. Threat actors exploit security vulnerabilities, employee distraction and unfamiliarity with new technologies as an opportunity to attempt to unlawfully access sensitive business and personal information. Businesses must emphasize a culture of cybersecurity and compliance with privacy and data protection laws in order to minimize such risks. Providing adequate training and frequent reminders to employees about cyber risks, including the proper use of videoconferencing technologies, is an important step in avoiding data breaches.

While we all eagerly await the day we can connect with our colleagues, clients and customers face-to-face again, many suggest that a rise in working remotely may be here to stay. We advise organizations to act now to develop and implement policies and practices that keep confidential and personal information safe and sound during these unsettled times.

by Kristen Pennington and Chiedza Museredza

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020

Related Publications (5 Posts)

Featured Insight

Alberta Recognizes Privacy Tort of Public Disclosure of Private Facts

The Alberta Court of Queen’s Bench recognized the tort of public disclosure of private facts for the first time; In deciding the recognize the tort...

Read More
Sep 27, 2021
Featured Insight

Real Estate Litigation: Summer Highlights

Even in the summer months, the legal news does not let up. Here are some recent decisions and legislative developments as we head into the 2021 fall season.

Read More
Sep 21, 2021
Featured Insight

McMillan’s Employment and Labour Webinar

Join McMillan's annual Employment and Labour Seminar on Tuesday, October 5th as we address significant legal developments and provide practical advice on responding to employee issues.

Details
Tuesday, October 5, 2021
Featured Insight

Supreme Court of Canada Confirms: CCAA Super-Priority Charges Rank Ahead of CRA’s Deemed Trusts

Canada v. Canada North Group Inc. provided much needed clarity regarding the order of priority for unremitted source deductions in restructuring proceedings.

Read More
Sep 17, 2021
Featured Insight

McMillan’s ESG Strategy Sessions

The COVID-19 pandemic and increased concerns over environmental and social issues, such as climate change and systemic racism, have prompted conversations throughout global capital markets.

Details
Wednesday, October 6, 2021