
Don’t let your virtual meetings expose you to privacy and security risks

By Michael Simon, Attorney at XPAN Law Group

With the current pandemic, virtual meeting systems are now highly popular and seen as easy-to-use substitutes for in-person meetings. However, that ease of use comes with features that present some security and privacy concerns: first, the difficulty of keeping meetings confidential; and second, the ease of recording meetings. As a result, I have told clients that I recommend that they consult with legal counsel to understand the risks created by these issues.

When assessing the viability, privacy and security of a virtual meeting environment, there are some key due diligence items to address. Two main considerations include: 

  1. Consider adding a further level of security for all confidential virtual meetings; and
  2. Consider limiting recording to small meetings of just a few parties and requiring explicit consent from all participants both before recording virtual meetings and on the record or – in the alternative – bar employees from recording meetings at all.

Don’t let just anyone join your confidential meetings

Virtual meeting systems are designed to foster an open environment that promotes team transparency and ease of communication. That is great for the day-to-day operations, especially now that your employees can’t just drop by someone’s office. Unfortunately, the very nature of such systems can cause problems when you need to carefully limit the attendees so that you can discuss confidential information and maintain privacy standards.

The default settings for most virtual meeting systems allow anyone with the meeting link and the access code (usually nine or so digits) to join. Most systems will auto-generate that access code for you, so that it is easy to send out meeting invites and easy for recipients to join those meetings. It also means that any invite that gets forwarded to someone, whether you intended them to join that meeting or not, is now able to attend.

Of course, most systems let you see who is attending a meeting, so you might catch someone who is not supposed to be on a call, but there’s no guarantee of that, especially if there is a long list of attendees. Some systems, like Zoom, let you set separate meeting passwords as an additional form of protection, but Skype and Teams don’t provide such additional security options. For Skype and Teams, your best bet to secure confidential meetings is to change the “Lobby” settings so that no one can join a call without the approval of the meeting administrator (which is usually the person who set up the call).

Finally, we recognize that virtual meeting accounts can be expensive, and that some companies try to minimize that expense by sharing accounts among staff. We don’t recommend that as a best practice in general, and we particularly strongly recommend against doing so if any of those employees, such as in HR or Legal, are conducting confidential meetings. Sharing accounts makes it far too easy for someone to accidentally dial into a call. While that normally just leads to a few seconds of apologies and a quick log-off, it can be another thing entirely if someone suddenly starts hearing things that they aren’t supposed to hear.

Recording meetings is a can of worms best left unopened 

As difficult as it can be to set security on virtual meetings, it is almost the opposite problem when it comes to recording them: it just takes the click of a button or two to do so. There are plenty of legitimate reasons why your employees might want to record meetings: to send to people who could not attend or to avoid having to take notes during the meeting or otherwise, to name a few. Yet, as the cliche about “good intentions” goes, recording meetings can lead your organization down a very bad road and violate privacy requirements.

Understanding when it is legal to record a call or a videoconference is a maddening task. The Reporters Committee For Freedom has published a Reporters’ Recording Guide with requirements for Federal and all state laws: it’s 28 pages long!  Full coverage of those laws would require far more detail than we can offer here in this article, but at least we can start with a summary of the good news – from the Reporters’ Guide:

Federal law [18 U.S.C. 2511(2)(d)] allows recording of phone calls and other electronic communications with the consent of at least one party to the call. A majority of the states and territories have adopted wiretapping statutes based on the federal law, although most also have extended the law to cover in person conversations. Thirty-eight states and the District of Columbia permit individuals to record conversations to which they are a party without informing the other parties that they are doing so. 

That leaves 11 jurisdictions with so-called “two-party consent” requirements: 

California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington (oh and if you are doing the math, that does leave one: Vermont, which doesn’t even have a law on the subject).

It is important to understand that the common term “two-party” is a dangerous misnomer, as all of these jurisdictions require consent to be recorded by all of the parties on a call/video. From here on, we will refer to these jurisdictions as “all-party consent” (and we’ll stop using those annoying quotes as well now). Many of these jurisdictions’ recording laws specify criminal penalties, some of them at the felony level.

Most of the major virtual meeting systems make it very clear to everyone when someone is recording a meeting – some with an announcement, some with a banner, and some with both.  Some of the systems even suggest that you consult with counsel before recording. For some jurisdictions, that might be enough; Washington Rev. Code § 9.73.030(3) allows for all-party consent by “announc[ing] to all other parties engaged in the communication or conversation, in any reasonably effective manner, that such communication or conversation is about to be recorded or transmitted,” as long as that announcement is itself recorded. Most other all-party consent jurisdictions do not contain such convenient exceptions.

Even for some of those one-party consent jurisdictions, things can get complicated. For example, Arizona is a one-party consent jurisdiction, but under the Arizona Rules of Professional Conduct, a lawyer must obtain the consent of all parties to record a call. (See State Bar of Arizona Ethics Opinion 95-03).

Oh, and did we mention that there are international issues as well . . . because not all countries or even regional jurisdictions within those countries allow for simple, one-party consent.  We just don’t have the space (and you don’t have the patience) for us to go through all of the details here.

So, where do you go from here?

Once again, the very nature of these systems is what makes them so difficult to use in a compliant manner: it is easy to set up a call or videoconference that people from all over the world can easily join. You could very easily have attendees from all-party consent jurisdictions in attendance without knowing it. If you have a meeting with a few attendees you can request consent before recording and then confirm on the record. But if you have a meeting with many, even dozens of attendees, how do you find the time to ask each one?  And as anyone who spends any time in virtual meetings knows well (and those who don’t will learn it soon), not everyone joins the call on time – are you prepared to stop the discussion cold as many times as needed to obtain consent from each and every such straggler?

Ultimately, in this time of transition to remote work, companies need to review their internal policies to ensure that the appropriate guidance is provided to To learn more tips from the XPAN team on transition to a remote workforce, with a focus on privacy and security, check out our firm’s “Transition to a Remote Work Environment” Guidance. And, remember, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.