During the past eighteen months, a consortium of six data protection and privacy authorities reviewed the security and privacy practices of the major video teleconferencing (VTC) platforms — Cisco, Google, Microsoft and Zoom.
The consortium included cybersecurity representatives from across the globe:
- Office of the Australian Information Commissioner (Australia)
- Office of the Privacy Commissioner (Canada)
- Gibraltar Regulatory Authority (Gibraltar)
- Office of the Privacy Commissioner for Personal Data (Hong Kong)
- Federal Data Protection and Information Commissioner (Switzerland)
- Information Commissioner’s Office (United Kingdom)
These discussions began with an open letter issued in July 2020, continued with direct engagement between the consortium and VTC companies, and culminated in a set of joint observations issued by the international group in October 2021. The observations consist of learnings from the engagement process as well as a set of recommendations around three core issues — encryption, secondary use of data and data centers.
Although the consortium’s guidance pertains to VTC platforms directly, its remarks offer key insights for any organization using VTC tools. Given the importance of these observations, what follows is actionable guidance and best practices for security and privacy teams responsible for managing the deployment and use of video teleconferencing systems.
Privacy by design and default
The use of any new technology tool should be accompanied by a risk assessment to determine potential privacy issues presented by its use and available compensating technical and administrative controls. Risk assessments help organizations mitigate negative impacts by articulating tangible steps to reduce potential risks related to the use of a particular system.
The consortium suggested that the video teleconferencing platforms should complete “privacy impact assessments for all new VTC features” and encourage “regular contact between privacy, security and development teams and adherence to the data minimization principle.”
VTC privacy impact assessments should detail the risks of features like screen sharing, webcams, whiteboards, chat and file transfers as vectors for intentional or inadvertent exposure of sensitive data. Personally identifiable information (PII) like social security numbers, national IDs, email addresses, and health and financial data can be easily displayed during VTC conversations by screen sharing a sensitive document or application, using the webcam to present hard copy documents, or sharing documents through the file transfer feature.
Although dynamic VTC features present risks, those risks are outpaced by the productivity gains that connect users and facilitate rich dialogue and interactions. Recent data from Theta Lake’s 2021 Modern Communications Survey Report paints a picture consistent with these opportunities and challenges, noting that 91% of regulated financial services firms are using two to six VTC platforms — however, 83% of respondents disable key productivity features due to security and compliance concerns. As a compensating control, many organizations are turning to purpose-built platforms to unlock the business value of VTCs and assist with data loss prevention and oversight of VTC interactions to identify privacy, cybersecurity and regulatory issues in conversations.
Given concerns around privacy and security, the consortium recommends “that all VTCs place settings for their service at the most privacy protective by default.” The group observed “examples of this in practice, such as: passwords required by default; virtual waiting rooms by default; privacy protective default settings consistent in browser and app versions of VTC services; and video and microphone off by default.”
As new U.S. state and global privacy and data protection rules emerge, concerns about data storage locations have come to the forefront. For various regulatory and operational reasons, organizations are consolidating data footprints into a single jurisdiction or a limited set of jurisdictions, particularly when using cloud-based technologies. As a result, video conference data storage locations and data flows have come under scrutiny.
The consortium put forth various recommendations here. First, VTCs and the companies using them should be transparent about where data is stored and confirm that cross-border data flows meet relevant regulatory mandates. For example, ensuring adherence to contractual requirements, like the European Union and U.K.’s Standard Contractual Clauses, or relevant codes of conduct and binding corporate rules for transfers of relevant personal data, is fundamental. Additionally, video conferencing platforms and organizations should, where feasible, provide users with options as to where they would like to store their data.
The use of encryption can be a powerful tool for securing communications and information transmitted over VTCs. The consortium proposed making end-to-end encryption available in any platform implementation, as well as educating users about the differences between standard and end-to-end encryption.
Security settings and end-user controls
For regulated organizations in industries like financial services, healthcare, education or government, the use of specific video teleconferencing features may pose compliance or security challenges. The group suggested several key practices that the VTC platforms should adopt to ensure that cybersecurity issues are addressed.
For companies assessing the third-party risks of VTCs and related compliance and security platforms, a robust vendor management program is essential: one that conducts security testing and validates operational practices through third-party auditing and security reporting such as SOC 2 Type 2 or ISO 27001.
Several end-user meeting controls promote increased privacy and security. The consortium noted, “[t]he joint signatories saw some good examples of such controls in practice, including: ability to opt out of attendance or engagement reports; virtual and blurred backgrounds; user consent prior to host unmuting audio or activating video; and the ability to report a user for inappropriate conduct (or ejection by hosts).”
Supporting technologies can now monitor and supervise these controls by validating in-meeting settings like blurred backgrounds or session passwords, detecting muted audio, and identifying inappropriate behavior, which may be difficult to detect given the breadth of video, voice and chat VTC functions. Security systems can scan across what was spoken, shown and shared during a video conference to detect the presence of inappropriate logos or documents displayed on screen, as well as the use of sensitive cloud-based applications and the exchange of PII.
With video conferencing platforms now firmly embedded as critical business infrastructure, the clarity and detail of guidance offered by the consortium provides a collective baseline standard for VTC platforms themselves and every security leader managing them.