Editor’s Note: Given the recent increase in remote working driven by the outbreak of the coronavirus disease 2019 (COVID-19), many legal professionals are now integrating tools into their business communications workflow that they may have never used before or may have never used in environments requiring the legal defensibility of communications. One of these tools is the Zoom teleconferencing platform. Provided below is a series of extracts from information notes, articles, and lawsuits that may be beneficial for consideration by data and legal discovery professionals and providers as they evaluate the use of Zoom in support of the conduct of eDiscovery.

Full information note from the Data Protection Commission (DPC) Ireland

Data Protection Tip for Video Conferencing

In light of the recent increase in remote working, necessitated by COVID-19 mitigation measures, as well as the increased numbers keeping in touch online with friends and family, the number of people video-conferencing and video-calling has increased dramatically. This has also resulted in people using apps and services which they might not have used before, or are now using for different reasons – i.e. using an app they usually use for personal purposes now for work purposes or vice versa.

Concerns have been raised about how to use these technologies to keep in touch with colleagues and loved ones in a way that is safe and secure, and ensures an adequate standard of data protection.

Here are some tips to help both individuals and organizations (such as employers who might introduce new or increased video-conferencing arrangements for employees) use these services in a safe manner.

Tips for Individuals

  • Make sure that the device you use for video-calling has the necessary updates, such as operating system updates (like iOS or Android) and software/antivirus updates (and make sure it has antivirus/online security software in the first place).
  • Try to use services that you know and trust, have done some research on, and/or have been vetted and suggested by your employer, etc., for video-conferencing or video-calling.
  • Take some time to read over the service’s privacy or data protection policy to be sure who your personal data is being shared with, where it will be stored or processed, and what purposes it will be used for, amongst other information.
  • Think twice about what permissions for data or sensors you are being asked for: Do you really need to share your location or your list of contacts for instance? What will that data be used for?
  • If the data protection or privacy information is inadequate or too much information or access to your device is being sought, you should be wary of sharing personal data with this service, and may want to take further steps, or consider another service.
  • Ensure your device is used in a safe location, for example, keep an eye on what (or who) can be seen from your camera, and be sure to log out, mute, or turn off video, as appropriate, when you leave or take a break.
  • Consider the data protection and privacy rights of others before you post or share a picture or video of a video-call that contains their image, voice, and/or contact details.
  • Have a read of our general tips on staying safe online during a pandemic.

Tips for Organizations

  • Employees should be using your contracted service providers for work-related communications. Ensure you are happy with the privacy and security features of the services you ask them to use. Ad-hoc use of apps or services by individuals should not be encouraged.
  • Try to ensure that employees use work accounts, email addresses, phone numbers, etc., where possible, for work-related video-conferencing, to avoid the unnecessary collection of their personal contact or social media details.
  • Make sure that clear, understandable, and up-to-date organizational policies and guidelines are provided to those using video-conferencing, so they know what rules to follow and steps to take to minimize data protection risks. This should include information on the controls the services provide and that are available to them to protect their security, data, and communications.
  • Implement, and/or advise employees to implement, appropriate security controls such as access controls (such as multi-factor authentication and strong unique passwords) and limit use and data sharing to what is necessary.
  • Where video-conferencing services need to be used for organizational reasons, have a consistent policy regarding which services are used and how, and offer through VPN or remote network access where possible.
  • Avoid sharing of company data, document locations or hyperlinks in any shared ‘chat’ facility that may be public as these may be processed by the service or device in unsafe ways.
  • Read our guidance on Protecting Personal Data When Working Remotely and our guidance on data security and make sure the points contained within are made clear to employees.

Read the original information note at Data Protection Tip for Video Conferencing

Full information note from the Data Protection Commission (DPC) Ireland

Protecting Personal Data When Working Remotely


  • Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced.
  • Make sure that any device has the necessary updates, such as operating system updates (like iOS or Android) and software/antivirus updates.
  • Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimize who else can view the screen, particularly if working with sensitive personal data.
  • Lock your device if you do have to leave it unattended for any reason.
  • Make sure your devices are turned off, locked, or stored carefully when not in use.
  • Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
  • When a device is lost or stolen, you should take steps immediately to ensure a remote memory wipe, where possible.


  • Follow any applicable policies in your organization around the use of email.
  • Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email make sure contents and attachments are encrypted and avoid using personal or confidential data in subject lines.
  • Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.

Cloud and Network Access

  • Where possible only use your organization’s trusted networks or cloud services, and comply with any organizational rules and procedures about Cloud or network access, login, and data sharing.
  • If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.

Paper Records

  • It’s important to remember that data protection applies to not only electronically stored or processed data, but also personal data in manual form (such as paper records) where it is, or is intended to be, part of a filing system.
  • Where you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g., shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
  • If you’re dealing with records that contain special categories of personal data (e.g., health data) you should take extra care to ensure their security and confidentiality, and only remove such records from a secure location where it is strictly necessary to carry out your work.
  • Where possible, you should keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices.

Read the original information note at Protecting Personal Data When Working Remotely

An extract from an article by Nick Statt via The Verge

Google Bans Its Employees from Using Zoom Over Security Concerns

Google is issuing a ban on the use of the Zoom teleconferencing platform for employees. The company is citing security concerns with the app that have arisen since Zoom became one of the most popular services for free video chatting during the COVID-19 pandemic. The news was first reported by BuzzFeed News earlier today [April 8, 2020].

Google emailed employees last week about the ban, telling workers who had the Zoom app installed on their Google-provided machines that the software would soon no longer function. It is worth noting that Google offers its own enterprise Zoom competitor called Meet as part of its G Suite offering.

Other issues have included exposed Zoom recordings, undisclosed data sharing with Facebook, exposed LinkedIn profiles, and a “malware-like” installer for macOS. The company now faces a full-blown privacy and security backlash. Zoom has responded by racing to plug holes and beef up its consumer and corporate protections to stave off stiff competition from Microsoft Teams and Skype, Google’s G Suite apps, and other more traditional teleconferencing providers. Zoom said earlier this month that it would pause new features for 90 days to focus on privacy and security.

Read the complete article at Google Bans Its Employees from Using Zoom Over Security Concerns

An extract from an article by Matthew Finnegan via Computerworld

Zoom Hit By Investor Lawsuit As Security, Privacy Concerns Mount

The challenges facing Zoom continue to mount, as the company now faces an investor lawsuit and more organizations ban the use of the video meeting app due to privacy and security concerns. The company also upped efforts to improve its security and privacy practices by hiring Facebook’s former CSO as a consultant.

Zoom has seen a surge in use in recent weeks as self-isolation in response to the pandemic ramps up the demand for video software. As its popularity has boomed – both for business and personal use – and the company’s stock price rocketed, Zoom has come under pressure on a number of fronts.

On Tuesday [April 7, 2020], shareholder Michael Drieu filed suit in a California federal court, alleging that Zoom “significantly overstated” the degree to which its platform is encrypted, failing to disclose these “deficiencies” to shareholders.

Zoom admitted on April 1 to a “discrepancy” in its definition of end-to-end encryption from the commonly accepted definition. Drieu claims he and other shareholders have suffered “significant losses and damages” due to a drop in Zoom’s share price after the admission.

Read the complete article at Zoom Hit By Investor Lawsuit As Security, Privacy Concerns Mount

An extract from a class-action lawsuit filed against Zoom Video Communications 

Cullen v. Zoom Video Communications, Inc.

US District Court for the Northern District of California, March 30, 2020

Zoom, however, has failed to properly safeguard the personal information of the increasing millions of users of its software application (“Zoom App”) and video conferencing platform. Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties, including Facebook, Inc. (“Facebook”), invading the privacy of millions of users.

Case 5:20-cv-02155 Document 1 Filed 03/30/20 (PDF)

An extract from a class-action lawsuit filed against Zoom Video Communications 

Drieu v. Zoom Video Communications, Inc. et al

US District Court for the Northern District of California, April 7, 2020

The truth about the deficiencies in Zoom’s software encryption began to come to light as early as July 2019. However, due in large part to the Company’s obfuscation, it was not until the COVID-19 pandemic in March and April of 2020, with businesses and other organizations increasingly relying on Zoom’s video communication software to facilitate remote work activity as governments increasingly implemented shelter-in-place orders, that the truth was more fully laid bare in a series of corrective disclosures. As it became clear through a series of news reports and admissions by the Company that Zoom had significantly overstated the degree to which its video communication software was encrypted, and organizations consequently prohibited its employees from utilizing Zoom for work activities, the Company’s stock price plummeted, damaging investors.

Case 3:20-cv-02353 Document 1 Filed 04/07/20 (PDF)

An extract from an article by Oded Gal via the Zoom Blog

The Facts Around Zoom and Encryption Meetings/Webinars

In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it. This blog is intended to rectify that discrepancy and clarify exactly how we encrypt the content that moves across our network.

The goal of our encryption design is to provide the maximum amount of privacy possible while supporting the diverse needs of our client base.

To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.

Read the complete article at The Facts Around Zoom and Encryption Meetings/Webinars

An extract from an article by Maria Crimi Speth of Jaburg Wilk

How Private is Zoom Videoconferencing?

Many of us find ourselves attending meetings by video conference, such as Zoom. You might even be having confidential interactions with your clients, medical providers, or legal providers. If you are wondering how secure those interactions are, we analyzed Zoom’s security, legal, and privacy policies (which were updated on March 18, 2020) to help you stay informed without having to read all the fine print.

Read the complete article at How Private is Zoom® Videoconferencing?

An extract from Zoom’s Privacy Policy by Aparna Bawa via Zoom

Zoom’s Privacy Policy

At Zoom, ensuring the privacy and security of our users and their data is our top priority. We want to address recent concerns about Zoom’s privacy policy.

We want to emphasize that:

  • Zoom does not sell our users’ data.
  • Zoom has never sold user data in the past and has no intention of selling users’ data going forward.
  • Zoom does not monitor your meetings or its contents.
  • Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR and the CCPA.

We are not changing any of our practices. We are updating our privacy policy [March 29, 2020] to be more clear, explicit, and transparent.

Read the complete article at Zoom’s Privacy Policy

Source: ComplexDiscovery

The post The Boom of Zoom? Careful Considerations for eDiscovery Professionals appeared first on ComplexDiscovery.