Keeping It Confidential: Protecting Data Privacy, Attorney-Client and Work Product Privilege with the Rise of Videoconferencing
The shuttering of businesses in response to the Covid-19 outbreak forced many companies to unexpectedly and quickly migrate to a remote workforce in order to continue operations. Law firms and clients alike faced unprecedented challenges adapting to new work environments, technological challenges, and privacy and security concerns.
The ethical rules vary by state regarding Attorney-Client and Work Product privilege, but the ABA has issued guidance on telecommunications to encourage attorneys to protect information transmitted electronically. See Formal Opinion 477.
There are a number of considerations and recommended steps to protect data privacy and privilege while working remotely.
I. Internet Security and Encryption
Internet security should be the first consideration to ensure all communications are protected while working remotely. Working in a public space and using free Wi-Fi is a great way to jeopardize the attorney-client privilege or enable a data breach. While most people are working from their own homes, not everyone secures their internet appropriately. It is not sufficient to simply password-protect home internet. Any company, law firm, or business that handles sensitive data should consider using a Virtual Private Network (“VPN”) to add secondary security. Additionally, all data should be encrypted and accompany strong security protocols. All confidential attorney-client and work-product privilege MUST be labeled as such.
II. Hardware and Software
While some companies were already equipped to allow employees to work remotely, others were unprepared. These companies experienced complications that arose from allowing an employee to utilize a personal computer to conduct work-related business.
Aside from security and privacy issues, some software installed on an employee’s personal machine may contain license restrictions against commercial use. The software license agreement for each product outlines specific use cases and restrictions. If the employee fails to abide by these restrictions by using the software for a new work-related purpose, the company itself could be liable for copyright infringement damages for violating the license agreement.
The best way to avoid potential copyright infringement damages is to provide each employee with a company-owned device that has properly licensed software pre-installed. Additionally, this provides the company a unique opportunity to install encryption and VPN connections, to deploy security protocols that prevent an employee from downloading any unlicensed software and to otherwise ensure the device is protected against a security breach.
III. Videoconferencing Protocols
The influx of traffic on web conferencing systems such as Microsoft Teams and a few others created issues with bandwidth and availability as their servers were overloaded. Zoom, another web conferencing company, was compromised by interlopers joining unsecured meetings. Videoconferencing has become a lifeline for many companies to continue business as usual in a remote environment, but it can be precarious if the correct steps are not taken to ensure privacy.
A. Password Protect All Meetings. Every meeting should be protected by a password. A number of videoconferencing companies allow a user to use their personal meeting login. However, it is not wise to repeat meeting IDs or passwords. If possible, always use a new, generated meeting ID and password. In the instance of recurring meetings with the same participants, most web conferencing options allow the same ID and password to be used for the recurrence.
B. Limit Participants to Protect Privilege. Most video or web conferencing platforms allow the host of the meeting to view the names and/or phone numbers of all participants. Ask everyone on the line to identify themselves. If you do not recognize a phone number or participant, end the meeting and send a new ID and password. In addition to random interlopers, it is critical to ensure that a client or customer does not invite third parties, contractors, or any other unauthorized person to the meeting when sharing attorney-client or work product privileged information. Sharing the information with third parties destroys the privilege and makes the information discoverable.
C. Ensure Meetings are Conducted in Secure, Private Locations. By now, most people have shrug off random barks or shouts from children in the background of web conferences. While it can be expected in light of school closures and family members working from home, it is important that other individuals are not able to overhear confidential discussions. If working in your own home, secure a location to conduct your meeting that will ensure no one will be able to observe it. For individuals traveling, it is equally important not to share sensitive information in public places like airports or restaurants.
D. Control Call Recording. There are many reasons why individuals might record a call from an attorney or a work-related discussion. The discussion itself could be confidential or privileged, but if the recording is backed up and stored elsewhere or discovered by participants outside of the conversation, it can lose the attorney-client privilege and can be discoverable in litigation. Communicate effectively with all participants in meetings to ensure everyone understands how to protect confidential information.
E. Avoid Attachments to Calendar Invitations. An easy way to ensure all parties have files readily available to discuss is to attach them to a calendar invitation. However, some conferencing systems, such as Amazon Chime, include an Amazon recipient on all invitation. This can be removed, but if a user is not cognizant of this issue, you could be sharing work-product privileged and other confidential files with third parties and thus destroying the privilege. If you have not fully vetted the web conferencing platform and considered the security of the transmissions, it is best to avoid sharing files through the calendar invitation.
Proper training and communication can go a long way to protect confidential and sensitive information. If you are unsure about how to minimize risks associated with working remotely, Scott & Scott, LLP can help.