Who’s Zoomin’ Who is a studio platinum album made by the late great Aretha Franklin in 1985. The track was about a man and a woman, who think they are “zooming” the other into a relationship. Skip ahead 35 years, add in a pandemic, and zooming takes on an entirely different meaning. As part of our new normal, virtual meetings have effectively taken the place of the face-to-face meetings of our pre–COVID world. In the automotive industry, there have been many discussions of the COVID-accelerated transition to digital marketing and even commercials seem to promote Zoom-style sales. The Mercedes 2020 Summer Event commercial “Benz Time” shows a salesman in a showroom demonstrating car features over the internet to a couple holding an iPad at home and encourages shopping online.

Whether businesses interact in person or virtually, they must do so in a safe and secure manner to retain customer trust and comply with applicable law.

Digital retailing may be the trend of our times, but does it represent increased liability risk to the stores utilizing virtual meeting software? Zoom software has been criticized in the past for security breaches such as “zoom bombing” (where a third party breaks into a virtual meeting and inserts obscene or other objectionable material), security vulnerability which enables hackers to gain access to webcams or microphones, and permitting too many attempts to submit valid meeting IDs (thus enabling unauthorized individuals to access private meetings). Zoom has been patched numerous times but the risk of unauthorized interception of communication remains a concern. The purpose of this article is not to single out Zoom — since other virtual meeting software companies have had security issues of their own — but rather to consider some of the issues, which arise in the internet meeting space.

The primary issue is one of safeguarding nonpublic personally identifiable financial information (NPI). The Safeguards Rule requires that businesses maintain physical, electronic, and procedural safeguards to protect the confidentiality and security of collected information. To the extent workers are working from home, there is increased vulnerability since the home network environment is not supervised and regularly audited for security purposes. In the internet meeting context, while a demonstration of features of a vehicle similar to the “Benz Time” commercial does not expose NPI, what if the host is using an unpatched application that allows a malicious actor to take control of an unsuspecting customer’s webcam? Besides the Safeguards Rule, state laws may apply. 

Consider the California Consumer Protection Act (CCPA) which provides for a private right of action by affected consumers. In fact, suits have already been filed against Zoom arising from the claim that Zoom shared personal information with Facebook without a user’s consent for use in targeted advertising and without providing the CCPA-required opt-out notice. Of course, claims of fraud can also be brought to the extent virtual meeting software was used to make a fraudulent representation, but that type of claim is not unique to virtual meeting software and exits in real life too.

Prudent businesses should engage their IT department or vendor to ensure that their virtual meeting software is running the latest version of the software and is updated and patched on a regular basis. Some commentators suggest using web-based applications rather than downloaded software since they appear to be updated more frequently. The virtual meeting platforms’ embedded security mechanisms should be enabled. While not an exhaustive list, and using Zoom as an example, features such as generating random IDs for each virtual meeting and enabling security features such as “require a password when scheduling new meetings” are recommended. In a similar vein, users should disable “embed password in meeting link for one-click join” and enable “require password for participants joining by phone.” The waiting room feature should be enabled so that the host must approve any person attempting to enter the meeting. Most other options should be disabled including “join before host,” screensharing for non-hosts and file transfer. After the meeting has started, the meeting should be locked so that no other individuals can join. 

The takeaway is that whether businesses interact in person or virtually, they must do so in a safe and secure manner to retain customer trust and comply with applicable law. While Zoom bombing and other malicious uses of virtual meeting software can create unwanted liability and exposure, they can be easily addressed as part of a compliance management system (CMS). Your CMS should provide policies and procedures applicable to remote working and virtual meetings, as well as training for your employees and audit functionality to protect your business. Don’t let the bad actors “zoom” your business into the danger zone.

Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material.

Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is General Counsel for ARMD Resource Group. Bob is the principal of Wilson Law Firm and has over 30 years of experience both as a counselor and as a litigator in State and Federal Courts. Risk management, problem solving and dispute resolution are his core competencies. Bob’s practice is largely in the consumer finance space and he regularly consults with Lenders and contributes articles on various compliance related issues.