Videoconferencing and Potential Security, Confidentiality and Discovery Issues
Kelley Drye Client Advisory
With most employees working remotely amidst the COVID-19 pandemic, the use of videoconferencing platforms like Zoom, Microsoft Teams, Skype, WebEx, GoTo, Ring, and BlueJeans in everyday business has risen dramatically. Unlike a traditional conference call, videoconferencing feels more personal and more like an in-person meeting because it allows users from around the country and the world to be safely brought together via video. Further, most videoconferencing platforms allow for easy recording and sharing of that video. That convenience and functionality, however, raises security, confidentiality and discovery issues. Therefore, it is important for a business to understand these issues and to implement best practices tailored for the use of videoconferencing and the recording features in order to manage and minimize the risks associated with it.
Security and Confidentiality
You may have recently read news stories concerning “Zoombombing,” a practice whereby an uninvited third-party manages to access a Zoom videoconference and fill it with inappropriate content or otherwise disrupt the conference. While Zoombombing is a nuisance, there are more troubling implications; the ability to insert that inappropriate content means that a third-party gained unauthorized access to your private and confidential business communications. Accordingly, it is imperative to make sure that the videoconferencing platform your business utilizes is secure and protects your business’s confidences. In order to manage security concerns and to avoid the proliferation of videoconferencing data scattered in multiple locations and formats, the first step is to select and approve the videoconferencing platform that the business will use internally and when it hosts such virtual conferences. One of the key security features to look for when selecting a videoconferencing platform is whether it provides end-to-end encryption (a method of secure communication that makes it more difficult for third-parties to access data in transit from one end system or device to another).
Once the business selects a platform, it should issue company-provided videoconferencing accounts and implement a policy designating the approved platform as the sole authorized service. The business should also familiarize itself with and implement certain settings in that platform to improve the business’s security posture. For example, in Zoom, certain settings you should consider implementing include:
- Requiring participants to enter meeting passwords;
- Prohibiting participants from joining meetings until the host joins the meeting;
- Disabling the screen sharing option by participants other than the host;
- Disabling the recording option by participants other than the host;
- Disabling the chat feature altogether, or if chat is enabled, it should be configured so that only messaging among the host and all participants (versus private messaging between participants) is permitted;
- Enabling a waiting room, which allows the host to decide who is allowed into the conference; and/or
- Enabling the use of automatically generated meeting IDs in lieu of personal meeting IDs.
Further, when scheduling a videoconference with a third-party, the best practice is to offer to host the videoconference whenever possible. By doing so, you ensure that you are using software that has been vetted by your business, and you maintain control over various aspects of the videoconference—such as participant-admission, screen-sharing, and recording options. That is not always an option, however, and if you participate in a videoconference hosted by a third-party, those parties will likely maintain control over whether to record the meeting. Accordingly, if you notice that you are on a videoconference that you believe is being unnecessarily or inappropriately recorded, bring that to the host’s attention. (If you are on a Zoom videoconference that is being recorded, the word “recording” will appear in red in the upper left corner of all participants’ screens.)
If you are the host and you do opt to record a videoconference, you also need to consider where you want to save and store such recordings and the ramifications thereof. For example, Zoom provides users with the option of saving recordings on the Zoom cloud or to your desktop/server. If a user saves a recording of a videoconference to the Zoom cloud, that recording is in Zoom’s possession and is subject to Zoom’s retention policies and security procedures, remains outside your direct control, and is vulnerable to a potential data breach. Therefore, for security purposes, it may be prudent to save your confidential and sensitive recordings within your system or with your trusted vendor. Regardless of where you store such recordings, it is very important to save them in a central location so as to be able to locate them quickly and efficiently should the need arise. The expense of storing large video/audio recording files should also be taken into account.
Finally, businesses can further mitigate security and legal risks by providing training to their employees on the approved platform, the settings thereof, and the proper business use and etiquette of videoconferencing and issues associated with it. For example, employees should be reminded that videoconferences are a business tool, and the good business judgment and professionalism that is expected in the office is also expected and should be practiced during videoconferences. Moreover, it is important for employees to understand that they need to take precautions to maximize security and privacy when working remotely, including not holding videoconferences in a public place.
To Record Or Not To Record
Discovery implications of recording videoconferences
With the ease and convenience of the recording feature come potential pitfalls and serious implications for commercial litigation that need to be carefully considered and addressed before deciding to press the record button. This is particularly true today with many employees working remotely – often from the comfort of their home – that has likely fostered a level of informality during these types of communications. Such informality may result in participants making jokes, facial expressions or other gestures that might not reflect favorably on them or the business if such recordings made it into discovery and were to be played to a jury. It is also important to understand what exactly is being recorded and retained. For example, when a videoconference is recorded on Zoom, multiple files are created containing the video, audio as well as any chats that may have occurred during the conference. Further, Zoom offers the ability to transcribe the videoconference and if you enable this option, the audio of the videoconference will automatically be transcribed and a text file of the transcription will also be created and retained.
In making a decision as to whether or not to record some or all videoconferences, it is important to note that absent a legal obligation to record a conversation (for example financial services where one may be required to record a client’s permission for a transaction), there is likely no general duty to record your videoconferences. A videoconference is parallel to a face-to-face meeting that in the pre-COVID-19 world would have been memorialized by meeting notes or related correspondence, if at all. To think of it another way, when is the last time you set up a camera and pressed record before a meeting with a colleague in the office? Despite having the ability to do so using a widely available technology like your iPhone, the likely answer is never. And the fact you can record the same meeting today that is being held remotely because of COVID-19 with a touch of a button should not change your business practice.
As for recordings of videoconferences that already exist, there is likely no obligation to retain and preserve such data for any particular period of time absent a specific regulatory and/or legal requirement. However, please remember that legal obligations to retain data are based on the data’s content and not its format. In that regard, recordings of videoconferences are no different than an e-mail or any other record that may contain data that may be required to be retained for specific periods of time.
Absent any such requirement, to the extent you choose to record, recordings should only be retained while that information has value to the business. A business should update or implement a retention policy specifically addressing how and when such recordings will be maintained, preserved and destroyed. Indeed, as the Supreme Court of the United States has observed, regular disposition of data and information that is not required to be retained is a best information management practice. See Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005) (“Document retention policies which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”) (internal citations and quotations omitted). Failure to implement specific and strict policies governing videoconference recordings and their retention and deletion will likely result in the proliferation of discoverable data and expenses associated with the preservation, collection and review of such data once a duty to preserve does arise.
Once litigation or an investigation is reasonably anticipated and the duty to preserve is triggered, all bets are off. Under common law and as expressly referenced in Federal Rule of Civil Procedure (“FRCP”) 37(e), a party must preserve documents and electronically stored information (“ESI”) when it reasonably anticipates litigation. There is no bright line rule when the duty to preserve arises and the threshold varies by jurisdiction but suffice it to say, it arises as soon as a business anticipates litigation or regulatory investigation. See e.g., Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold.’”). Once the duty to preserve is triggered, you are obligated to preserve documents and ESI in all forms if it is potentially relevant to the anticipated litigation or investigation and must suspend your routine document and ESI retention/destruction policy. To the extent any existing recordings of videoconferences are potentially relevant to the anticipated litigation or investigation, they would fall within the scope of the preservation obligation. Indeed, the business may be subject to severe spoliation sanctions under FRCP 37(e) if potentially relevant documents and ESI are subsequently deleted or lost, such as a monetary penalty, an adverse inference instruction to a jury or even striking of the party’s pleadings.
To the extent you have any doubt, a relevant and non-privileged recording of a videoconference is discoverable ESI. Under FRCP 34(a)(1)(A) and its state-law analogs, a party must produce in response to a proper request “[a]ny designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form . . . .” (Emphasis added). The 2006 Advisory Committee notes on FRCP 34 further explained the broad and expansive scope of what is covered by this language:
Discoverable information often exists in both paper and electronic form, and the same or similar information might exist in both. The items listed in Rule 34(a) show different ways in which information may be recorded or stored. Images, for example, might be hard-copy documents or electronically stored information. The wide variety of computer systems currently in use, and the rapidity of technological change, counsel against a limiting or precise definition of electronically stored information. Rule 34(a)(1) is expansive and includes any type of information that is stored electronically. A common example often sought in discovery is electronic communications, such as e-mail. The rule covers—either as documents or as electronically stored information—information “stored in any medium,” to encompass future developments in computer technology. Rule 34(a)(1) is intended to be broad enough to cover all current types of computer-based information, and flexible enough to encompass future changes and developments.
(Emphasis added). In addition, for the avoidance of doubt, most document requests from an adversary also contain expansive definitions of “Documents” that are being requested and explicitly call for the production of recordings of videoconferences. That being said, it is important to note that the usual limits on discovery – such as proportionality – equally apply to such recordings as they do to any other form of discoverable data.
Finally, it is important to note that even unrecorded videoconferences generate data that may be subject to preservation obligations and discovery. For example, Zoom collects the IP address, operating system, and device details for all videoconference participants even if the video of the meeting itself is not recorded. Therefore, it is important to have a full understanding of what and how such additional data is generated and where and for how long it is stored when approving a videoconferencing platform for your business.
Do I need to or can I change what I do after a preservation obligation arises
It is equally important to remember that “spoliation sanctions apply when a party has lost or destroyed evidence, not when it has failed to create evidence.” Alsadi v. Intel Corp., 2020 WL 4035169, at *5 (D. Ariz. July 17, 2020); see also Burton v. Walgreen Co., 2015 WL 4228854, at *2 (D. Nev. July 10, 2015) (“When determining whether to impose discovery sanctions for spoliation, the threshold question that the court must decide is whether relevant evidence existed. If no relevant evidence existed, then the motion for spoliation is moot.”) (internal citation omitted). Moreover, parties are not generally required to create a record where one otherwise does not exist. See e.g., Malletier v. Dooney & Bourke, Inc., 2006 WL 3851151, at *2 (S.D.N.Y. Dec. 22, 2006). As such, it is unlikely that a party would be subject to spoliation sanctions for not starting to record its otherwise unrecorded videoconferences after a duty to preserve has arisen.
The answer is not as clear, however, if a party changes its practice and stops recording videoconferences that it previously recorded after a duty to preserve has arisen. Although spoliation sanctions generally do not apply when a party has failed to create evidence, some courts have treated changes in business practice as suspect. See e.g., Braun v. Wal-Mart, Inc., 2008 Minn. Dist. LEXIS 109, *34 (Minn. Dist. Ct. Dakota Cty. June 30, 2008) (finding that changes in employment related record practice could have been due to both legitimate business reasons and reasons related to ongoing litigation). Accordingly, if a business makes the decision to record some or all of its videoconferences, it may be exposed to spoliation sanctions if it changes its business practice of recording after a preservation obligation has arisen. Of course, even if no sanctions are imposed, an adversary may use the optics of such a change in business practice against you.
Before recording consider consent and privacy laws of relevant jurisdictions
Although most states require only one-party consent (i.e., consent of the party recording is enough), some states (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) require that all parties to a call or videoconference consent to being recorded. Failure to obtain proper consent could result in civil and/or criminal liability. Further, in some countries, data related to a videoconference may implicate privacy laws like the European Union’s General Data Protection Regulation that have to be considered prior to recording a videoconference with participants located outside of the United States.
When videoconferencing with individuals in different states—or even different countries—it may be difficult to determine which laws apply. Thus, it is always best to obtain the consent of all participants before recording a videoconference. It is advisable to use a disclaimer in the meeting invitation that discloses that the videoconference will be recorded and to have the host of the videoconference remind the participants of that fact at the start as well. If you believe that it is important to record a videoconference and are unable to obtain the consent of one or more of the participants, make sure you understand the applicable laws of all jurisdictions in which the participants are located.
Key Takeaways and Best Practices
Videoconferencing has become an important and integral tool in how we do business and communicate in the COVID-19 world and likely going forward. As such, it is neither possible nor practical to prohibit or avoid using videoconferencing in your business. Instead, it is vital to understand the issues that videoconferencing and the recording thereof present and to address them proactively. Accordingly, please take note of the following “best practices” for the use of videoconferencing:
- Select and approve a videoconferencing platform to be used by your business.
- Implement specific default settings on the approved videoconference platform to improve security.
- Implement employee training on the approved platform and proper business use of videoconferencing.
- Unless there is a specific obligation or business purpose, implement a policy prohibiting or strictly limiting the recording of videoconferences.
- To the extent recordings already exist or there is a specific business reason to make such recordings, update/implement a retention policy specifically addressing how and when such recordings will be maintained, preserved and destroyed and add specific language to your litigation hold notices concerning such recordings to make sure that they are retained if a preservation obligation arises.
- For sensitive communications that would typically take place during in-person meetings, consider using a traditional form of communication like a telephone call as opposed to a videoconferencing platform.
- If you have something sensitive to discuss on a videoconference, include your attorney on the videoconference. Although the mere presence of an attorney does not guarantee that the videoconference will be deemed privileged in a future litigation, it will certainly help make the recording non-discoverable.
- Implement a procedure for obtaining consent from participants prior to recording a videoconference.