For many lawyers, the early days of the COVID-19 pandemic were a forced apprenticeship with virtual communications technologies, perhaps none more important than the easy-to-use, low-cost Zoom videoconferencing platform. Zoom calls, Zoom hearings, and Zoom depositions proliferated as a matter of necessity and, in nearly every jurisdiction, as a matter of judicial fiat.
Zoom use jumped from 10 million users at the end of 2019 to 200 million users in March 2020, according to the ABA Journal.
But as Zoom’s footprint within the legal community grew rapidly, some wondered — prompted by news of “Zoom bombing” and Zoom-inspired phishing exploits — whether Zoom meetings were safe enough places to discuss client business and share privileged client information. The answer is yes, with a few caveats. While it is true that Zoom had some “not ready for prime time” moments early in 2020, the company subsequently invested considerable time and money in an attempt to mitigate risks identified during the COVID-19-related crush of new users.
For most uses, Zoom-related security concerns are now largely misplaced and almost entirely mitigated when users take advantage of the safeguards that are available on the platform.
In fact, of all the security risks faced by today’s virtual lawyers, data theft by Zoom hackers ranks low on the list. The consensus among cybersecurity experts is that Zoom technology is safe for nearly all use cases in the legal profession.
This article reviews security measures deployed by Zoom and security measures that should be adopted by users of the platform. Together, they can create an information-sharing environment that meets the legal profession’s ethical obligation to take reasonable measures to protect client information from access by unauthorized persons in most uses.
The security considerations discussed here apply to some extent to all videoconferencing services providers. Zoom is an apt topic for discussion, however, due to its wide use within the legal community. The broad outlines of information security threats faced by legal users — and the measures employed to mitigate them — discussed below should be roughly similar across all platforms.
Security Features Offered by Zoom
In recent months, Zoom has made several technical changes to enhance platform security:
Stronger passwords, longer meeting identifiers. In April 2020, Zoom gave meeting hosts the ability to enforce tough-to-guess password requirements and increased the length of meeting identifiers from nine to 11, making them harder for outsiders to discover.
Two-factor authentication. In September 2020, Zoom made two-factor authentication (2FA) available to users. Two-factor authentication — essentially, a requirement that users present two forms of identification — provides assurance that meeting attendees are who they represent themselves to be.
End-to-end encryption. In October 2020, the company enabled end-to-end encryption (E2EE) for paid and free accounts. E2EE, which can be turned on or off on a per-meeting basis, scrambles communications and is a critical technology for preventing unauthorized prying into Zoom videoconferences.
“Zoom bombing” protections. In November 2020, Zoom added two features designed to quickly eject uninvited Zoom meeting guests. Meeting hosts can now quickly suspend any meeting participant. Non-host meeting participants also gained the ability to report disruptive participants to the meeting host.
In any event, lawyers will want to use their own judgment when deciding whether Zoom security is robust enough for their intended uses and compliant with relevant regulatory regimes. For example, Zoom’s HIPAA-compliance report should be reviewed whenever health information will be shared during a videoconference. And the prospect that high-value proprietary information could be shared during a Zoom-hosted videoconference should prompt a careful review of Zoom’s current security feature set. Zoom is continually strengthening the platform’s security measures in response to user needs.
A recent federal enforcement action arising from Zoom’s China operations is worth contemplating.
On Dec. 18, 2020, the U.S. Attorney for the Eastern District of New York announced criminal charges against a China-based Zoom employee who allegedly, at the behest of the Chinese government, disrupted Zoom videoconferences among U.S. residents discussing the 1989 Tiananmen Square massacre in the People’s Republic of China. Zoom officials provided more information about the incident in a subsequent blog post.
Lawyers will also want to examine the Zoom Privacy Statement and Government Requests Guide to determine whether they are comfortable with the personal data collected by Zoom and the extent to which Zoom meeting data can be shared with law enforcement agencies and other third parties.
User Settings and Controls
In addition to the built-in security protections on the Zoom platform, Zoom users can use several tools to increase the level of security available during Zoom meetings:
The waiting room. Zoom’s “waiting room” is a holding area for meeting participants. Participants cannot join the meeting unless the host affirmatively admits them. Participants in the waiting room cannot hear the meeting or speak to others, and the waiting room screen displays only the meeting identification information.
With paid Zoom plans, meeting hosts can create VIP lists and lists of preapproved domains that will allow meeting participants to bypass the waiting room.
Think of waiting rooms as a security guard for the meeting. Never admit uninvited meeting participants who appear in the waiting room.
As of Sept. 27, 2020, all Zoom-hosted meetings must either employ a passcode or a waiting room, or be restricted to authenticated users only (e.g., invited VIPs or users from a particular domain).
Passcodes and meeting registration. Meeting hosts should protect all meetings with a passcode and should strongly consider requiring participant registration in order to join the meeting. With registration, the meeting host can collect information about each meeting participant. Registered participants must still have a password to access the meeting.
Attorneys should be judicious when distributing links to Zoom meetings, and Zoom meetings involving client matters should never be shared on social media. Nor should attorneys use their personal Zoom accounts to host legal meetings, because meetings hosted by personal accounts are accessible via a static (and guessable) meeting address. The long random meeting identification number now used by Zoom is much more secure.
Chat settings. In-meeting chat is useful for sharing links and answering questions. Chat can be configured to allow participants to chat with each other, chat with the meeting host alone, or not chat at all.
Meeting hosts should carefully consider the extent to which they permit participants to engage in chat sessions. The possibility of one-on-one chat between meeting participants is a particular concern in legal proceedings, inasmuch as it creates opportunities for unmonitored, private conversations between witnesses and third parties.
Meeting hosts should also consider whether to allow participants to save chat histories to their local computer for later review.
File transfer and screen-sharing. Zoom’s file transfer functionality allows files to be shared within the context of the meeting. Meeting hosts can disable file-sharing or, if permitted, limit shared files to a particular size and file type (e.g., PDF files only).
Screen-sharing capabilities by hosts and participants can be turned on or off or limited to the meeting host.
Other controls. Meeting hosts also have the ability to control the audio and video of meeting participants and to prevent them from changing their on-screen identifiers.
Three Practical Tips
A host who starts a Zoom meeting early will have time to customize the meeting controls to make the event as secure as possible. It’s also a good idea to practice setting up meetings. Meeting hosts might also send themselves a meeting invite — this way, they will be able to experience the meeting attendance process from a participant’s perspective.
An important thing to note about Zoom is the distinction between “settings” and “controls.” Settings establish the feature set that the host can then control and customize during the meeting. For example, if a Zoom feature such as a waiting room is not enabled in settings, then it will not be possible for the meeting host to use a waiting room during the meeting.
Legal users should consider the ramifications of using Zoom to store recordings of depositions and other law-related meetings. Regardless of the strength of data security measures there, the mere act of storing data on Zoom creates an additional opportunity for cyberattack by malevolent parties.
Zoom Security Rx: Technological Competence
At the end of the day, the responsibility for ensuring that Zoom meetings are conducted in a reasonably secure and ethical fashion falls on the individual attorney. In fact, many believe that the ability to deploy technologies such as Zoom to efficiently — and safely — handle client matters is what the American Bar Association had in mind when it added the duty of technology competence to the Model Rules of Professional Conduct in 2012 (ABA Model Rule 1.1, Comment 8). Zoom passcodes, VIP access lists, waiting rooms, and controls on meeting participant behavior make it possible for attorneys to tightly lock down any Zoom meeting, provided they take the time to learn and practice them.