With the sudden increase in WFH policies, many companies have increased their use of audio and video conferencing tools. But with the improved communication and productivity they offer come increased security concerns. Kroll’s Alan Brill discusses privacy risks and examines the legal issues associated with using these tools.
As IT and information security teams and professionals have been required to act swiftly to ensure their organizations remain operational during COVID-19, there is a potential danger that may be overlooked, not only during the pandemic, but also when a company is operating normally.
One of the problems that had to be solved was how to deal with meetings that could no longer be face-to-face interactions. Sometimes, a phone call is enough, but often, larger group meetings need something with greater capabilities, like a dial-in conference line or a video-conferencing application.
What’s easy to forget is that using any service or application can have legal consequences. While IT professionals are not specialists in applying the law to their technologies, they cannot ignore the problem.
In fact, the person who decides to record an audio or video conference may be committing a crime that could result in arrest and imprisonment.
Let’s look at two potential problems with these audio and video conferencing capabilities.
1. Consent to Being Recorded
Most of the audio and video conference platforms that have experienced explosive growth in use during the pandemic have a feature that permits the recording of meetings with a click of a mouse. This poses a number of problems.
The first problem is around consent. There are state and federal laws in the U.S. and many other countries concerning the unauthorized recording of conversations. A shortcut term for these problems is “wiretapping,” and it is important to know that the concept of unauthorized interception of communications is much broader than what is portrayed on television.
In terms of a simple telephone call, do you have the right to record it? In some states (often referred to as “one-party” states), a call can generally be recorded if one of the parties on the call consents to the recording. In others (“two-party states”), the law says that all parties on a call must consent for a recording to be lawful. California and Florida are examples of two-party states.
In many cases, audio or video meetings may involve participants in different states or even different countries. It is important to know where those on a call or in a meeting are. Some nations have broad prohibitions against communication interception. In some countries, information on a call or video conference may implicate privacy laws like the European Union’s General Data Protection Regulation (GDPR) or the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Violation of state or federal laws can have serious consequences, including both criminal charges and civil litigation.
When it comes to consent, counsel should also be consulted on the question of what constitutes consent. Is it enough to have an icon on the screen of a video conference that says or means “recording”? Should the person running the meeting announce it? Does each person on the line or in the conference have to give affirmative consent? Is staying in the meeting enough? What about people who join a meeting after it has begun and after an opening announcement was made? Could a late joiner claim that they were recorded illegally? Could a disclaimer be placed in the invitation to the meeting (“Joining the meeting represents your consent for the recording.”)? Note that many conference meeting applications provide a means of embedding a disclaimer for recording in the meeting invitation. Some can provide a list of participants who agreed to the recording.
2. The Recording May Be Evidence
The other problem concerns how to get people to think before pressing the “record” button. Aside from the issues that we’ve considered above, remember that any recorded communication may constitute discoverable evidence in any future litigation. Consider that people working in unusual circumstances (like from home, rather than in an office) may make jokes or say things — particularly at the start or end of a meeting — that might not reflect favorably on them or the company if that recording made its way into a court proceeding. To ensure employees are mindful of this, it is important to have guidelines:
- First, not all meetings should be recorded. Unless there is a good reason to record it, such as a training session or one that needs to be viewed later by those who were not there, don’t record audio or video meetings.
- When there is a need for a recorded meeting, make sure that the person running it understands counsel’s requirement to ensure that everyone on a conference call or video understands that it is being recorded and, where necessary, gives consent in the manner prescribed by counsel.
- When a meeting is recorded, it should only be recorded by the person calling the meeting. There should be a policy prohibiting others from recording a meeting. Consult counsel about implementing a policy prohibiting employees from recording meetings they attend without authorization from the person running the meeting. (There are software applications that enable a meeting participant to record a meeting they are attending.)
- Only retain recorded meetings as long as necessary. Like other business records, keeping information longer than that information has value makes little sense unless there is a legal or regulatory requirement to retain it.
- If there is litigation relating to the subject of a recorded call or video meeting, it may be covered by a legal hold and should not be deleted without advice of counsel.
These issues with recorded conferences will be relevant even after things return to more normal circumstances, but now is the time to consider them and to develop the appropriate guidelines in conjunction with the advice of counsel.