By Dan J. Nichols and Kaushik Rath

Message to the Present from the Future

Imagine that the year is 2021.  It has been 365 days of virtual meetings: business strategy sessions, product development conferences, Board of Directors meetings, “check-ins” among coworkers, and consultations with in-house attorneys—all conducted via Zoom or other videoconference platforms.  Thousands of hours have been spent connecting through webcams, and potentially many of those hours were recorded.  Whether knowingly recorded to enable absent attendees to stay informed or unknowingly taped and stored to an employee’s videoconference account, these recordings present more than one opportunity for risk—these multiple hours of recordings can result in compliance issues, security concerns, and legal obligations down the line.

Now, with this potential of recording-related risk in mind, imagine that you could send a message back in time to the present.  What questions, information, and tips would you and your attorney give your present self to consider?

Are We Recording Videoconferences?

Millions of employees suddenly shifted to working from home during the pandemic, and with that shift, videoconferencing grew exponentially.  For example, in a matter of a few weeks, Zoom went from 10 million users to 200 million, including multinational corporations and governmental organizations.  Microsoft Teams, Google Hangouts, BlueJeans, GoToMeeting, and other platforms also saw increased use.  Did your company have a policy in place or institute one on videoconference procedures?  And if so, did this policy include protocols on recording?  Even if your company did not formalize a videoconferencing plan, employees likely used video conference platforms to engage with colleagues and clients across the world.  And many of those videoconferences were recorded.  Do you know how many?

Who Can Record a Videoconference?

Some platforms (including Zoom) allow only the host to record meetings, effectively removing the ability of the other participants to record or, more importantly, to prevent the recording.  Do your meeting organizers understand their responsibilities when creating a recording?  Are they ensuring the consent of all participants and compliance with the company’s information governance policies?  Do participants know whom to contact should there be questions regarding company policy on videoconference recordings?  Do you know who can record videoconferences on the platform(s) your employees are using?

What All Is Being Recorded?

Recorded videoconferencing calls capture not only video and audio data, but also other information, including metadata.  Meeting recordings can capture host and participant information, documents circulated via screen shares, and meeting chats.  That data may be covered by different components of the company’s retention policies.  Further, the different kinds of data can create collection issues down the road in litigation.  Are we reminding videoconference organizers of the company’s retention policies and how they need to address all content that might be recorded?

How Secure are the Recorded Meetings?

With the increase in use, videoconferencing security has come under growing scrutiny.  For example, Zoom recently came under fire for allegedly misrepresenting the encryption level used for its videoconferencing meetings.[1]  Despite asserting it used “end-to-end encryption for video meetings,” which would protect against external attackers and prevent Zoom from accessing the contents of a video meeting, Zoom was using transport encryption.  This use means that Zoom has access to unencrypted audio and video from meetings.  In response to a shareholder derivative lawsuit regarding misrepresenting “end-to-end encryption,” Zoom conceded: “to be clear, in a meeting where all the participants are using Zoom clients, and the meeting is not being recorded, [emphasis added] we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving client.”[2]  All platforms have their own security settings and issues.  Regardless of platform, you need to dig into the security features to know if you are taking any risks by using the platform.

Acceptance of the Terms of Service can mean that users also consent to the storage of recordings for any or all meetings or webinars.  It is unclear how long those recordings are stored, but there is potential that the service providers could be subpoenaed for the recordings during litigation.

Are We Consenting to Recordings?

The recording of conversations, whether in person or electronically, is governed by state, federal, and international law.  While most states require one-party consent, effectively allowing the recording party to record without the consent of the other party, some states require the consent of all parties.  In videoconference calls, where participants may be scattered across multiple jurisdictions with conflicting laws, or even internationally, the issue of determining the governing law becomes far more complicated.  Numerous approaches to determining the governing law have compounded the complexity.  Some jurisdictions view the location of the recording device to control the law, while others apply the law of the state in which the person being recorded is situated.

To avoid the risk of non-consensual recordings, are organizers of meetings affirmatively obtaining the consent of all the parties to the recording of a meeting?[3]  Alternatively, do we have a disclaimer, drafted or reviewed by an information law attorney, that at the outset of the meeting would put the participants on notice that the teleconference call is being recorded?

Is This Recording Privileged or Confidential?

Counsel should be aware that attorney-client privilege can also be compromised during videoconference calls.  This situation can be especially troublesome with videoconferencing, as inadvertently permitting someone whose presence vitiates privilege to access an otherwise privileged live stream conversation, or the subsequent recording can result in waiver.  Such privilege-busting participants can include third parties or employees who are outside the appropriate group for privileged communications.  Are we comfortable recording videoconferences with privileged content?

Likewise, videoconference recordings can include trade secrets or other confidential business information, allowing widespread access to the information and weakening protections for sensitive information.

Should This Recording Be Kept for Litigation?

Generally, parties are not required to affirmatively record meetings.  (Notable exceptions include regulated financial institutions under Dodd-Frank, NASDAQ, and SEC regulations.)  However, if a recording is made, it may be subject to a preservation duty, i.e., a legal obligation to preserve in connection with a pending or anticipated legal matter.  Video recordings are challenging data to work with in litigation and can create additional costs for collection, review, and analysis.  Are we preserving recordings for legal holds?  Do meeting organizers understand the ramifications if recordings are made of content subject to legal holds?  Should we restrict the content that can be recorded?  If a video conference is subject to a legal hold, do we know we can and will keep it?

Should We Be Budgeting for Recording-Related Expenses?

The cost of video recordings begins with the actual storage cost, but it does not end there.  If video recordings are relevant in litigation, costs can skyrocket, even with advancements in automated transcription and video analysis tools.  Further, any management of the recordings for information governance creates new needs for processes and technological solutions.

Tips for Organizations

  1. Establish clear guidelines on when employees should or should not record videoconference meetings.
  2. For recorded videoconference meetings, ensure that there is clear guidance regarding applicable retention period(s) and application of legal holds.
  3. At the organizational level, implement controls and use services (such as VPN) to mitigate data protection risks. [4]
  4. Through policies and controls, only permit the use of videoconference providers with adequate privacy and security measures.  For example, to reduce the risk of either inadvertent or malicious “Zoom bombing,” hosts should adjust their settings so that only the host can share the screen and use the “waiting room” function for all meetings, which allows for the host to approve potential meeting participants.
  5. To avoid phishing schemes, meeting hosts should generate random meeting IDs instead of relying on Zoom-generated links.
  6. Prohibit the host or any participant from storing recordings locally to a computer and make certain that the storage of recordings complies with existing information governance policies.
  7. Where appropriate, encourage the use of Zoom webinars over meetings because they do not include group participation,  are more secure, and less attractive to hackers.[5]
  8. For platforms other than Zoom, please make sure that you apply similar scrutiny for security and management of videoconference and any recordings.

Back to the Present

For those fortunate enough to work from home during the pandemic, videoconferencing is a godsend.  However, the rapid change in work environments afforded little time to think about the implications.  Now is the time to understand the videoconferencing tool, think about its business and legal implications, formulate sensible and workable governance policies, and act.  In short: realize the value and mitigate the risks.