The COVID-19 pandemic and resulting office shutdowns has required many organizations to quickly transition to remote working environments. Going remote often requires a number of technology solutions and tools such as video conferencing, email, cloud file storage, file sharing, chat and communication platforms, and remote desktop applications, just to name a few. In a normal world, implementing new technology typically requires months of planning and preparation, however the COVID-19 pandemic has rushed many companies to do this in just weeks, or even days, to keep their companies running. Often, these tools are used to share and store personally-identifiable information, confidential information, and various other types of information for which companies have contractual and/or legal obligations (collectively “protected information”). Additionally, vendors of remote work technology tools may learn information about companies and their users through use of the tools. This results in significant privacy and security risks that may not have yet been considered.
It has been a bad week for Zoom Video Communications Inc. (a video conference service that countless companies and schools are using for remote video conferencing in response to COVID-19). The company was hit with a class action lawsuit claiming that Zoom illegally shared millions of users’ personal information with Facebook and failed to protect their personal information. Specifically, the lawsuit alleges that Zoom violated the California Consumer Privacy Act and committed fraud in violation of California’s Unfair Competition Law through Zoom’s alleged privacy misrepresentations, inadequate privacy notices about its data collection and use, and its failure to implement and maintain reasonable security procedures. The lawsuit also alleges that Zoom committed fraud in violation of California’s Unfair Competition Law, violated California’s Consumers Legal Remedies Act, and violated consumers’ California constitutional privacy rights. Further, multiple instances of hijacking of Zoom meetings have been reported nationwide. FBI Boston issued a press release regarding the so-called ‘Zoombombings” to alert users to the issue and protections that should be implemented. And it has been reported that a vulnerability in the Zoom Windows client could allow attackers to steal the Windows credentials of users through a text messaging feature in the chat interface.
All of this should serve as a power call to action for all companies to carefully consider privacy and security practices when engaging vendors and service providers, even now. Perhaps especially now. The rush to engage vendors during the COVID-19 pandemic should not be at the expense of privacy and security. Whether your company is currently evaluating vendors, or has already rolled out remote working technology solutions, now is the time to think about these issues.
Questions to Consider
When evaluating vendors and service providers, it is important to answer the following questions:
- What protected information will my company share with the vendor, and what will they have access to?
- Will the vendor do with information it learns about my company and its users?
- Will the vendor have access to my company’s network or information systems?
- What is the vendor permitted to do with protected information that my company shares with them? (look out for broadly-worded privacy notices)
- What risk does the vendor present to my company?
- If the vendor has a data breach, is my company protected? (think about the impact of a breach and whether the agreement provides protection)
- How does the vendor safeguard protected information that my company shares with them, and what security controls have they implemented?
- Does the vendor meet compliant requirements that may be necessary for my business and for the types of protected information that my company plans to share? (e.g., if a vendor has access to payment card information, think about PCI-DSS compliance)
- Does the vendor share my company’s protected information with any third parties?
- What service levels has the vendor agreed to provide, and are they adequate for my company’s use?
- Where does the vendor store the protected information? (is all information stored in the US?)
- How will the vendor assist my company to fulfill requests my company receives to access, correct, or delete personal information?
Think about potential legal and contractual obligations your company has, as well as internal company policies, that may be impacted by sharing protected information with vendors:
- Does the protected information that my company is sharing with the vendor include personal information governed by data privacy laws, such as the California Consumer Privacy Act (CCPA) and the European Union General Data Protection Regulation (GDPR)?
- Does the protected information include sector-specific information such as health information or financial information governed by laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA)?
- Does the protected information include information collected from children or student records governed by the Children’s Online Privacy Protections Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), or other similar state laws?
- Are there laws, contractual obligations, or internal policies that dictate certain security requirements that my company’s vendors must meet before my company can share protected information?
- Does my company need permission from its customers to share their information with the vendor?
- Do my company have contractual obligations pursuant to contracts with third parties that my company is obligated to impose or “flow-down” to the vendor? If so, does the services agreement properly do that? (e.g., a customer agreement may require all subcontractors to meet certain cyber security requirements)
- Does my company have established privacy and security vendor guidelines that must be met before sharing protected information with the vendor? (these are often set forth in information security policies or procurement standards)
Strategy and Tips
Here are a few ways that companies can address privacy and security risks when engaging vendors:
- Conduct reasonable vendor due diligence and risk assessments given the mission critical nature of engaging with business continuity vendors and ask questions.
- Review critical vendor services agreements and privacy notices.
- Take inventory of applicable laws, contractual obligations, and internal policies of your company to determine if any have an impact on your engagement of the vendor.
- Implement protective contracts, including security and data protection agreements, as well as data transfer agreements, as applicable and as necessary to comply with your company’s contractual obligations, internal policies, and laws applicable to your company.
- Document your contracting process. “Showing your work” may be important to demonstrate that you have processes and controls in place – even now – to meet a “reasonable security” standard in the event of a breach.
This is by no means an exhaustive analysis of all of the possible issues that may arise from engaging vendors and services providers for remote work technology, as each company is unique with its own mix of applicable laws, contractual obligations, and policies. These are complex and rapidly evolving issues.