April 7, 2020 – Zoom is a popular videoconferencing platform that more people and businesses are using as a result of coronavirus and social distancing requirements. But as more people joined the platform, reports of security concerns quickly surfaced.
Videoconferencing, using Zoom or any other similar platform, is instrumental as we continue to practice social distancing in both our personal and professional lives.
In law practice, there are two distinct uses of videoconferencing: one involves court appearances, and the other involves conferences with clients and colleagues. These two distinct uses of videoconferencing require different ethical considerations.
Exposure to Hacking
As Zoom usage ramped up, reports noted that configuration and sharing issues led to instances of hacking. This was due to sharing of meeting IDs through social media, which could be accessed by outside individuals or automated bots scraping for data.
Meetings scheduled without passwords to access the meeting could likewise be compromised. Zoom subsequently announced setting and configuration changes to reduce hacking exposure, but lawyers must understand how to enable those settings.
Zoom’s default settings now require passwords to enter conference calls, and the “waiting room” feature – which lets the host control when a participant enters the meeting – is also the default. But those hosting meetings should ensure those default settings are enabled and learn about other features that will enhance security.
Many courts are using Zoom or other videoconferencing platforms to provide needed access to the courts while protecting the health and safety of those involved in the proceedings as well as the public. When a lawyer is ordered to appear in court, the lawyer must do so absent limited exceptions.
Preparing for a court appearance is part of the lawyer’s duty of competence. Consequently, in preparing for a videoconference court appearance, the lawyer should understand – to the extent reasonably possible – how videoconferencing works.
For example, a lawyer may have concerns about how the lawyer will communicate with the client during the court appearance so that the communication is not heard by others.
Keep in mind the Wisconsin Supreme Court’s temporary order regarding the remote administration of oaths at depositions.
Videoconferences with Clients and Colleagues
The primary concern when using technology to communicate with clients and colleagues is protecting information relating to the representation of the client.
The Rules of Professional Conduct do not impose a strict liability standard on lawyers who use technology nor require a guarantee that information will not be inadvertently disclosed. Instead the duty of confidentiality “requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision.” ABA Comment  following SCR 20:1.6.
SCR 20:1.6(d) states: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (d) if the lawyer has made reasonable efforts to prevent the access or disclosure. To be reasonable, the lawyer’s efforts must be commensurate with the risks presented by the technology involved, the type of practice, and the individual needs of a particular client. Keep in mind that technology such as videoconferencing platforms are nonlawyer assistance subject to the requirements of SCR 20:5.3.
The ABA Comments that follow SCR 20:1.6 and SCR 20:5.3, as well as Wisconsin Formal Ethics Opinion EF-15-01, have identified factors for lawyers to consider when assessing the risks. These factors, which are not exclusive, include:
the information’s sensitivity;
the client’s instructions and circumstances;
the possible effect that inadvertent disclosure or unauthorized interception could pose to a client or third party;
the attorney’s ability to assess the technology’s level of security;
the likelihood of disclosure if additional safeguards are not employed;
the cost of employing additional safeguards;
the difficulty of implementing the additional safeguards;
the extent to which the additional safeguards adversely affect the lawyer’s ability to represent clients;
the need for increased accessibility and the urgency of the situation;
the experience and reputation of the service provider;
the terms of the agreement with the service provider; and
the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.
Once the lawyer has assessed the risks by considering these factors, the lawyer is able to determine what efforts are reasonable to protect against those risks.
Unfortunately, it is impossible to provide specific requirements for reasonable efforts because technology is continually changing. For example, operating systems, software and applications regularly issue patches to update their security.
In addition, the risks vary with the specific technology involved, the type of practice, and the individual needs of a particular client.
Consequently, lawyers must exercise their professional judgment in adopting specific videoconferencing platforms, just as they do when choosing and supervising other types of service providers. Although it is impossible to provide specific requirements, it is possible to provide some general guidance.
First, lawyers should understand the importance of computer security, such as the use of firewalls, virus and spyware programs, operating systems updates, software and applications updates, strong passwords and multifactor authentication, encryption, and virtual private networks.
Second, lawyers should have at least a base-level comprehension of videoconferencing and the implications of its use. While attorneys are not required to understand precisely how videoconferencing works, competence requires at least a cursory understanding of its benefits and risks. Such a cursory understanding is necessary to explain to the client the advantages and risks of using videoconferencing in the representation.
Third, lawyers who use videoconferencing should understand the importance of selecting a provider that uses appropriate security protocols.
While complete security is never achievable, a lawyer must take reasonable precautions. This includes researching the videoconferencing vendor’s security measures and track record. Knowing the qualifications, reputation, and longevity of a videoconferencing provider is necessary, just like knowing the qualifications, reputation, and longevity of any other service provider.
Zooming with Clients and Colleagues
There has been much written about the recent security issues such as “Zoom-bombing” or “Zoom-raiding,” and there is no need to repeat them here.
Fortunately, some of those security issues have been addressed by the company in the past week, and the company has promised to focus on privacy and security concerns for the next 90 days. Here is more information about company’s plans for security.
According to computer security advisor Paul Ducklin’s recent blog post, “a lot of the problems and risks can be reduced enormously just by getting the basics right. Here are four of the basics recommended by Ducklin.
First, “patch early, patch often.” Get into the habit of manually checking that you are up-to-date every day, even if you are using the auto-updating feature for your operating system and applications. Check if you have the latest version of Zoom.
Second, Ducklin recommends using Zoom’s Waiting Room option. The Waiting Room is a virtual staging area that prevents people from joining a meeting until the host is ready.
It helps ensure that your meetings are protected and include only the desired participants. Here are the instructions on how to use the Waiting Room feature. As of April 5, 2020, Zoom Waiting Room is now the default setting, as noted here.
Third, Ducklin recommends managing participants in the meeting. By default, any participant in a meeting can share their video, screen, and audio. Visit here and here for instructions on how to limit participation in a meeting.
Fourth, Ducklin recommends using a randomly generated meeting ID and setting a password on any meeting that is not explicitly open to everyone.
Using the same meeting ID makes it easier for hackers. Passwords add a layer of security. Ducklin recommends sending the web link for the meeting by one means such as email or invitation request, and the password by another means such as an instant message just before the meeting starts. Information about meeting IDs and passwords.
By the time you read this, new security measures may be in place not only for Zoom but for other platforms as well. Keeping abreast of the changes in technology will help ensure that the lawyer acts competently to safeguard information relating to the representation of a client. Visit here to learn about for alternatives to Zoom.