Reprinted with permission from the May 21, 2020 issue of The Recorder. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
Video conferencing has been available for years but given its new popularity in these COVID-19 times,[1] it behooves businesses to take care to protect their trade secrets during video conferencing. Here, we address some potential risks to trade secrets from video conferencing –including hidden ones – and offer some potential measures to limit them.
Fundamental Concern: Access By Unauthorized Persons To Trade Secrets Disclosed During Video Conferences.
There have been recent reports of unauthorized access to video conferences. (See “Thousands of Zoom video calls left exposed on open Web,” The Washington Post, April 3, 2020.) Thus, where trade secrets are going to be disclosed during a video conference, businesses should confirm that the video conference is secure. (See “New Zoom User Blow: This Is How ‘Thousands’ Of Video Chats Are Available For Anyone To View Online, “ Forbes, April 4, 2020: “If you are using a video conferencing platform for anything sensitive … security should be your first thought…”.)
Businesses should admonish their employees to:
- Use the video conference application’s security features (g., password-protect the video conference; lock the meeting; do not share publicly the meeting ID and/or password).
- “Kick-out” participants that are not invited to the video conference which they are hosting. If they are not hosting the video conference, contact the host to request that the unauthorized participant be kicked-out.
- Understand how the private break-out session feature works before sharing information there. Otherwise, other participants to the main video conference may inadvertently be given unintended access to the “private” room and, thus, confidential information.
- Know with whom they are chatting when they use the written chat feature. Otherwise, they may find what they thought was a private chat with certain participants was, instead, a chat with all participants and they mistakenly disclosed confidential information to unintended recipients. Be aware that the recording feature on some video conference applications records the entire session including private chats.[2]
- Master the “share screen” function so that they do not mistakenly share a screen with confidential information on it. Close everything on their computers that they will not be sharing during the video conference (g., it is much safer to share only the PowerPoint application rather than the entire desktop). Leaving even the e-mail application open is not a good idea. The e-mail preview message feature may inadvertently share confidential information during a shared screen session. Do not just minimize the e-mail application, close it completely.
- Be mindful not to inadvertently circumvent secured access to video conferences (g., by having video conferences in the presence of others when working from home or traveling.[3]
- Turn off home assistant devices (such as Google Home and Alexa) during any video conference during which confidential information may be discussed since such devices are constantly listening to what is said in their environment.
- Understand the definition of end-to-end encryption as it is provided by the video- conference provider. Although participants that use the native application may have the benefit of encryption, participants that use “out of scope” systems may not (g., cellular connections, landlines, and legacy video teleconferencing systems).
Businesses should also provide tip sheets to their employees with best practices from a security standpoint.
In addition, businesses should consider establishing mandates to avoid having to rely on the cooperation of the employees who participate in video conferences (e.g., set up the video conference settings so that use of passwords is required). IT Security or Information Technology departments should review back-end settings and enforce secure configurations. Businesses should also be mindful to implement software updates for the video conferencing applications that they are using since security improvements may be folded into updates.
Other Concerns That May Not Be Obvious – The “Record” Feature.
Many video conference applications enable the host to record the video conference and to control whether participants can record the video conference.[4] To the extent that a business’ confidential information may be shared during a video conference, the business should exercise careful control over recordings and attempt to ensure that any recordings are maintained securely. Otherwise, businesses may be shocked to learn that their confidential information is no longer confidential. (See “New Zoom User Blow: This Is How ‘Thousands’ Of Video Chats Are Available For Anyone To View Online, “ Forbes, April 4, 2020: “…thousands of Zoom videos are available online for anyone to see. The videos include sensitive chats such as business meetings…”.)
Recording of video conferences should therefore be given appropriate attention, especially to the extent that confidential business data is at stake. (See “New Zoom User Blow: This Is How ‘Thousands’ Of Video Chats Are Available For Anyone To View Online, “ Forbes, April 4, 2020: reporting that Zoom urges those who are considering uploading to a non-Zoom cloud service a recording of a video conference “to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.”)
Watch for indications that a video conference is being recorded (e.g., a notice that it will be recorded, or a red-light recording message) and raise an objection to the host if recording the video conference is unwanted. But, keep in mind that it is easy to record a video conference session discretely with a mobile phone (or other technologies). Accordingly, if recording is undesired, confirm expressly with the other participants that no one is recording the session.
The video conference host should be careful to record the video conference only if it is actually desired and if that is the case, the host should give appropriate notice to the other participants that the video conference is being recorded.
If multiple companies are going to participate in a video conference during which confidential information is shared (e.g., to discuss a potential development relationship), an appropriate non-disclosure agreement (NDA) should be in place beforehand. To the extent that only one participant’s confidential information is going to be shared during the video conference, ideally that participant should seek to host the video conference so that it can control whether the video conference is to be recorded and should also expressly confirm with the other participants that they will not attempt to record the session by other means (e.g., on their mobile phones).
That participant should also be mindful to designate the video conference as confidential in accordance with the procedures set by the NDA (e.g., by sending within a certain number of days after the video conference written confirmation that what was said during the video conference is designated as confidential). While the participant may have designated by labeling it “confidential” a PowerPoint (or other writing) shared during the video conference, the NDA still may require the participant to designate “confidential” what was said about it during the video conference in order to protect the information under the NDA.
If the video conference is recorded and the other participants are permitted to receive a copy of the recording, the host should also be mindful to designate the video conference recording as confidential pursuant to the terms of the NDA.
To the extent that multiple participants’ confidential information is going to be shared during the video conference, those participants should address in advance of the video conference: (1) which participant will host the video conference; (2) whether a recording of the video conference should be made; and (3) if a recording is to be made, confirmation that the host will provide permission to the other participant to record the video conference as well. Ordinarily, if one party of the NDA has a record of a communication between the parties, it is in the other party’s interest to have a copy as well. Otherwise, if a dispute later arises about what confidential information was or was not disclosed in the communication, the party without the record may be at a disadvantage. The participants also should be careful to designate and treat the video conference and any recordings in accordance with the NDA.
Video conferences have become a business norm, so businesses also should consider whether to address expressly in their NDAs the treatment of video conference recordings. For example, the NDA may provide that:
- Recordings may not be made without consent of the party whose confidential information is to be addressed during a video conference.
- No recordings including confidential information may be uploaded or maintained in an unapproved cloud service.
The NDA may also specifically address the disposition of recordings at the end of the relationship (e.g., whether they are to be returned to the designating party; whether they are to be destroyed; or whether an archival copy may be retained if the party continues to maintain it securely). Otherwise, recordings of video conferences – a relatively new category of “documents” subject to an NDA – may be overlooked and give rise to potential claims for breach of the NDA and/or misappropriation of trade secrets.
***
Things are changing quickly and there is no clear-cut authority or bright line rules about what are reasonable steps to protect trade secrets in response to COVID-19. This article is not an unequivocal statement of the law, but instead offers some potential reasonable steps for consideration.
This article is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship.
[1] For example, Zoom conferences have gone through the roof. “[Zoom] reached more than 200 million daily users [in March 2020], up from 10 million in December….” “Thousands of Zoom video calls left exposed on open Web,” The Washington Post, April 3, 2020.
[2] “New Zoom User Blow: This Is How ‘Thousands’ Of Video Chats Are Available For Anyone To View Online, “ Forbes, April 4, 2020 (private chats may be recorded when the video conference session is recorded locally).
[3] For additional potential steps to protect confidential information when working from home, see Sheppard Mullin’s Intellectual Property Blog (https://www.intellectualpropertylawblog.com/).
[4]For example, according to Zoom, it notifies participants when a host chooses to record a meeting, and provides a safe and secure way for hosts to store recordings and Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud. See “New Zoom User Blow: This Is How ‘Thousands’ Of Video Chats Are Available For Anyone To View Online, “ Forbes, April 4, 2020.