Privacy in Online Meetings and Security Breach

Given what it has come to mean around the world, we rarely like to use the word, but the pandemic caused by COVID was a turning point in our lives.

Many of the consequences of adapting to that fateful period are set to remain and one of those generally regarded as positive is teleworking.

Because the lockdown made it physically impossible to go to the office, companies and public entities were forced to implement teleworking so that their employees could carry out their activities and “carry on”, as far as possible, with as little disruption as possible. After the global health crisis, it has become an established reality.

Although before March 2020 this type of work seemed almost utopian, today it has even become a selling point that companies use to recruit employees, and it is a reality for thousands of professionals around the world, which has meant the arrival of the “new normality”.

Everyday practices such as approaching a colleague at their desk to resolve a quick question have now been replaced by purely online meetings, which have given rise to hilarious or controversial episodes. One such episode occurred at a videoconference on the defence of the European Union, which a Dutch journalist joined after the Dutch minister published the meeting’s access code on social media.

Given the increasing use of these meetings and the sensitivity of certain topics discussed in them, this incident raised the question of whether the security and confidentiality of the meetings we hold online is guaranteed.

In this regard, numerous organisations such as the European Commission, through the European Data Protection Supervisor, and national agencies such as the Spanish Data Protection Agency (AEPD) have published a series of recommendations to be taken into account in order to avoid the unintended disclosure of certain data.

One of them is to CHOOSE RELIABLE SUPPLIERS: choose a platform for virtual meetings that offers sufficient guarantees in terms of cybersecurity and data protection, since the processing of attendees’ personal data is a fundamental aspect.

The second recommendation is to implement RESTRICTED ACCESS. Controlling who has access to virtual meetings is one of the fundamental pillars for ensuring privacy in videoconferences. To this end, the following is recommended:

  • Create a different meeting session each time, so that the same ID and link to it are not used again.
  • Send the link to the meeting by email and only to the people who are required to be in the meeting.
  • Protect access with a one-time password.
  • Enable the waiting room and authorise individual access for each attendee to verify their identity.
  • Do not share links to meetings on social networks or instant messaging apps and warn attendees not to do so either, as their level of privacy on social networks is unknown and the link to the meeting could potentially be seen and used by people outside the company, such as in the case we have discussed.
  • Enable notifications that warn when a person joins the meeting so that users know at all times who has access to the meeting and is present.
  • Once all attendees are present at the meeting, access to the meeting must be blocked.
  • Employees should be instructed to only access the meeting using corporate or company-authorised devices.
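The access controls in the list above can be expressed as a small state machine. The following is an added example written for this article; it is a toy model, not the API of any videoconferencing platform, and the e-mail addresses it uses are constructed. It shows a fresh meeting ID and passcode per session, a waiting room in which the correct passcode alone is never enough to enter, host-side admission checked against the invitation list, a join notification log, and automatic locking once every invited attendee is present.

```python
"""Toy model of per-meeting access controls (added example, not a real platform's API)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Meeting:
    # Fresh identifier and passcode per session: neither is reused across meetings.
    meeting_id: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    passcode: str = field(default_factory=lambda: f"{secrets.randbelow(10**6):06d}")
    invited: set = field(default_factory=set)    # addresses the link was e-mailed to
    waiting: list = field(default_factory=list)  # joined with the passcode, not yet admitted
    present: set = field(default_factory=set)
    locked: bool = False
    log: list = field(default_factory=list)      # join notifications shown to the host

    def invite(self, *emails: str) -> None:
        self.invited.update(e.lower() for e in emails)

    def request_join(self, email: str, passcode: str) -> str:
        """A participant presents the passcode from the link; returns the outcome."""
        email = email.lower()
        if self.locked:
            self.log.append(f"REJECTED {email}: meeting locked")
            return "locked"
        if not secrets.compare_digest(passcode, self.passcode):
            self.log.append(f"REJECTED {email}: wrong passcode")
            return "bad-passcode"
        # A correct passcode only reaches the waiting room, never the meeting itself.
        self.waiting.append(email)
        self.log.append(f"WAITING {email}")
        return "waiting"

    def admit(self, email: str) -> bool:
        """Host verifies the identity against the invitation list before admitting."""
        email = email.lower()
        if email not in self.waiting or email not in self.invited:
            self.log.append(f"DENIED {email}: not on the invitation list")
            if email in self.waiting:
                self.waiting.remove(email)
            return False
        self.waiting.remove(email)
        self.present.add(email)
        self.log.append(f"JOINED {email}")  # notification to everyone in the meeting
        if self.present == self.invited:
            self.lock()
        return True

    def lock(self) -> None:
        """Block further access once all attendees are present."""
        self.locked = True
        self.waiting.clear()
        self.log.append("LOCKED: all invited attendees present")


def demo() -> Meeting:
    """Walk through one session with constructed addresses and return its final state."""
    m = Meeting()
    m.invite("alice@example.com", "bob@example.com")
    m.request_join("alice@example.com", m.passcode)
    m.admit("alice@example.com")
    # Someone who saw the link on social media: right passcode, but not invited.
    m.request_join("outsider@example.net", m.passcode)
    m.admit("outsider@example.net")
    m.request_join("bob@example.com", m.passcode)
    m.admit("bob@example.com")  # everyone invited is now present, so the meeting locks
    m.request_join("late@example.com", m.passcode)
    return m


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

The point of the model is the separation between the passcode check and the admission decision: the passcode gets a person as far as the waiting room, and only the host's check against the invitation list lets them in, which is what makes a leaked link recoverable.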


Other advisable measures are to control the sharing of information, whether through screens or files, on account of the risks that this may entail. It is strongly recommended to allow screen sharing only by hosts.

As for RECORDING MEETINGS, if it is not necessary, it is not advisable to record virtual meetings. If it is necessary, attendees should be informed that they will be recorded, of the purpose of the recording, and of when the recording starts and stops. In addition, the recordings should be encrypted and password-protected to prevent possible leaks.

In the case of releasing this recording to the public, it is necessary to obtain the consent of the attendees to reproduce their image and/or voice.

Prior to the start of the meeting, it is advisable to alert anyone sharing the space that the meeting is about to begin, so that their activities stay out of range of the microphone and camera.

However, regardless of the precautions taken, mistakes and security breaches can still occur. In an age where data is the new “gold” in any organisation, the impact of a security breach can be enormous, and appropriate risk management and data governance strategies are key.

According to the definition given by the General Data Protection Regulation (GDPR), a security breach is any incident that results in unauthorised access to data held on computers, applications, networks or devices.

If such an incident occurs, certain information should be collected that will be very useful in deciding the measures and actions to undertake.

The first step is to IDENTIFY and establish what has happened, for example: a device containing personal data has been lost, a theft has occurred, personal data has been published by mistake or sent to the wrong recipient, there has been an unauthorised intrusion into an information system holding personal data, an employee has been the victim of phishing, etc.

In this step it will be important to know the categories of personal data affected, the number of records affected and the number of people concerned by the breach.

The second step would be CLASSIFICATION of the type of breach that has occurred. There are three types of security breaches:

  1. Confidentiality breach: occurs when there is unauthorised access to stored personal data, or when an attack or carelessness leaves such data exposed.
  2. Integrity breach: This occurs when the original data or information stored in the system is altered, which could cause damage to the company or to those affected.
  3. Availability breach: Occurs when an incident, intentional or unintentional, causes the loss of access to the data and information stored, either temporarily or permanently.


The third step is CONTAINMENT and ELIMINATION. If the event is still ongoing, the affected functions should be disabled and the networks isolated. This ensures that the intrusion cannot spread.

The next step is the RECOVERY of anything that may have been affected in the security breach and that is relevant to the normal conduct of business.

Finally, the COMMUNICATION of the incident. The affected parties and the corresponding authorities must be notified, as required by the regulations for the resolution of these incidents.

Specifically, the controller must report security breaches to the appropriate supervisory authority, which in the case of Spain is the AEPD, within 72 hours of becoming aware of the security breach.

If this notification is not properly carried out, significant financial penalties may be imposed.
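The five steps above (identify, classify, contain and eliminate, recover, communicate) can be supported by a structured incident record from the first minute. The following is an added example written for this article, not tooling from the AEPD or any other regulator: it captures the identification data the article names (categories of personal data, records and people affected), derives the breach classification from the effect on the data (confidentiality, integrity, availability, possibly several at once), and computes the 72-hour notification deadline from the moment the controller became aware of the breach. The sample breach it builds is constructed; the class and method names are this example's own.

```python
"""Breach record with CIA classification and a 72-hour notification deadline (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# GDPR Article 33: notify the supervisory authority within 72 hours of becoming aware.
NOTIFICATION_WINDOW = timedelta(hours=72)


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass
class Breach:
    description: str
    aware_at: datetime            # when the controller became aware (must be timezone-aware)
    data_categories: list         # e.g. ["names", "national ID numbers"]
    records_affected: int
    people_affected: int
    exposed: bool = False         # data seen by, or sent to, an unauthorised party
    altered: bool = False         # data modified without authorisation
    unavailable: bool = False     # data lost or inaccessible, temporarily or permanently

    def __post_init__(self) -> None:
        # A naive timestamp would make the 72-hour deadline ambiguous across time zones.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        if self.records_affected < 0 or self.people_affected < 0:
            raise ValueError("affected counts cannot be negative")

    def classify(self) -> set:
        """Step 2: one breach can fall into more than one of the three types."""
        types = set()
        if self.exposed:
            types.add(BreachType.CONFIDENTIALITY)
        if self.altered:
            types.add(BreachType.INTEGRITY)
        if self.unavailable:
            types.add(BreachType.AVAILABILITY)
        return types

    def deadline(self) -> datetime:
        """Step 5: the latest moment at which the supervisory authority must be notified."""
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Negative once the window has been missed."""
        return (self.deadline() - now).total_seconds() / 3600

    def is_overdue(self, now: datetime) -> bool:
        return now > self.deadline()

    def summary(self, now: datetime) -> str:
        kinds = ", ".join(sorted(t.value for t in self.classify())) or "none"
        status = "OVERDUE" if self.is_overdue(now) else f"{self.hours_remaining(now):.1f} h left"
        return (f"{self.description}: {kinds}; {self.records_affected} records, "
                f"{self.people_affected} people; categories={self.data_categories}; "
                f"notify by {self.deadline().isoformat()} ({status})")


def sample_breach() -> Breach:
    """Constructed example: a lost laptop holding an unencrypted client list."""
    return Breach(
        description="Unencrypted laptop with client list lost on a train",
        aware_at=datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc),
        data_categories=["names", "national ID numbers", "e-mail addresses"],
        records_affected=1200,
        people_affected=1200,
        exposed=True,        # whoever has the device can read the data
        unavailable=True,    # the only copy went with the device
    )


if __name__ == "__main__":
    print(sample_breach().summary(datetime.now(timezone.utc)))
```

The lost-laptop case deliberately classifies as both a confidentiality and an availability breach, which is the situation the article's three-way split can hide if a breach is forced into a single category. The deadline is anchored to the moment of awareness rather than the moment of the incident, which is how the 72 hours in the article are counted.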
