Zoom-baa-bombing

NOTE: This blog includes discussions and explorations of legal issues. The content is intended for educational purposes only, and is not intended to be legal advice. You should always consult with a licensed attorney before taking any action that could affect or impair your legal rights.

The pandemic has forced all of us to modify, in some form or fashion, how we go about our daily lives. In many cases, it has required the adoption of new technologies. In addition to potentially having to learn new technology, the pandemic’s push for more business relationships to begin online, also comes with a need to fully understand the operational intricacies associated with these new methods of doing business.

We don’t even have to go all the way back to the days of using a Rolodex to compare it with today’s technology for storing our contact information, to recognize that the “lives” of our information are very different from even ten or fifteen years ago. Can you remember the last time you saw a post on Facebook asking for peoples’ phone numbers because the person that made the post, lost their phone, or the phone got destroyed? Or when was the last time someone responded with a “new phone, who dis?” because they did not have contact information stored in the cloud or as a part of a back-up, and they (legitimately) did not know your phone number?

The point is, where our information “goes,” where it “hangs out,” and where it is stored, has changed dramatically in the last several years, but the expectation for how that information is supposed to be handled, has not. Likewise, how we communicate and interact with clients, patients, and customers has also changed rapidly — especially in the last two or three months.

While it is good that everyone has attempted to maintain some level of normalcy by continuing face-to-face conversations through the use of video-chat platforms, we have to recognize that new normal can also create new “threats.” Previously, concerns about a flash mob taking place during a group discussion of colleagues were, for the most part, unnecessary. Nowadays, “Zoom-bombing” during a group discussion, has become a real issue. Such incidents should encourage questions about other direct consequences that may not be immediately apparent.

The fact that “Zoom-bombing” has occurred, suggests that in some form or fashion — be it a flaw in design or implementation, or even just human error — individuals neither invited nor welcome to Zoom sessions, have or are gaining access to such sessions (and despite the terminology, these threats are not just a problem for Zoom and its users). Whatever the cause of such unauthorized access, the fact that unauthorized access has occurred should cause alarm bells to start going off in your mind. For present purposes, the concern isn’t so much about what an unauthorized user does upon gaining access, so much as the fact that the unauthorized user gained access in the first place.

If you are using a video-chat platform — or even just a text messaging platform, as a part of the way you communicate with customers and prospective customers — you should be familiar with how that system works, and what additional safeguards you might need to have in place. Depending on the information you might be discussing, transmitting, etc., you may need to consider whether you should have a business associate agreement (“BAA”) with the provider of the platform that you are using. Different privacy laws cover different types of information — for example, educational matters tend to be covered by FERPA, while personal health information tends to be covered by HIPAA. BAAs are between you and a third party (e.g., an e-mail service provider, a database designer, a consultant, etc.), and are used in situations where the protected information of one (or more) of your clients will be handled by the third party, as a part of you providing service to your client. The agreement is there to ensure the third party remains compliant, so that you can remain compliant.

A BAA does not have to be a long, drawn-out document, but it is important that they are done correctly, as non-compliance — such as with a HIPAA violation — can range from “$100 for each such violation,” [1]See 42 USCS § 1320d-5(a)(1)(A) (emphasis added). up to “$50,000 for each such violation” [2]See 42 USCS § 1320d-5(a)(1)(C) (emphasis added).. And that low-end? That’s the minimum amount to be assessed in instances “in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that [he or she] violated” the law.[3]See 42 USCS § 1320d-5(a)(1)(A) (emphases added). All of that, is all the more reason to make sure that any BAA you use, will actually protect you. 

Sitting down and meeting with an attorney (or using a secure video-conferencing platform) that can help you to understand and satisfy different statutory requirements (and become aware of different exemptions) will help you to operate more smoothly and save you money.

Berger Law can help.

References

1 See 42 USCS § 1320d-5(a)(1)(A) (emphasis added).
2 See 42 USCS § 1320d-5(a)(1)(C) (emphasis added).
3 See 42 USCS § 1320d-5(a)(1)(A) (emphases added).