Last Friday, a blog I wrote recommended using Zoom’s Waiting Room as a way to avoid Zoombombing. A security report issued the same day found a security issue with Zoom’s Waiting Room; its authors intend to publish details of the vulnerability once Zoom has had an opportunity to address it. In the meantime, the report recommends relying on meeting passwords instead, which my blog last Friday also recommended, and which Zoom has turned on by default starting yesterday, as I mentioned in another blog last Friday.
Starting March 30th, we at GDPRsimple started to document the situation regarding Zoom’s privacy and security concerns. Come here for specific updates:
Earlier today, I wrote a blog about how to use passwords instead of links to access Zoom meetings and about how to enable Waiting Room (in addition to some other security features). This afternoon, Zoom sent an email to its customers about “Zoom Meetings Security Enhancements” that are coming April 5th. Zoom is turning on meeting passwords for all meetings and enabling Waiting Room by default. The email customers received is below.
- Use Zoom? These 5 safety tips can keep the Zoombombing hackers away
- Zoombombing: What it is and how to prevent it in Zoom video chat
- Here Are 8 Quick Tips To Keep You From Getting “Zoombombed” By Trolls
Some of these safety tips are:
- Don’t click on a link in the Zoom invite, because it could be a phish. Instead, invite people to a Zoom meeting with a meeting ID and password, which they enter when joining through http://www.zoom.us.
- Don’t use your Personal Meeting ID for meetings; use a per-meeting ID that is unique to a single meeting. A Personal Meeting ID never changes, so anyone who has seen it once can try to join every later meeting held with it.
- Restrict screen sharing. Go to Settings; under Screen Sharing, allow only the Host to share the screen, so an uninvited participant cannot take over the screen with unwanted content.
- Use Waiting Rooms. Go to Settings, then In Meeting, scroll all the way to the bottom, and enable Waiting Room. Participants then wait until the Host admits them.
- Disable other options in Settings that give participants more control than they need: Join before host, Autosaving chats, File transfer, Annotation, and Remote control.
Last week I wrote a blog about some of the steps you need to take if you have started using technologies you haven’t used before to assist in working remotely. One of the steps discussed was looking at the privacy policies posted by each technology on its website to make sure you are comfortable with its practices before you start using it. One of the technologies we discussed in that blog was Zoom, a free (and paid) application that is used for video and audio conferencing. This week, several articles have been written about Zoom and its privacy practices:
- The New York Times writes that the New York Attorney General is looking into Zoom’s privacy practices. According to the New York Times, Zoom has received a letter from the New York AG’s office “asking what, if any, new security measures the company has put in place to handle increased traffic on its network” because the AG’s office is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network”. The New York Times article can be found here. (Registration may be required.)
- The Intercept reported that Zoom “computer audio” meetings aren’t end-to-end encrypted as advertised. With end-to-end encryption, Zoom “computer audio” meetings couldn’t be accessed by Zoom employees, because only the participants would hold the encryption keys. According to The Intercept, however, Zoom meetings are only transport encrypted, which protects the connection between you and Zoom’s servers but leaves the content readable on those servers, and therefore accessible to Zoom employees. The Intercept article can be found here.
Privacy is a buzzword today. We were ahead of the trend. Our founder Lynn is a world-renowned privacy expert, and she has been at this since before it was fashionable.
She started GDPRsimple for SMBs to get ahead of the curve on privacy and data protection, and she has spoken far and wide about international privacy laws.
Come along with us as we write about privacy and data protection, from Privacy 101 to the hot topics of the day. We promise to make this interesting (and educational).
With Covid-19, large numbers of employees are working remotely rather than going into the office, and are rapidly adopting technologies they hadn’t used before in order to continue to serve their customers.
We at GDPRsimple have always worked remotely, because for part of the year I live in a different state than my co-founder. This is how we know there are several key steps you need to take immediately to protect your business from regulatory criticism:
- Make a list of the new technological solutions – known as third-party service providers – that you and your entire team are using. Ideally, steps 2-4 would have been done before you started using these technologies. However, these recommendations recognize that the exigencies of getting your business up and running remotely on short notice may not have allowed for such an orderly process.
Many organizations now are using far more technologies than they previously used. As a result of working remotely, many workforces now need to frequently use video and screensharing. Examples of these technologies are Zoom, Slack and Crowdcast. Depending on how you use them, each of these technologies may collect information about you, your employees, and any information you may share about your users and customers.
- Now take that list and bucket it into two groups. (There are more groups beyond this such as cloud, but we will focus on these for now as they relate to the changes in work due to Covid19):
Secure: These are technologies that are built to be protective of personal data. One of their value propositions is that they securely send, receive and store information via the Cloud. Examples are Dropbox and Box for file storage and DocuSign for electronic document signing.
Customer Service: There are other technologies that are used to help teams communicate with and about customers – from segmentation to acquisition to retention and servicing. These platforms probably have been added to your technological suite as a result of Covid-19 and could be anything from videoconferencing and screensharing (e.g. Zoom, Google Hangouts, Skype) to messaging (Slack) to data collection, sorting, and integration (Airtable).
No personal data should be shared on these platforms. Do not send individual customer identification numbers or bank account numbers via any of them. Instead, convey personal information by phone or by a means of secure transport (e.g. secure email, Dropbox or Box).
- Now that you have your two buckets, look at the privacy policies that these organizations post on their own websites.
You – as a leader of your team, department, company – need to know how each of those companies uses, discloses and shares personal data collected on their platforms. In particular, you will want to make sure that the Customer Service platforms do not use, disclose or share the personal data other than to provide the service you have hired them to provide (e.g. video conferencing or screen sharing).
We at GDPRsimple built a platform for you – the CEO, the team leader, the entrepreneur. The GDPR is complicated, and we wanted to simplify it for you. Contact us today at email@example.com to learn more.
With the onset of Covid-19, we at GDPRsimple are putting together privacy and data protection resources below.
Check back to learn more!
A New Year’s Resolution for SMEs: If you haven’t put the GDPR into practice yet, you should start now!
By Lynn Goldstein, Founder of GDPRsimple
You keep saying to yourself: “GDPR, what is it? I know that we need to do something about the GDPR.” Or you are saying: “It’s our 2020 goal to do more to implement the GDPR.” Or are you responding to biz dev and RFP opportunities and know that your response isn’t up to snuff? Not a problem, start now!
The GDPR expanded the rights individuals had under the EU Data Protection Directive and created several entirely new rights, which regulators have started enforcing against SMEs.
Under the GDPR, individuals have the right to:
- Be informed (e.g. told what personal data about them are collected and how their personal data are used)
- Access their personal data
- Rectify their personal data if they are inaccurate or incomplete
- Erase personal data when certain grounds apply (to be explained in a subsequent blog)
- Restrict processing of personal data when certain grounds apply (to be explained in a subsequent blog)
- Port data (specifically when data is processed based on consent or contract and is carried out by automated means)
- Object to processing of personal data concerning them under certain circumstances (to be explained in a subsequent blog)
- Refuse to be subject to automated decision-making, including profiling, unless an exception applies
Each of these rights will be explained in more detail in subsequent blogs, but the important points are:
- these rights create new responsibilities for you as a business, especially if you process (e.g. use) personal data,
- not being able to comply with these rights can cause individuals to complain to their regulators, and
- you must respond to requests to exercise these rights quickly and accurately.
Most SMEs think they are too small for anyone – customers, employees, regulators – to notice if they don’t comply. That is not the situation under the GDPR. Each regulator must “handle” every complaint lodged with it by an individual. So, if an SME does not respond to a right exercised by an individual, that individual can file a complaint with the regulator of the country where they live, where they work, or where the SME’s failure to respond took place. The filing of a complaint could lead the regulator to look into your business and assess fines. How much could those fines be? Up to €20 million or 4% of your total worldwide annual turnover (gross revenue), whichever is higher.
Sure, you may be saying to yourself that since it takes time for complaints filed with regulators to be investigated, you don’t need to worry about it just yet. Not the case, we hate to say! The results of these investigations are just starting to be seen, and they are coming fast and furious. The Irish regulator addressed and resolved over 6,000 complaints in 2019! Individuals are exercising their rights. The Bavarian state regulator in Germany announced it is auditing the implementation of the GDPR in SMEs.
Other regulators already have investigated and fined SMEs! The following are just a few examples:
- In November, the French regulator imposed a €500,000 fine on a company of fewer than 100 employees that was the subject of a complaint from an individual, for five violations of the GDPR: failure to process data which are adequate, relevant and limited to what is necessary for the purposes for which they are processed; failure to inform the individuals; failure to respect the right to object; failure to cooperate with the supervisory authority; and failure to provide the appropriate safeguards regarding the transfer of personal data outside the EU.
- In October, the Polish regulator imposed a fine of approximately €47,000 on a marketing industry company for failure to implement appropriate technical and organizational measures to enable easy and effective withdrawal of consent to the processing of personal data and to exercise the right to request the immediate deletion of personal data.
- In December, the Belgian regulator imposed a fine of €15,000 on an SME operating a legal information website with approximately 35,000 unique visitors a month because insufficient information was provided about cookies deployed on the website, because the appropriate type of consent was not obtained for certain types of cookies and because there was no easy way to withdraw consent.
Many SMEs want to comply with the GDPR but don’t know how. This blog is the first in a series of blogs that will explain, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.
We at GDPRsimple put together a series of posts on what the GDPR is. Please keep coming back to this page to see new posts and updates to old posts as information becomes available.