In an April 8 letter to the Federal Trade Commission (FTC), Senator Edward Markey (D-MA) urged the FTC to issue formal privacy and cybersecurity guidance for companies engaged in producing online conferencing services, and best practices for users of such services. This request comes in response to an exponential increase in the usage of videoconferencing tools for work, school, and personal communication as a result of millions of Americans practicing social distancing during the COVID-19 pandemic response.
The letter recognizes that “it is clear that no platform is immune from risks,” and cites news articles that detail recent security vulnerabilities and exploits that have compromised videoconferencing users’ personal data — from intimate conversations being made publicly available online to the use of such platforms for phishing scams and malware proliferation. (For more on how cybercriminals are adapting old scams to capitalize on COVID-19, see our April 2 blog post.) Sen. Markey asks the FTC to provide comprehensive guidance for technology companies that are developing or expanding online conferencing tools, and to address at least the following topics:
- Implementing secure authentication and other safeguards against unauthorized access;
- Enacting limits on data collection and recording;
- Employing encryption and other security protocols for securing data; and
- Providing clear and conspicuous privacy policies for users.
Sen. Markey also requests that the FTC develop a set of best practices for the users of online conferencing software, to promote “informed, safe decisions when choosing and utilizing these technologies.” The letter calls for such guidance to cover, at a minimum:
- Identifying and preventing cyber threats such as phishing and malware;
- Sharing links to online meetings without compromising security;
- Restricting access to meetings via software settings; and
- Recognizing that different versions of a company’s service may provide varying levels of privacy protection.
The request to the FTC comes as increased scrutiny has been leveled at American technology companies with respect to protecting users’ personal information.
Privacy impact assessments may be considered when developing new products and services. Software-developing organizations may wish to work across relevant stakeholders — including engineering, product management, marketing, information security, and legal — to document and embed “privacy and security by design” into platforms. Proactive consideration of these issues, such as securing information in relation to its sensitivity, including privacy-proactive default settings for users, and describing these intelligibly in policies and just-in-time notices, may reduce the risk of privacy-related regulatory and litigation actions.
For more information on Data, Privacy & Cybersecurity issues, visit GT’s Data Privacy Dish blog.