Posts

Zoom Privacy Policy is a Risk

Updated 4/01/20

Updates:

  • 4/01/20: MIT Tech Review summarizes the security issues with Zoom, including information about a Class Action Lawsuit.
  • 3/31/20: Vice.com reports that Zoom is leaking personal emails and photos to strangers.
  • 3/31/20: The Intercept reports that Zoom is not using End to End Encryption as claimed in their marketing materials and user interface. 
  • 3/31/20: New York Times reports that Zoom, the videoconferencing app whose traffic has surged, is under scrutiny by the New York attorney general’s office for its data privacy and security practices.
  • 3/30/20: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 18, 2020, the Zoom.us posted changes to its privacy policy that impact all users, even those without accounts attending meetings as guests.  This change follows a dramatic increase in Zoom users (and stock price), as Zoom has been offering its services for free to many businesses and schools.

Under this version of the Zoom’s privacy policy, Zoom is collecting more information, in our assessment, than is necessary to provide users with the service. Zoom also acknowledges providing this information to third parties. The information Zoom is collecting includes, but is not limited to:

  • Name, physical address, and other similar personally identifying information
  • Information about your job, such as your title and employer
  • Your Facebook profile information (when you use Facebook to log-in to Zoom or to create a Zoom)
  • General information about your product and service preferences (including software installed and/or in use on your computer)
  • Information about your device

Per Zoom’s policy, downloading and using the Zoom app provides Zoom with consent to share any personal information they collect with third parties.

In reference to the use of third party services, the policy states

“We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).”

In other words, Zoom may use the personal information of any person using their services to market to that person across their use of the Internet.

Additionally, we do not see any effort by Zoom to determine the age of individuals using the service, so they are likely collecting and using the personal information of children.

Vice.com is reporting that Zoom’s iOS app sends data to Facebook even if you do not have a Facebook account.

Impact

Our current assessment of the impact is as follows:

  • Data collection is based on the way each meeting participant enters the meeting.  Even if the organizer is on a paid and secure business or education edition, meeting attendees using the free client or entering as a guest are subject to dating mining and sharing.
  • For businesses and schools, some of the data Zoom collects and shares is prohibited under the Children’s Online Privacy Protection Act (COPPA).
  • For schools and libraries, not using the K12 version of Zoom for faculty and students may result in violations of the Children’s Internet Protection Act (CIPA)
  • Zoom does provide a means for users to instruct Zoom to “Do not Sell” their personal information. This help with California Consumer Privacy Act (“CCPA”) and  EU’s General Data Protection Regulation (“GDPR”) compliance.  It may not be practical to advise all meeting attendees of this option.

In short, Zoom’s privacy policy may conflict with your business’ privacy policy and how you manage and respect your customers and their data. The policy may also create regulatory and legal issues.

Recommendations

If you organization uses G Suite or Microsoft Office 365, you already have the ability to securely conduct audio and video conferencing with services that do not mine and share attendee data.

  • G Suite
    • Hangouts Meet (the new service) is secure and HIPAA compliant.  Individuals outside your organization can join via shared URL, without providing personal information. Through June 2020, Google has enabled all G Suite users to conduct meetings with up to 250 participants and provided organizers with the ability to record meetings. Participants can mute their own audio/video and can present to the meeting. Meeting include dial-in numbers and pins to allow access from phones.
    • Participants can join via web browser or use the free iOS and Adroid Apps.
    • Traditional Hangouts and Chat, while not HIPAA compliant, are still secure and work within organizations and with guests.
  • Office 365
    • Teams (and formerly Skype for Business) is a secure video/audio conferencing service with screen sharing, waiting rooms, and other helpful features.  As with all of Office 365, Teams can be deployed to meet HIPAA compliance. Teams does not collect and share personal information.
    • Teams, by default is device-to-device conferencing.  You can add the ability for individuals to connect by phone for a small monthly fee for each meeting organizer that needs this function.
    • Participants can join via web browser, or use the free apps for Windows, Mac, iOS, and Android.

Before adding another service or tool for audio/video conferencing, take full advantage of the services you have. Contact us if you need help with user training and support.

If you are not using G Suite or Office 365, several communications and conferencing services are offering secure, free access for up to 90 days.  These include, but are not limited to, Dialpad, UberConference, Ring Central, and Cisco WebEx. Please contact us for help selecting and deploying the right service for you and your teams.

 

Rules and Regulations

Rules, Regulations, and Results

Rules and RegulationsFor Small and Midsize Enterprises (SMEs), the regulatory landscape remains in a perpetual state of flux with changes originating at the Federal, state, and local levels. While some rules and regulations can severely impact your business’ operations, and profitability, many create requirements that you can easily satisfy at a nominal cost.

Three regulations with upcoming deadlines or increased enforcement include:

HIPAA

HIPAA compliance is a requirement for any organization that works with personal health information of individuals — not just medical offices and insurance firms. If you are sharing employee information about benefits, insurance coverage, medical leaves, or other items that involve personal health information (PHI), you have an obligation to protect the PHI. Failure to do so can result in heavy fines and, in a few instances, criminal charges.

Historically, HIPAA compliance has focused on medical practices, insurance, and brokers. We are starting to see audits of non-medical companies, along with fines for those not in compliance. 

Fortunately, you can protect PHI by focusing on the individuals that are authorized or likely to handle sensitive employee information.  By focusing on HR, payroll, and key executive and leadership roles, you can deploy services like message-level email encryption.

What to do:

  • For as little as $5 or $6 per user per month, you can ensure that specific individuals protect PHI and sensitive information while preventing accidental disclosure
  • Contact us for information about encryption, DLP, and other HIPAA solutions.

ELD

Starting December 18, 2017, all interstate trucks in the US must use an Electronic Logging Device (ELD) to track operations and required reporting.  According to the US Department of Transportation (USDOT), fewer than 1/3 of interstate trucks have installed ELDs as of mid-November. Failure to comply can result in heavy fines, impounding of vehicles, and disruption of delivery schedules.

While enforcement is not expected to impact small and midsize trucking firms until late spring or summer of next year, your business can still be at risk.

Here are a few things to note:

  • If you have your own truck(s), they may be classified or registered as Interstate Trucks, even if you only deliver within your state.
  • If you use third parties for shipping, their failure to comply can disrupt your deliveries if trucks are stopped or impounded, or if drivers are pulled off the road.

What to do:

  • Check your own vehicles:
    • Determine if they are properly registered as Interstate Trucks, or if they should be registered as such
    • If you do not have ELDs yet, please contact us for low cost, self-install ELDs with logging software subscriptions
  • Check with your shipper(s):
    • Confirm their trucks, those of their subcontractors, and any owner/operators are properly registered and have ELDs
    • If not, have them contact us for help

GDPR

Effective May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) takes effect. While GDPR covers data protection and privacy for citizens of EU member states, treaties allow enforcement in action against US companies operating within the US.

If you have any personal data for citizens of EU member states, you are responsible for GDPR compliance.

GDPR means more than encrypting sensitive data.  GDPR includes processes and procedures for governance, including:

  • A named Data Protection Officer (DPO) responsible for oversight, compliance, and response to individual inquiries. The DPO role can be full time or part time, internal or contracted.
  • You must report suspected breaches within 72 hours of becoming aware of the issue.
  • You need to deploy privacy by design — any new system or change in systems requires primary consideration of privacy and information security.
  • You must be able to demonstrate that you mitigate risk, even in the absence of a privacy breach.

Fortunately for most SME’s the appropriate policy changes and the risk-mitigation technologies need not be expensive of complicated.

What to do:

  • Discuss GDPR with your team, and your legal counsel, to determine your required compliance
  • Provide training, education, and “cultural support” for a data privacy mindset within your organization
  • Review systems storing or processing personal information for security and privacy compliance
  • Select and deploy relevant data loss prevention (risk mitigation) solutions for your environment

Need help? Contact us for more information.


 

4 Lessons from the Q4 Data Breach Review

Last week, our strategic partner Privacy Ref held their quarterly review of recent data breaches.  In his presentation, Ben Siegel, CIPM, identified 4 lessons learned from recent data breaches, including: Google Android; Hillary Tentler, CPA; Folsom State Prison; and the Internal Revenue Service.

#1: Unauthorized Mobile Apps Create Risk

Issue: Users can download apps from sites other than the Google Play store. These apps are not “vetted” and gain access to tokens used to control users’ accounts.

Lesson: As the threat is outside of Google’s control, you need to put systems in place to prevent unauthorized apps from access your company’s data via mobile devices.

#2: Local Data is At Risk, Too

Issue: In the burglary of an accountant’s home, three hard drives were stolen and only one was recovered during the arrest.

Lesson: Physical devices, when stolen, can result in a serious data breach; While moving 100% cloud is more secure, it may not be a practical option for your business yet. You should ensure any local data is encrypted and subject to regular backup.

#3: Internal Breaches are Still a Breach

Issue: A file including names, social security numbers, and other sensitive data was saved to a shared location accessible to anybody in the organization.

Lesson: You can protect yourself from internal breaches with solutions that use defined business rules to automatically enforce permission restrictions based on the content of your files.

#4: It is Too Easy to Email Protected Information

Issue: Employees were sending emails with personally identifiable information (PII) clearly visible, in violation of regulatory requirements.

Lesson: You should not rely on people to do the right thing all of the time — mistakes happen and can be damaging and costly. System exist that scan and encrypt emails automatically if they contain sensitive or protected information.


Do you need a privacy assessment or a privacy plan review? Are you ready to better protect your data — on premise and/or in the cloud?

Contact us to discuss your needs.


 

Myth Busting

Myth Busting Monday: Cloud Lacks Security

Office365-Logo-and-textSecurity is still the biggest fear across SMBs considering the cloud.  IT leaders and C-level execs worry about spies, cyberthieves, governments, and vendors access their company’s data. This fear is unfounded.

You are the Sole Owner of Your Data; You Manage and Control Privacy and Access.

Like most reputable and trustworthy cloud providers, Microsoft runs the Office 365 based on several key principles:

  • Microsoft never mines your data for any reason other than to provide you with the Office 365 services
  • Microsoft’s staff does not have access to your data
  • If you leave Office 365, you can always take your data with you
  • You control the security and privacy settings; you determine who has access to what
  • Auditing and supervision prevent your admins from unauthorized access to your data

Beyond the core security and privacy capabilities of Microsoft Office 365, we offer additional configuration, tools, and services to ensure compliance with privacy regulations and/or your internal policies.

Fear not the lesser known security of the cloud. Learn, trust, and go.


This is the sixth of a multi-part series designed to help companies better asses the opportunity and value of cloud-based solutions. Contact us to schedule a free, no-obligation Cloud Advisor session to discuss your priorities and plans.


Fast Fact

Fast Fact Friday: Ransomware Cloud Attacks

Fast FactAccording to the Datto’s 2016 Global Ransomware Report, a survey of 1,100 IT service providers …

70% report Dropbox being the target of the ransomware attack

44% of attacks targeted Professional Services

38% of attacks targeted Healthcare


Are you moving to the cloud? Is your roadmap in line with your business goals? Contact us for a no-obligation Cloud Advisor session.


News from Cumulus Global

SMBs Benefit from Tech and Policy Mashup

Westborough, MA – Faced with increasing regulations and a changing technology landscape, small and midsize businesses (SMBs) struggle to ensure compliance and maintain data privacy. With the sophistication of rasonmware attacks and advanced persistent threats, employee awareness and behavior is more important than ever. Cloud technology makes it easier to share, even when sharing is not appropriate.

To help SMBs tackle these challenges, Cumulus Global (www.cumulusglobal.com) and Privacy Ref (www.privacyref.com) announced a unique partnership designed to help SMBs assess their needs and risks, plan and implement sound privacy practices, and respond to threats and potential breaches.

“Smaller businesses face the same regulations and requirements of large corporations,” noted Bob Siegel, Founder and President of Privacy Ref. “SMBs generally do not have the internal resources and expertise to create and manage a privacy program. This partnership gives SMBs a place to turn for guidance, expertise, and results.”

In addition to privacy assessments and policy updates, the Privacy Education Programs provides SMBs with the awareness education and training needed to ensure employees understand the risks and their role in preventing attacks and breaches.

“Our role is to ensure businesses can avoid and prevent malware attacks and data breaches,” noted Allen Falcon, CEO and Pragmatic Evangelist at Cumulus Global. “We ensure that the protecting technology, policies and procedures, and people are working together for the greatest level of protection.”

Through the partnership, SMBs also gain access to a range of data protection and recovery services and tools. These tools help prevent attacks and breaches and facilitate response and recovery if needed.

Myth Busting

Myth-Busting Monday: On-Premise is Safer Than Cloud

Office365-Logo-and-textJust because you can see it and touch it, does not mean it is safe and secure. With the number of successful ransomware attacks up more than 400% in the past year, it is increasingly clear that on-premise systems are not inherently more secure than they would be in the cloud. Many companies are hacked and remain unaware for weeks or months, as the use by cyber criminals of advanced persistent threats continues to rise.

Microsoft Office is secured with technologies and resources beyond the reach of nearly every small and mid-market business.

Large enterprises know that security is a full-time job, requiring a team of expensive experts and advanced technologies. And while large enterprise can afford to make this investment, most small and mid-size businesses do not have the resources to prevent, detect, and mitigate security issues.

Moving to Office 365, you enter an environment designed for security, backed by a team of security experts, industry leaders in regulatory compliance, and the latest security technologies and methods. Office 365 complies with the latest rules and regulations, including but not limited to:

  • HIPAA
  • Sarbanes-Oxley
  • Federal Information Security Management Act (FISMA)
  • ISO 27001
  • European Union (EU) Model Clauses and U.S.–EU Safe Harbor framework
  • Family Educational Rights and Privacy Act (FERPA)
  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

And, with this security, you get a 99.9% uptime guarantee.

Thinking of going cloud — or expanding your cloud use — and remain concerned about security and data privacy, give us a chance to assess your needs and map out a solution.


This is the third of a multi-part series designed to help companies better asses the opportunity and value of cloud-based solutions.  Contact Us for more information or a free Cloud Advisor session.


Rethinking Risks and Responses

Malware, Ransomware, Natural Disasters and More Keep Hitting SMBs Hard

Never have we had a greater ability to work together to get things done than we do right now. As our cloud and hybrid environments expand, the ease-of-use encourages us to share ideas and information and to collaborate in new and exciting ways.

Never have we been under attack from so many directions. Changing weather patterns and aging infrastructure leave businesses without power for days instead of hours. Fading employee loyalty means more chances for information to walk out the door. The same features that let us easily share information also let us accidentally share information we shouldn’t. Malware and viruses have evolved from a nuisance to potentially existential threats with the increase in ransomware and advanced persistent threats.

Our Businesses, Employees, and Customers Need and Expect Protection

With the risks and impacts on the rise, we as small and midsize business owners and technologists should rethink how we both prepare and respond. Since the dawn of business computing, large enterprises have built expensive solutions to ensure that their businesses keep running “no matter what”.  Now that we are in the cloud, and solutions are incredibly affordable, we need to adopt the same approach.

Business continuity is no longer just being able to keep your business running after a disaster.

Business continuity means that you are able to prevent business disruptions and distractions, regardless of the cause. Business continuity means …

  • You actively work to minimize the chance of a ransomware attack, and that you can respond and recover quickly should it happen.
  • You have systems and procedures in place to prevent data loss and privacy breaches, and that you can detect and mitigate issues quickly and effectively.
  • You and your team are no longer tethered to the hardware, Internet access, and electricity in your offices.

For SMBs, now is the time to consider the tangible and intangible costs of business interruptions of all types and to see the value in solutions to prevent and recovery. Understand the value proposition of that goes beyond dollars and cents to include the customer relationship impact and the toll that business disruption has on your team.

Food for Thought:

Email Encryption is Not Compliance

Security Key
While providing a reasonable level of protection from inappropriate access to your data, the built-in encryption is not sufficient to meet information privacy regulations. Laws such as the Health Information Portability and Accountability Act (“HIPAA”), and industry regulations including the Personal Card Information (“PCI”) standards require more than data encryption.

Privacy laws and regulations typically include three components:

  1. Policies and procedures that, when followed, provide appropriate data protections
  2. A means to monitor compliance, with the ability to detect and mitigate potential violations of the policies and procedures
  3. A defined response and resolution procedure in the event of a breach

As explained in our eBook, Email Encryption in Google Apps, Technology can support the implementation of these three components, but does not offer a full solution on its own.


Contact us to assess your email encryption needs and to define an affordable solution.