Regulators Urge Video Conferencing Companies to Improve Security, Privacy

In an open letter this week, six data protection and privacy regulators from around the world have asked video teleconferencing (VTC) organizations to focus on security and privacy-by-design.

The regulatory community, which is responsible for ensuring the privacy of individuals worldwide, is concerned that the increased use of video conferencing solutions as a result of the COVID-19 pandemic has heightened the risks associated with the handling of personal information by VTC companies, and has created additional risks as well.

“Reports in the media, and directly to us as privacy enforcement authorities, indicate the realization of these risks in some cases. This has given us cause for concern as to whether the safeguards and measures put in place by VTC companies are keeping pace with the rapidly increasing risk profile of the personal information they process,” the letter reads.

In addition to voicing their concerns, the privacy watchdogs detailed their expectations regarding the manner in which video conferencing companies are expected to mitigate said risks, as well as the steps they should take to ensure they secure the personal information of users.

The regulators also encourage VTC companies to identify and address other data protection and privacy issues associated with their services, to regularly review their stance on privacy, and even to work with regulators to mitigate risks that they cannot resolve.

“During the current pandemic we have observed some worrying reports of security flaws in VTC products purportedly leading to unauthorized access to accounts, shared files, and calls,” the letter reads.

VTC companies should ensure that their solutions include security safeguards by default, such as effective end-to-end encryption and two-factor authentication, and that they demand strong passwords. Those offering VTC services to sectors that process sensitive information should focus the most on these security measures.

“Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries,” the letter reads.

VTC companies have also been urged to take a privacy-by-design approach to their services, and not only ensure that data and privacy are protected at all times, but also that users are provided with privacy-friendly settings from the start.

Default settings, the letter says, need to ensure the best privacy protection, but users should have the option to adjust those to suit their requirements. Furthermore, business users should be provided with features to help them comply with their own privacy policies, and VTC services should minimize the capture of personal information or data.

“VTC providers should also undertake a privacy impact assessment to identify the impact of their personal information handling practices on the privacy of individuals, and implement strategies to manage, minimize or eliminate, these risks,” the letter reads.

VTC companies are also encouraged to identify the environments in which their services are used, so as to ensure they can deliver data security and privacy in all contexts, to be transparent about the data they collect and how they share it, and to ensure that users have the appropriate information and control when using their services.

“We recognize that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world; something that is especially important in the midst of the current Covid-19 pandemic. But ease of staying in touch must not come at the expense of people’s data protection and privacy rights,” the regulators note.

The letter was signed by commissioners with the Office of the Australian Information Commissioner, the Compliance Sector Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Privacy Commissioner for Personal Data for Hong Kong, the Federal Data Protection and Information Commissioner for Switzerland, and the United Kingdom’s Regulatory Supervision Information Commissioner’s Office.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
