Main Menu Main Content
Photo of Video Conference Security Concerns Increase as NYS Suspends Article 7 In Person Meeting Requirement
Publications

Video Conference Security Concerns Increase as NYS Suspends Article 7 In Person Meeting Requirement

Hodgson Russ Education, Municipal & Public Finance Alert
April 8, 2020

On March 12, 2020, Governor Cuomo issued Executive Order 202.1, which suspended the in-person meeting requirement under Article 7 of the Public Officers Law, the Open Meetings Law (OML). As a consequence of this exception to the OML, public bodies (i.e., municipalities, school districts, and public authorities) in New York State have turned to video conferencing services for holding public meetings.

What are the concerns regarding the use of video conferencing services? As you may have seen in the media, there has been a lot of concern over the use of the Zoom video conferencing service. The concern has generally been over the privacy of the service and how each individual video call was configured allowing Zoom-Bombing or Video Teleconference hijacking. We have already had clients who have had their Zoom-based meetings disrupted in this way.

How does the configuration by the meeting host impact security? The problematic Zoom meeting configurations, which are set by each meeting host, could allow anyone to join the call, share their screen, or interact in the chat feature during the video conference. Not restricting these functions allows attendees, among other things, to share inappropriate content to all viewers of the meeting. Proper configuration of the Zoom meeting, or any video conference service, alleviates these concerns.

How does the method of login impact security? Another security concern with Zoom arises when users log into the application using a Facebook account. The Zoom application was passing data, which was not fully disclosed in Zoom’s privacy policy, to Facebook. Zoom has addressed this by updating their privacy policy and modifying the data types the app provides to Facebook. You should not sign into any site or application utilized for business purposes through Facebook (or similar application). Create a new and unique account and password for each site and application utilized for public meetings.

Is Zoom a service that can be used by public bodies to hold a meeting? Zoom, when properly configured, is a platform that does not pose an undue risk. For public meetings, Zoom should be configured as “view only” for citizens and other non-participants. This includes removing the chat function, as inappropriate content can be posted and links that are posted within a chat window cannot be verified (similar to e-mail from an unknown sender).

What are the concerns and options for executive session? A lack of security can have the greatest impact on executive sessions through an inadvertent disclosure of sensitive information (i.e., information that it is illegal to disclose, such as FERPA-protected information; information that if disclosed could provide support for claims against the public body; or information that could undercut the public body’s leverage in contract negotiations). An executive session must be conducted in a fully secure format, which can be done through a private and password protected video conference or a password protected conference call. Only the members of the board of the public body should be provided the password or pin for the service used for executive session.

Can YouTube be used to stream meetings to the public? One option to reduce disruptions at a public meeting is to stream the meeting to the public using YouTube with the comment section disabled and the members of the board participating through a video conferencing service using a password shared only with those board members. The YouTube stream can be disabled during an executive session and then re-enabled to provide for the meeting to continue or be closed publicly.

Should a training and rehearsal be held prior to the use of a video conferencing service? It is recommended that all participants in a public meeting be trained on the features of the video conferencing service and the procedures for the online public meeting. The training should include a rehearsal of the customary parts of a public meeting with discussion of the process for various scenarios, including entering, conducting, and exiting executive session.

If you have concerns about the legality of setting up your meetings in these newly-approved virtual formats, contact Mike Logan at (518.433.2409) or Jeff Swiatek at (716.848.1449). 

Please check our Coronavirus Resource Center and our CARES Act page to access additional information related to these rapidly evolving topics.

If you received this alert from a third party or from visiting our website, and would like to be added to any of our mailing lists, please visit us at: https://forms.hodgsonruss.net/sign-up-for-email-and-other-communications..html.